18

I have a heterogeneous system (both MS and *nix) that communicates with CIFS/SMB. How can I ensure proper data encryption at the application layer?

bstpierre
  • 4,868
  • 1
  • 21
  • 34
dalimama
  • 1,065
  • 1
  • 11
  • 21
  • 2
    I did a quick google search and founds lots of articles purporting to discuss this topic. Have you tried those and they don't work? If so, what issues are you having. If not, please do that first. – mikeazo Nov 24 '11 at 00:54
  • 1
    I did, most of them are pretty old and generally out-dated. (The newest ones are talking about win2000-unix interoperation), so I need a current view on that issue. – dalimama Nov 24 '11 at 06:54

3 Answers3

11

Use Samba 3.3.x+ and set server signing = [auto|mandatory|disabled] in the Global section (disabled by default). Share level SMB encryption is auto by default. This has been tested with WinXP/Win7 and AIX 5.3 running Samba 3.6.7. SMB encryption became available in Samba 3.2 but server signing did not appear until 3.3. These are required for Win7 clients configured to Microsoft's security recommendations (NTLMv2 and 128 bit encryption).

See: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Daniel Sokolowski
  • 125
  • 7
Mark Gray
  • 111
  • 1
  • 2
  • 2
    I have added `server signing = required` to my smbd.conf (I have version 3.6.3) and restarted smbd. But I can still watch my SMB traffic with Wireshark. What did I do wrong? The client machine is Windows 7. – utapyngo Oct 14 '12 at 14:26
  • Try `server signing = mandatory` as per http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html – Daniel Sokolowski Apr 17 '13 at 18:49
4

If it is at the "application layer" then it is done by applications, on what applications see, i.e. files. In other words, the applications shall choose a common format for encrypted files. Consider OpenPGP format as a starting point, and GnuPG as an opensource library and command-line utility which knows this format. You still have to decide what kind of security model you wish to enforce; a simple common key shared between the relevant installed applications might be enough, or not, depending on what you are trying to do (encryption is like medecine, it is not a single thing that can be generically applied everywhere; there are details).

If, on the other hand, you would like the applications themselves to be blissfully unaware of any encryption, such that the applications only see a "normal" CIFS/SMB which gets encrypted under the hood, then, by definition, this is not encryption "at the application layer" but at some other, deeper layer. I suggest using a VPN. IPsec is a security protocol which adds VPN-like features to IP, and which many operating systems implement (including Windows, and the non-prehistoric Unix-like). A VPN will be good if your intended security model is about attackers who spy on the communication lines between the involved machines; it will not help in the case of shared files if the machine on which the files are physically hosted is also potentially hostile.

Community
  • 1
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
2

Although you may have figured this out, I was looking for the same information and might have found something a bit more helpful. What you appear to be looking for is "encrypted network transport", and it is available in Samba since version 3.2 (at least).

Sadly, it is bloody hard to find out how to set this up by looking at the docs (even the Samba Wiki does not appear to have info about it), but one way to do it is by using the -e option for smbclient. You may have better luck finding details about how to mount a Samba share using encryption, but I have been unable so far (I imagine it has more to do with server configuration than client configuration).

This page about SMB transport encryption in Windows may also be helpful.

Marcus P S
  • 121
  • 2
  • I think you found the answer, and the answer was no :). What you found was not implemented by MS, as requested in the question. "An innovation created by the Samba Team, Samba 3.2 has extended the CIFS/SMB protocol to allow transport encryption ... This extension to the CIFS/SMB protocol is open and available for other vendors to adopt." – sourcejedi Feb 10 '14 at 11:40
  • I confirmed that adding `-e` or `--encrypt` to `smbclient` does seem to force SMB traffic to encrypt. I used Wireshark and was unable to see directory listings in plain text when using these options. – Steve HHH Apr 17 '15 at 06:14