Samba SMB Encryption - How safe is it?


Solution 1

You could see the Encryption in SMB 3.0: A protocol perspective and Encryption in SMB3 for technical details, but I think the fact that Azure Files allows mounting over the Internet using (only) SMB3 is a sign that Microsoft thinks it's secure.

Solution 2

But I wondered if I could access this shared drive over the internet since I also use a Win10 PC at school.

Samba is a file and print sharing service, I would NEVER ask it to do encryption. If you want to encrypt information between you and Samba (wise choice), I would advise creating an SSH tunnel from your school computer to the Samba machine when you are using a public network.

There are a lot of good explanations of what an SSH tunnel is, how to set it up and when to use it, and it is designed to do encryption of information between two endpoints; that is what SSH does.

Examples on what SSH tunnel is

How to make a Windows SSH tunnel

Also write what operating system the machine that runs Samba is installed with. Ubuntu, Fedora, Windows something else? So people can give you the best answers possible.

How strong is SSH encryption?

Strong and secure enough for even governments to use it.

Solution 3

This question is several years old, but I will try to contribute something recent. The current configuration smb.conf is this (at least it works on Ubuntu 20.04):

[global]

   # smb v4.14 and later
   server signing = mandatory
   server min protocol = SMB3
   server smb encrypt = required
   # smb v4.13 or earlier
   smb encrypt = required

Note: run in terminal samba -V and comment out the line that does not correspond to your version

In my opinion it is quite safe, however in Windows clients it is recommended to execute the following registry keys:

Open cmd with administrative privileges and run:

reg add "HKLM\System\CurrentControlSet\services\LanmanServer\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKLM\System\CurrentControlSet\services\LanmanServer\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f

For more information, check Samba Full Audit.

Note: Windows, like Samba, changes these parameters with each version without prior notice, therefore this answer may be obsolete in 6 months.
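A way to check an smb.conf against the three settings listed in Solution 3, run here on the [global] section from the question. This is an added example, not code from any of the answers or from the Samba project; the function names and the set of values treated as "enforced" are assumptions of the example, and it reads only [global] (no include files, no per-share overrides).

```python
import re

# Values treated as "enforced". Assumption of this example: only the spellings
# "mandatory"/"required" and the SMB3 dialect names are accepted as passing.
REQUIRED = {
    "server signing": {"mandatory", "required"},
    "server smb encrypt": {"mandatory", "required"},
    "server min protocol": {"smb3", "smb3_00", "smb3_02", "smb3_11"},
}
# Older or shorter parameter names that mean the same thing.
ALIASES = {"smb encrypt": "server smb encrypt", "min protocol": "server min protocol"}

# [global] section as posted in the question on this page.
QUESTION_CONF = """
[global]
workgroup = workgroup
security = user
encrypt passwords = true
smb encrypt= required
"""

def parse_global(text):
    """Return {normalised name: value} for the [global] section only."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            name = " ".join(name.lower().split())   # case/spacing-insensitive
            settings[ALIASES.get(name, name)] = value.strip().lower()
    return settings

def audit(text):
    """List the settings that are missing or weaker than enforced."""
    got, findings = parse_global(text), []
    for name, accepted in REQUIRED.items():
        if name not in got:
            findings.append(f"{name}: not set (version default applies)")
        elif got[name] not in accepted:
            findings.append(f"{name}: '{got[name]}' is not enforced")
    return findings

if __name__ == "__main__":
    for finding in audit(QUESTION_CONF):
        print(finding)
```

Passing the output of testparm -s to audit() instead of the raw file lets Samba resolve included files first.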

Author by

Robin Mayer

Updated on September 18, 2022

Comments

  • Robin Mayer almost 2 years

    I recently set up a Samba server on Linux that allows me to access files on this server on Win10 PCs in my local network. But I wondered if I could access this shared drive over the internet since I also use a Win10 PC at school.

    I set the following in my section:

    [global]
    workgroup = workgroup
    security = user
    encrypt passwords = true
    smb encrypt= required
    

    How good is the SMB encryption really? SMB was known as unsafe for public networking but since SMB3 there's encryption available and I wondered how secure this might be.

    Thanks in advance.

  • Aenfa almost 3 years
    Samba over SSH on Windows isn’t possible unless a loopback adapter is installed on the local computer due to the port clash issue.