SMB Encryption


VAST Cluster supports SMB 3.0 encryption, which helps protect in-flight data on non-secure networks.

By default, SMB encryption is disabled. You can enable it and select an encryption policy per tenant:

  • Available - Encryption is used only for SMB clients that explicitly request it. For clients that do not support encryption, access is allowed but no encryption is used.

  • Desired - The cluster uses encryption for any SMB client that supports encryption. For clients that do not support encryption, access is allowed but no encryption is used.

  • Required - SMB clients that do not support encryption are denied access.

If the tenant has SMB encryption enabled with one of the encryption policies set, you can override the tenant's setting by choosing a different encryption policy for a view.

A view's encryption policy cannot be less strict than the tenant's. For example, if the tenant has Desired, the view can have Required but not Available.

An access denied error is returned if the cluster configuration stipulates use of encryption but the client does not use SMB 3.0, does not support encryption, or sends a non-encrypted packet.
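The following Python sketch is an added example, not VAST code: it models the policy rules above so you can check a proposed view override and predict which clients would lose access or connect unencrypted before changing a policy. The names `Policy`, `effective_policy`, `session_outcome`, `audit` and the client inventory are hypothetical; it assumes denial applies only under Required and does not model the per-packet check.

```python
from enum import IntEnum

class Policy(IntEnum):
    # Ordered by strictness, matching the tenant/view rule described above.
    AVAILABLE = 1
    DESIRED = 2
    REQUIRED = 3

def effective_policy(tenant, view=None):
    """Return the policy in force for a view; reject an override weaker than the tenant's."""
    if view is None:
        return tenant
    if view < tenant:
        raise ValueError(
            f"view policy {view.name} is less strict than tenant policy {tenant.name}")
    return view

def session_outcome(policy, dialect, supports_encryption, requests_encryption=False):
    """Predict 'encrypted', 'unencrypted' or 'denied' for one client (modelled behaviour)."""
    can_encrypt = dialect >= (3, 0) and supports_encryption
    if policy is Policy.REQUIRED:
        return "encrypted" if can_encrypt else "denied"
    if policy is Policy.DESIRED:
        return "encrypted" if can_encrypt else "unencrypted"
    # AVAILABLE: encrypt only when the client explicitly asks for it.
    return "encrypted" if can_encrypt and requests_encryption else "unencrypted"

# Constructed client inventory: (name, SMB dialect, supports encryption, requests it)
CLIENTS = [
    ("legacy-scanner", (2, 1), False, False),
    ("win-desktop", (3, 0), True, False),
    ("backup-agent", (3, 1, 1), True, True),
]

def audit(tenant, view=None):
    """Map each inventoried client to its predicted outcome under the effective policy."""
    policy = effective_policy(tenant, view)
    return {name: session_outcome(policy, d, s, r) for name, d, s, r in CLIENTS}

if __name__ == "__main__":
    cases = [(Policy.AVAILABLE, None), (Policy.DESIRED, None),
             (Policy.DESIRED, Policy.REQUIRED)]
    for tenant, view in cases:
        print(tenant.name, view.name if view else "-", audit(tenant, view))
```

Clients reported as `unencrypted` are the ones still sending data in the clear under Available or Desired, and those reported as `denied` are the ones to upgrade before moving to Required.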

Note

Enabling SMB encryption may result in up to 15% performance degradation compared to SMB signing.

To configure SMB encryption for a view:

  • In VAST Web UI, go to the SMB -> Encryption tab in view settings (Element Store -> Views -> choose to create or edit a view) and in the Set Activation Policy pane, select an encryption policy.

Note

The view must have the SMB protocol enabled.