Server Message Block (SMB) file systems use authenticated encryption to protect against interception or tampering when data is transmitted between ECS instances and NAS file systems.

Usage notes

  • Operating systems supported by compute nodes
    On the compute nodes, you must use operating systems that support SMB 3.0 or later. The following table lists the operating systems.
    TypeVersion
    Windows Server
    • Windows Server 2012 R2 Datacenter 64-bit (Chinese version) and later
    • Windows Server 2012 R2 Datacenter 64-bit (English version) and later
    Alibaba Cloud Linux
    • Alibaba Cloud Linux 2 (kernel version: 4.19.34 and later)
    • Alibaba Cloud Linux 3
    Red HatRed Hat Enterprise Linux 7.5 64-bit and later
    CentOSCentOS 7.6 64-bit and later
    UbuntuUbuntu 18.04 64-bit and later
    DebianDebian 10.2 64-bit and later
    SUSE LinuxSUSE Linux Enterprise Server 12 SP2 64-bit and later
    OpenSUSEopenSUSE Leap 42.3 64-bit and later
    CoreOSCoreOS 4.19.43 and later
  • Permissions for in-transit encryption

    Anonymous users are not allowed to use the in-transit encryption feature. Only Active Directory (AD) users can use this feature after they mount SMB file systems.

  • Performance loss

    Compared with a file system for which you disable encryption in transit, a file system for which you enable encryption in transit can be accessed with a 10% more latency and 10% less IOPS.

Enable in-transit encryption

You can enable in-transit encryption for an SMB file system only if you use the access control list (ACL) for the SMB file system. The following table describes the parameters that you can specify to enable the feature.
ParameterDescription
Enable In-transit EncryptionSelect Yes to enable in-transit encryption for the SMB file system.
Deny Access from Non-encrypted ClientsConfigure the types of compute nodes that can access the SMB file system.
  • Yes: You can mount the SMB file system by using a compute node for which in-transit encryption is enabled. This means that you can use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption.

    However, you cannot mount the SMB file system as an anonymous user or by using a compute node that does not support in-transit encryption.

  • No: You can mount the SMB file system from all types of compute nodes. However, the in-transit encryption feature can be enabled only if you use an AD account to mount the SMB file system on a compute node whose operating system supports in-transit encryption.
For more information, see Features.