Closed babatonga closed 10 months ago
I will research this.
This is what I've found out so far: The 'seal' option, which enables SMB3 transport encryption when mounting a CIFS share, comes with certain considerations:
Performance Overhead: Enabling encryption can introduce additional processing overhead on both the client and server sides. This may result in slightly reduced performance compared to unencrypted communication.
Resource Consumption: Encrypting and decrypting data requires additional computational resources. Depending on the hardware and the volume of data being transferred, this could impact resource utilization.
Compatibility: Ensure that both the client and server support SMB3 encryption. If one side doesn't support it, the connection may not be established, or fallback to a less secure option might occur.
Debugging and Monitoring: Encrypting data makes it harder to inspect network traffic for debugging or monitoring purposes. If you rely on analyzing network packets for troubleshooting, encryption may add complexity.
Latency: The encryption and decryption processes can introduce a small amount of latency in data transfer, which might be noticeable in scenarios where low-latency communication is crucial.
Configuration Complexity: Managing encryption settings requires additional configuration. Incorrect configurations may lead to connectivity issues or unintended security vulnerabilities.
It's essential to weigh the benefits of enhanced security against these potential downsides. In situations where data security is a top priority, enabling encryption might be a reasonable trade-off. However, in environments where performance is critical and the network is considered secure, you may choose not to use the 'seal' option.
If I decide to do this, it would have to be a setting in UD Settings to enable/disable. I don't like adding too many configuration options because it can just confuse users. I am also concerned about performance issues.
What is your use case? Why do you feel this is necessary on a local LAN?
In a local LAN, this might not be necessary, but I am connecting a Storage Box from Hetzner over the Internet: https://docs.hetzner.com/robot/storage-box/access/access-samba-cifs/
The documentation recommends using the 'seal' option for encrypting SMB traffic.
So, having an option that defaults to false seems like a good idea, I believe. There could be a note indicating that this works only with SMB3 servers that support it and may not be necessary in a local LAN.
Alternatively, it would be great if unassigned.devices supports SSHFS for such purposes. But that would probably be another feature request and might require additional dependencies (such as sshfs).
I'm adding a configuration to the Device Settings for SMB remote shares to set encryption by device:
This will be in the next release of UD.
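One way to confirm that a mounted share really uses the 'seal' option discussed in this thread, as an added example that is not part of the thread or of the Unassigned Devices code: it reads lines in the /proc/mounts layout and classifies every CIFS mount. The sample lines, host names and mount points are constructed, and the check assumes the kernel lists `seal` among the options of an encrypted mount.

```shell
#!/bin/sh
# Added example: audit CIFS mounts for SMB3 transport encryption ('seal').
# Input on stdin uses the /proc/mounts layout:
#   source mountpoint fstype options dump pass

# audit_cifs_seal: prints "<status> <source> <mountpoint>" per CIFS mount.
#   SEALED    'seal' is among the mount options
#   UNSEALED  no 'seal' option: SMB traffic is not encrypted in transit
#   LEGACY    vers= is below 3.0, so SMB3 encryption is not available at all
audit_cifs_seal() {
    awk '
    $3 == "cifs" || $3 == "smb3" {
        n = split($4, opt, ",")
        seal = 0; vers = ""
        for (i = 1; i <= n; i++) {
            if (opt[i] == "seal") seal = 1
            else if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
        }
        if (seal) status = "SEALED"
        else if (vers ~ /^[12]\./) status = "LEGACY"
        else status = "UNSEALED"
        print status, $1, $2
    }'
}

# Constructed sample input (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
//storagebox.example/backup /mnt/box cifs rw,relatime,vers=3.1.1,seal,username=u0 0 0
//192.0.2.10/media /mnt/media cifs rw,relatime,vers=3.0,username=guest 0 0
//192.0.2.11/old /mnt/old cifs rw,relatime,vers=1.0,username=guest 0 0
/dev/sda1 /mnt/usb ext4 rw,relatime 0 0
EOF
}

# Demonstration on the constructed sample.
sample_mounts | audit_cifs_seal
```

On a live host, feed it the real table with `audit_cifs_seal < /proc/mounts`; any UNSEALED or LEGACY line for a share reached over the Internet is the case the 'seal' setting is meant to prevent.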
I propose adding a setting to enable the 'seal' option for remote SMB(3) shares, enhancing privacy and security.
Details:
Benefits: