This parameter controls whether a client should try or is required to use SMB encryption. It has different effects depending on whether the connection uses SMB1 or SMB3: If the connection uses SMB1, then this option controls the use of a Samba-specific extension to the SMB protocol introduced in Samba 3.2 that makes use of the Unix extensions. If the connection uses SMB2 or newer, then this option controls the use of the SMB-level encryption that is supported in SMB version 3.0 and above and available in Windows 8 and newer. This parameter can be set globally. Possible values are off, if_required, desired, and required. A special value is default which is the implicit default setting of if_required. Effects for SMB1 The Samba-specific encryption of SMB1 connections is an extension to the SMB protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys. Currently this is only supported smbclient of by Samba 3.2 and newer. Windows does not support this feature. When set to default, SMB encryption is probed, but not enforced. When set to required, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated. Effects for SMB3 and newer Native SMB transport encryption is available in SMB version 3.0 or newer. It is only used by Samba if client max protocol is set to SMB3 or newer. These features can be controlled with settings of client smb encrypt as follows: Leaving it as default, explicitly setting default, or setting it to if_required globally will enable negotiation of encryption but will not turn on data encryption globally. Setting it to desired globally will enable negotiation and will turn on data encryption on sessions and share connections for those servers that support it. Setting it to required globally will enable negotiation and turn on data encryption on sessions and share connections. Clients that do not support encryption will be denied access to the server. Setting it to off globally will completely disable the encryption feature for all connections. default