From 044015c7b45efb71432e4c5e9a4accf860a912ce Mon Sep 17 00:00:00 2001
From: Dominic <147548585+7CqKcKvfAf@users.noreply.github.com>
Date: Sun, 11 Jan 2026 18:48:57 +0100
Subject: [PATCH 1/2] Add smb encrypted option
---
 samba/CHANGELOG.md | 4 ++++
 samba/DOCS.md | 7 +++++++
 samba/config.yaml | 4 +++-
 samba/rootfs/usr/share/tempio/smb.gtpl | 12 ++++++++++--
 samba/translations/en.yaml | 6 ++++++
 5 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/samba/CHANGELOG.md b/samba/CHANGELOG.md
index 0f9bd4a21..cd0e1ed54 100644
--- a/samba/CHANGELOG.md
+++ b/samba/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## 12.5.5
+
+- Add option for setting smb encrypted parameter
+
 ## 12.5.4
 - Fix invalid inverted commas in server signing parameter
diff --git a/samba/DOCS.md b/samba/DOCS.md
index 7e67bb0bb..eed360448 100644
--- a/samba/DOCS.md
+++ b/samba/DOCS.md
@@ -107,6 +107,13 @@ This can cause issues with file systems that do not support xattr such as exFAT.
 Defaults to `true`.
+### Option: `encryption`
+
+Configure the SMB encryption requirement. This option encrypts all traffic between client and server and prevents guest access if set to required.
+Refer to the man page for smb.conf for detailed information about the values: **off**, **desired** and **required**.
+
+Defaults to `desired`.
+
 ### Option: `server_signing`
 Configure the SMB server signing requirement. This option can improve security by requiring message signing, which helps prevent man-in-the-middle attacks.
diff --git a/samba/config.yaml b/samba/config.yaml
index 0b53621b9..b0ac589cc 100644
--- a/samba/config.yaml
+++ b/samba/config.yaml
@@ -1,5 +1,5 @@
 ---
-version: 12.5.4
+version: 12.5.5
 slug: samba
 name: Samba share
 description: Expose Home Assistant folders with SMB/CIFS
@@ -37,6 +37,7 @@ options:
 - ssl
 compatibility_mode: false
 apple_compatibility_mode: true
+ encryption: "desired"
 server_signing: "default"
 veto_files:
 - ._*
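Review bot: The new default `encryption: "desired"` in the `options:` hunk changes wire behaviour for every existing install on upgrade, not only for users who opt in, while the changelog entry only says an option was added. As far as I read smb.conf(5), an unset `smb encrypt` corresponds to Samba's `default` mode (encryption is available when the client asks for it), which is not the same as `off`, and the schema in the next hunk (`list(off|desired|required)`) offers no value that reproduces it. I would either extend the schema to `encryption: list(default|off|desired|required)` and ship `encryption: "default"` (to be confirmed against the Samba version in the image), or state the behaviour change, and its likely CPU cost on small hosts, in CHANGELOG.md and DOCS.md.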
@@ -60,6 +61,7 @@ schema:
 - "match(^(?i:(addons|addon_configs|backup|config|media|share|ssl))$)"
 compatibility_mode: bool
 apple_compatibility_mode: bool
+ encryption: list(off|desired|required)
 server_signing: list(default|auto|mandatory|disabled)
 veto_files:
 - str
diff --git a/samba/rootfs/usr/share/tempio/smb.gtpl b/samba/rootfs/usr/share/tempio/smb.gtpl
index 6b00b14c3..099fb8d55 100644
--- a/samba/rootfs/usr/share/tempio/smb.gtpl
+++ b/samba/rootfs/usr/share/tempio/smb.gtpl
@@ -18,10 +18,20 @@
 interfaces = lo {{ .interfaces | join " " }}
 hosts allow = 127.0.0.1 {{ .allow_hosts | join " " }}
+ smb encrypt = {{ .encryption }}
+ {{ if eq .encryption "required" }}
+ client min protocol = SMB3
+ client max protocol = SMB3
+ server min protocol = SMB3
+ server max protocol = SMB3
+ server signing = auto
+ {{ else }}
+ server signing = {{ .server_signing }}
 {{ if .compatibility_mode }}
 client min protocol = NT1
 server min protocol = NT1
 {{ end }}
+ {{ end }}
 mangled names = no
 dos charset = CP850
@@ -31,8 +41,6 @@
 vfs objects = catia fruit streams_xattr
 {{ end }}
- server signing = {{ .server_signing }}
-
 {{ if (has "config" .enabled_shares) }}
 [config]
 browseable = yes
diff --git a/samba/translations/en.yaml b/samba/translations/en.yaml
index d350494ee..cfc9dd54d 100644
--- a/samba/translations/en.yaml
+++ b/samba/translations/en.yaml
@@ -33,6 +33,12 @@ configuration:
 Enable Samba configurations to improve interoperability with Apple devices. May cause issues with file systems that do not support xattr such as exFAT.
+ encryption:
+ name: Encryption
+ description: >-
+ Configure SMB encryption.
+ SMB3 protocol is used if set to required.
+ Compatibility mode option will be ignored in this case.
 server_signing:
 name: Server signing
 description: >-
From 8560adff70c7cc94873d72c55df6954275f36daf Mon Sep 17 00:00:00 2001
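Review bot: In the `{{ else }}` branch of the first smb.gtpl hunk, `smb encrypt = desired` is only opportunistic: a session that does not negotiate encryption is still served in clear text, and with `compatibility_mode` the same branch lowers `server min protocol` to NT1, a dialect without SMB3 encryption. The DOCS.md sentence added in this commit ("encrypts all traffic between client and server") reads as if it applied to every value, but it holds for `required` only. I would say so in DOCS.md and put a template comment above the branch, e.g. `{{/* desired is opportunistic; only "required" rejects unencrypted sessions */}}`. The section of the template this hunk edits starts and ends outside the hunk.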
From: Dominic <147548585+7CqKcKvfAf@users.noreply.github.com>
Date: Sun, 11 Jan 2026 19:29:27 +0100
Subject: [PATCH 2/2] Enforce server signing when encryption is required
---
 samba/rootfs/usr/share/tempio/smb.gtpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samba/rootfs/usr/share/tempio/smb.gtpl b/samba/rootfs/usr/share/tempio/smb.gtpl
index 099fb8d55..460db2592 100644
--- a/samba/rootfs/usr/share/tempio/smb.gtpl
+++ b/samba/rootfs/usr/share/tempio/smb.gtpl
@@ -24,7 +24,7 @@
 client max protocol = SMB3
 server min protocol = SMB3
 server max protocol = SMB3
- server signing = auto
+ server signing = mandatory
 {{ else }}
 server signing = {{ .server_signing }}
 {{ if .compatibility_mode }}
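Review bot: `server signing = mandatory` is hard-coded inside the `required` branch, so a user's `server_signing` setting is dropped without any trace; the en.yaml text added in patch 1/2 warns only about compatibility mode. Overriding towards the stricter value is sound, but it should be visible to the operator. I would add to the `server_signing` description and to DOCS.md that the option is ignored when `encryption` is `required`, and mark the branch with `{{/* encryption=required: server_signing and compatibility_mode are overridden */}}`. The `{{ if eq .encryption "required" }}` block opens above this hunk and closes below it.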