When you connect your Mac to a network drive and Time Machine starts backing up, there is a sophisticated protocol working behind the scenes to make that transfer fast, reliable, and secure. That protocol is SMB3 — the Server Message Block protocol, version 3 — and it is the foundation that makes cloud-based Time Machine backups possible.

You do not need to understand SMB3 to use it (your Mac handles everything automatically), but understanding how it works can help you appreciate the security of your backups and make informed decisions about your data protection strategy. This article explains SMB3 in practical terms — what it does, why Apple chose it, and how it keeps your backup data safe.

What Is SMB?

SMB (Server Message Block) is a network file sharing protocol. In simple terms, it is the language that computers use to share files over a network. When you access a shared folder on your office network, browse files on a NAS (Network Attached Storage), or connect to a file server, SMB is almost certainly the protocol making it happen.

SMB was originally developed by IBM in the 1980s and later extended significantly by Microsoft. Despite its origins in the Windows ecosystem, SMB has become a cross-platform standard. macOS, Linux, and virtually every network storage device supports it.

A Brief History

  • SMB1 (1983-2006) — the original version. Functional but slow and with significant security vulnerabilities. Apple and Microsoft have both deprecated SMB1 due to its security risks.
  • SMB2 (2006) — a major rewrite that improved performance, reduced chattiness (fewer network round trips), and added better error handling. Introduced with Windows Vista.
  • SMB3 (2012) — added encryption, improved performance for wide-area networks, and introduced features essential for cloud storage. This is the version used by modern macOS for network backups.
  • SMB 3.1.1 (2015) — the latest revision, adding pre-authentication integrity checks and requiring secure negotiation. Supported by macOS Catalina and later.

Why Apple Uses SMB3 for Time Machine Network Backups

Apple's history with network file sharing is interesting. For many years, macOS used its own protocol called AFP (Apple Filing Protocol) for network file sharing and Time Machine network backups. The now-discontinued Time Capsule device used AFP exclusively.

Starting with macOS Big Sur, Apple began transitioning Time Machine network backups from AFP to SMB3. By macOS Monterey, SMB3 became the preferred protocol for Time Machine network destinations. There were several reasons for this shift:

1. Built-In Encryption

SMB3 includes native transport encryption using AES-128-CCM or AES-128-GCM. This means all data traveling between your Mac and the backup server is encrypted at the protocol level — no additional VPN or encryption layer is strictly necessary (though adding one provides defense in depth).

AFP supported encryption too, but SMB3's implementation is more modern, better tested, and more widely reviewed by the security community.

2. Better Performance Over the Internet

SMB3 was designed with wide-area network performance in mind. It includes features like:

  • Multichannel support — using multiple network connections simultaneously for higher throughput
  • Large MTU support — larger data packets mean fewer round trips and better efficiency
  • Directory leasing — caching directory listings to reduce unnecessary network traffic
  • Improved compounding — batching multiple operations into single requests

These features are particularly important for cloud backup, where the network path between your Mac and the server may traverse multiple networks and have higher latency than a local connection.

3. Industry Standard

By adopting SMB3, Apple aligned with a widely supported industry standard. This means Time Machine can work with any SMB3-compatible server — not just Apple-made hardware. It opened the door for services like Capsule Backup to provide cloud-hosted Time Machine destinations without requiring proprietary Apple server software.

4. Resilient Connections

SMB3 introduced transparent failover and persistent handles. If the network connection is temporarily interrupted (your Wi-Fi drops for a moment, your ISP has a brief hiccup), SMB3 can resume the session without starting over. This is critical for backup operations that may transfer large amounts of data over potentially unstable internet connections.

How SMB3 Encryption Works

Understanding the encryption in SMB3 requires looking at two distinct phases: authentication and data transfer.

Authentication

When your Mac connects to an SMB3 server, it first needs to prove its identity. SMB3 supports several authentication methods:

  • NTLMv2 — a challenge-response authentication protocol that never sends your password over the network
  • Kerberos — a ticket-based authentication system used in enterprise environments

In both cases, your password is never transmitted in plain text. The authentication process uses cryptographic challenges and responses that prove you know the password without revealing it.

Transport Encryption

Once authenticated, SMB3 encrypts all data in transit using AES-128-CCM or AES-128-GCM (with SMB 3.1.1 supporting AES-256-CCM and AES-256-GCM). This means:

  • Every file transferred between your Mac and the backup server is encrypted
  • Every command (create file, delete file, read directory) is encrypted
  • File names, metadata, and directory structures are all encrypted in transit
  • Anyone intercepting the network traffic sees only encrypted data

This is transport-layer encryption — it protects data while it is moving across the network. It is comparable to HTTPS for web traffic. Your data cannot be read or modified by anyone who intercepts it between your Mac and the server.
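One way to check this on captured traffic, as an added example that is not part of the original article or of any vendor's tooling. Every SMB message starts with a 4-byte protocol ID, and encrypted messages carry the transform-header ID `0xFD 'S' 'M' 'B'`. The negotiation and authentication messages necessarily precede the session keys, so the check allows them in the clear. The sample streams are constructed, and the choice of which commands to tolerate in the clear is this example's own assumption.

```python
import struct

# Protocol IDs (first 4 bytes of each message) and SMB2 command codes, per MS-SMB2.
KINDS = {b"\xffSMB": "smb1", b"\xfeSMB": "plaintext", b"\xfdSMB": "encrypted"}
COMMANDS = {0: "NEGOTIATE", 1: "SESSION_SETUP", 3: "TREE_CONNECT",
            5: "CREATE", 8: "READ", 9: "WRITE", 14: "QUERY_DIRECTORY"}
# Assumed policy: these run before keys exist (TREE_CONNECT is tolerated
# because per-share encryption only starts after it).
EXPECTED_CLEAR = {"NEGOTIATE", "SESSION_SETUP", "TREE_CONNECT"}

def split_frames(stream: bytes):
    """Yield SMB messages from a TCP/445 byte stream (1 zero byte + 3-byte length)."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        yield stream[pos + 4:pos + 4 + length]
        pos += 4 + length

def audit(stream: bytes):
    """Return (kind, command, leaked) per message; leaked=True means a command
    that should have been encrypted crossed the wire in the clear."""
    report = []
    for msg in split_frames(stream):
        kind = KINDS.get(msg[:4], "unknown")
        command = None
        if kind == "plaintext" and len(msg) >= 14:
            code = struct.unpack_from("<H", msg, 12)[0]  # Command field at offset 12
            command = COMMANDS.get(code, f"0x{code:04x}")
        leaked = kind == "smb1" or (kind == "plaintext"
                                    and command not in EXPECTED_CLEAR)
        report.append((kind, command, leaked))
    return report

# --- constructed sample traffic (not a real capture) ---
def _frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _smb2(cmd):        # 64-byte SMB2 header carrying only the command code
    return b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, cmd) + bytes(50)

def _transform():      # 52-byte transform header followed by opaque ciphertext
    return b"\xfdSMB" + bytes(48) + b"ciphertext"

ENCRYPTED_SESSION = b"".join(
    _frame(m) for m in [_smb2(0), _smb2(1), _transform(), _transform()])
UNENCRYPTED_SESSION = b"".join(
    _frame(m) for m in [_smb2(0), _smb2(1), _smb2(3), _smb2(5), _smb2(9)])
```
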

The Distinction: Transport vs. At-Rest Encryption

SMB3 encryption protects data in transit. For data at rest (stored on the backup server), you need an additional layer: Time Machine encryption.

When you enable Time Machine encryption (which we strongly recommend for cloud backups), Time Machine encrypts the entire backup image using AES-XTS-128 before sending it to the server. This means your backup data is encrypted on the server's disk — even the server administrator cannot read your files without your Time Machine encryption password.

With both layers active, your data is:

  • Encrypted on your Mac (Time Machine encryption)
  • Encrypted during transfer (SMB3 transport encryption)
  • Encrypted on the server (Time Machine encryption at rest)

For additional security options including VPN and IP whitelisting, see our security page.

SMB3 vs. Other Protocols for Backup

SMB3 vs. AFP (Apple Filing Protocol)

AFP was Apple's proprietary file sharing protocol, used by Time Capsule and macOS Server. While AFP worked well within Apple's ecosystem, it had limitations:

  • Proprietary — limited server-side implementations
  • Less community security review than SMB3
  • Apple has officially deprecated AFP in favor of SMB
  • No longer actively developed

SMB3 is the clear successor, and Apple's transition to it has been a positive move for both compatibility and security.

SMB3 vs. SFTP/SCP

SFTP and SCP are secure file transfer protocols commonly used in server administration. While they provide strong encryption, they are file transfer protocols, not file sharing protocols. The difference matters:

  • SFTP/SCP transfer files — SMB3 presents a file system
  • Time Machine requires a mounted file system (a drive that appears in Finder)
  • SMB3 supports the random access patterns that Time Machine uses for incremental backups
  • SMB3 handles file locking, which is essential for backup integrity

SMB3 vs. WebDAV

WebDAV is a file sharing protocol built on HTTP. While it works over the internet and supports HTTPS encryption, it is significantly slower than SMB3 for backup operations due to its HTTP overhead and lack of features like compounding and multichannel support.

SMB3 vs. NFS

NFS (Network File System) is widely used in Linux/Unix environments. While NFSv4 supports encryption via Kerberos, it is not natively supported by macOS's Time Machine. SMB3 is the protocol Apple has chosen for Time Machine network backups, making it the only practical choice for cloud-based Mac backup.

SMB3 in Practice: How Your Cloud Backup Works

Here is what actually happens when your Mac backs up to a cloud SMB3 server like Capsule Backup:

  1. Connection establishment: Your Mac initiates an SMB3 connection to the server. The protocol version is negotiated (your Mac and server agree on the highest common version).
  2. Authentication: Your credentials are verified using NTLMv2 challenge-response authentication. Your password never crosses the network.
  3. Encryption activation: SMB3 transport encryption is enabled. All subsequent communication is encrypted.
  4. Volume mount: The backup volume appears in Finder as a mounted drive. macOS treats it identically to a local drive.
  5. Time Machine operation: Time Machine scans your Mac for changes since the last backup, then writes only the changed files to the mounted volume. The Time Machine encryption layer encrypts this data before it reaches SMB3 for transport.
  6. Completion: Time Machine records the backup timestamp and goes dormant until the next hourly cycle.

The entire process is transparent. You never see SMB3 commands, encryption handshakes, or protocol negotiations. You see a drive in Finder and a "Last backup" timestamp in your menu bar.
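To make step 1 and step 3 concrete, the following added example (not from the original article or from any vendor) reads the agreed dialect and transport cipher out of an SMB2 NEGOTIATE response. Field offsets and constants follow the MS-SMB2 specification, and the three sample responses are constructed for illustration.

```python
import struct

DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}
CAP_ENCRYPTION = 0x40      # SMB2_GLOBAL_CAP_ENCRYPTION (used by SMB 3.0 / 3.0.2)
CTX_ENCRYPTION = 0x0002    # SMB2_ENCRYPTION_CAPABILITIES negotiate context

def parse_negotiate_response(msg: bytes):
    """Return (dialect, cipher or None) from an SMB2 NEGOTIATE response."""
    body = 64                                    # fixed SMB2 header length
    dialect_code, ctx_count = struct.unpack_from("<HH", msg, body + 4)
    caps, = struct.unpack_from("<I", msg, body + 24)
    ctx_off, = struct.unpack_from("<I", msg, body + 60)
    dialect = DIALECTS.get(dialect_code, hex(dialect_code))
    if dialect_code < 0x0300:
        return dialect, None                     # SMB 2.x: no transport encryption
    if dialect_code < 0x0311:                    # 3.0 / 3.0.2: capability bit, fixed cipher
        return dialect, "AES-128-CCM" if caps & CAP_ENCRYPTION else None
    pos = ctx_off                                # 3.1.1: walk the negotiate contexts
    for _ in range(ctx_count):
        ctx_type, data_len = struct.unpack_from("<HH", msg, pos)
        if ctx_type == CTX_ENCRYPTION:
            count, cipher_id = struct.unpack_from("<HH", msg, pos + 8)
            return dialect, CIPHERS.get(cipher_id) if count else None
        pos += 8 + (data_len + 7) // 8 * 8       # contexts are 8-byte aligned
    return dialect, None

# --- constructed sample responses (not captured from a real server) ---
def _sample(dialect, caps=0, contexts=b"", count=0):
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, count, bytes(16),
                       caps, 0, 0, 0, 0, 0, 128, 0, 128 if count else 0)
    return b"\xfeSMB" + bytes(60) + body + contexts

# Pre-auth integrity context (type 1, 38 data bytes, padded to 8) comes first,
# so the parser has to skip it to reach the encryption context.
_preauth = struct.pack("<HHIHHH", 1, 38, 0, 1, 32, 1) + bytes(32) + bytes(2)
_encrypt = struct.pack("<HHIHH", CTX_ENCRYPTION, 4, 0, 1, 2)   # chosen: AES-128-GCM
SMB311_RESPONSE = _sample(0x0311, contexts=_preauth + _encrypt, count=2)
SMB30_RESPONSE = _sample(0x0300, caps=CAP_ENCRYPTION)
SMB21_RESPONSE = _sample(0x0210)
```

A result whose cipher is `None` means the session can only run without transport encryption, whatever the client would have preferred.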

Performance Considerations

SMB3 was engineered for performance, but backup speed over the internet is ultimately limited by your network connection. Here are the factors that affect cloud backup performance:

Your Internet Upload Speed

This is almost always the bottleneck. Capsule Backup servers are connected via 1 Gbps fiber with no bandwidth limits, so the server side is rarely the limiting factor. Your ISP's upload speed determines how fast data gets from your Mac to the server.

Network Latency

SMB3 is less sensitive to latency than older SMB versions thanks to compounding and pipelining. However, very high latency (>200ms) can affect performance. Choosing a data region close to your location (Germany, Finland, or USA) minimizes latency.

File Size Distribution

Backing up many small files is slower per-megabyte than backing up fewer large files, because each file requires individual protocol operations. Time Machine mitigates this by using sparse bundle images that batch small changes.

Encryption Overhead

The combined overhead of Time Machine encryption and SMB3 transport encryption is minimal on modern Mac hardware. Apple Silicon chips include hardware AES acceleration, making encryption essentially free from a performance perspective.

Security Best Practices for SMB3 Backups

While SMB3 provides strong security by default, here are additional steps to maximize protection:

  1. Always enable Time Machine encryption — this encrypts your data at rest on the server
  2. Use a strong password for both your backup account and Time Machine encryption
  3. Consider VPN access — Capsule Backup includes WireGuard and OpenVPN support for an additional encryption layer
  4. Enable IP whitelisting — restrict access to your backup volume to specific IP addresses
  5. Store credentials securely — save your SMB and Time Machine encryption passwords in a password manager, not just in your Mac's Keychain (which would be lost if your Mac dies)

The Bottom Line

SMB3 is the technological foundation that makes cloud Time Machine backup practical, secure, and seamless. Its built-in encryption, resilient connections, and high performance over wide-area networks mean your Mac can back up to a server thousands of miles away with the same ease and security as backing up to a local drive.

You do not need to think about SMB3 any more than you think about HTTPS when browsing the web. It simply works — encrypting your data, maintaining your connection, and ensuring your backup arrives safely. And that reliability is exactly what you want from the protocol protecting your most important data.

For step-by-step setup instructions, visit our setup guide. For more on how Capsule Backup uses SMB3, see our features overview.

Frequently Asked Questions

Is SMB3 encryption strong enough for sensitive data?

Yes. SMB3 uses AES-128 or AES-256 encryption for transport, which is the same encryption standard used by governments and financial institutions worldwide. When combined with Time Machine's AES-XTS-128 encryption for data at rest, your backup data is protected by two independent encryption layers. For additional security, services like Capsule Backup also offer VPN access and IP whitelisting.

Can someone intercept my backup data as it travels over the internet?

SMB3 transport encryption prevents anyone who intercepts your network traffic from reading or modifying the data. All communication between your Mac and the backup server is encrypted, including file contents, file names, and protocol commands. Even if someone captured every network packet, they would see only encrypted data. This protection applies automatically — there is nothing you need to configure.

Does SMB3 work over Wi-Fi and cellular connections?

SMB3 works over any TCP/IP network connection, including Wi-Fi, Ethernet, and even cellular hotspots. The protocol's resilient connection handling means it can recover from brief network interruptions without failing the backup. However, for initial large backups, a stable wired or strong Wi-Fi connection is recommended for best performance.

Why did Apple switch from AFP to SMB3 for Time Machine?

Apple transitioned from AFP to SMB3 for several reasons: SMB3 is an industry-standard protocol with broader compatibility, stronger and more widely reviewed encryption, better performance over internet connections, and active ongoing development. AFP was proprietary and is no longer being actively developed. The switch allows Time Machine to work with any SMB3-compatible server, not just Apple hardware, which enables cloud-based backup services.

Do I need a VPN if SMB3 already encrypts my data?

SMB3 encryption is sufficient for most users — your data is fully encrypted in transit without a VPN. However, a VPN adds defense in depth: it encrypts all traffic (not just SMB3), hides the fact that you are connecting to a backup service, and can provide additional authentication. Capsule Backup includes WireGuard and OpenVPN access at no extra cost for users who want this additional layer. It is recommended but not required.

Capsule Backup is not affiliated with or endorsed by Apple Inc. Time Machine, macOS, Finder, and Migration Assistant are trademarks of Apple Inc.