How can I create a secure connection with teradatasql


I am using the teradatasql 17.20.0.32 Python package to connect to Teradata via Python.

The documentation shows a lot of connection parameters, and with my limited knowledge of security concepts I am not sure whether the way I am using the Python package is secure.

From my perspective a secure way to connect to the database is if we are using a secure protocol like https or tls or if the data is encrypted. (Feel free to add your viewpoint on this)

My code looks like this:

import teradatasql

# host, user_name and password are defined elsewhere
conn = teradatasql.connect(host=host, user=user_name, password=password)
cursor = conn.cursor()
cursor.autocommit = True
try:
    pass  # [... execute some queries here ...]
finally:
    cursor.close()
    conn.close()

I have read about the encryptdata parameter that can be given to the connect function:

conn = teradatasql.connect(host=host, user=user_name, password=password, encryptdata=True)

But I am not sure if this really does the trick.

So in short I have two questions:

  1. What is considered a secure connection?
  2. How can I establish such a secure connection while using password and username authentication.

There are 3 answers

1
Shiva On BEST ANSWER

I would just replace "or" with "and" in your question string "secure protocol like https or tls or if the data is encrypted".

Both the login and the data transmission should be encrypted in transit.

An unencrypted client connection call will leave the password vulnerable to sniffing kinds of attacks.

If only the login is encrypted, it leaves the data call vulnerable to sniffing or man-in-the-middle types of attacks.

I have not used the Python driver, but in the documentation they do state:

Our goal is consistency for the connection parameters offered by this driver and the Teradata JDBC Driver, with respect to connection parameter names and functionality.

The short answer is that setting the encryptdata=True parameter should be enough, because as per the Java documentation:

The Teradata JDBC Driver always uses encrypted logons, meaning that the logon password is encrypted in transit over the network to the database.

The Teradata JDBC Driver provides the ENCRYPTDATA connection parameter to turn data encryption on or off for the connection. In this context, "data encryption" refers to the encryption of non-logon message traffic. By default, the Teradata JDBC Driver only encrypts logons, and does not encrypt non-logon message traffic. Specify the JDBC connection parameter ENCRYPTDATA=ON for the Teradata JDBC Driver to encrypt non-logon message traffic.

Though I would highly recommend Trust but Verify, and using a packet sniffer like Wireshark to test the communication. For that, there is a similar thread on SO that should help.

2
Tom Nolan On

Yes, you are correct. Specify the encryptdata=True connection parameter to ensure that message traffic is encrypted for non-HTTPS connections.

If your Teradata database is configured to offer HTTPS connections, then the teradatasql Python driver will use an HTTPS connection automatically.

If the teradatasql Python driver connects to the database via an HTTPS connection, the encryptdata connection parameter is simply ignored, because all message traffic is encrypted with an HTTPS connection.

3
Fred On

The driver defaults to sslmode=prefer so if the database has TLS configured and enabled then both the logon credentials and any data being transmitted will be encrypted using TLS. If you set sslmode=require then the logon would fail if TLS was not available.

If TLS has not been enabled, the logon credentials will be encrypted using legacy TeraGSS encryption. In addition, if the database gateway has the "confidentiality required" flag set or if the client requests encryptdata=true (or both) then the data will also be encrypted using TeraGSS. Otherwise the data will not be encrypted.
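The fallback behaviour described in the answers above can be written as a small model that a client-side review can run. This is an added example, not part of any answer and not teradatasql code: the function names, the ranking of TLS above TeraGSS, and the sample host and user are assumptions, and only the sslmode values mentioned on this page are modelled.

```python
# Added example: a model of the behaviour described in the answers above.
# It is not driver code and never opens a network connection.
from itertools import product


def data_protection(params, tls_available, gateway_confidentiality):
    """Return how non-logon traffic is protected: 'TLS', 'TeraGSS', 'none',
    or 'logon fails' when sslmode=require and the database offers no TLS."""
    sslmode = str(params.get("sslmode", "prefer")).lower()  # default per the answers
    if sslmode not in ("prefer", "require"):
        raise ValueError("only the sslmode values discussed on this page are modelled")
    encryptdata = str(params.get("encryptdata", "false")).lower() == "true"
    if tls_available:
        return "TLS"          # encryptdata is ignored on an HTTPS/TLS connection
    if sslmode == "require":
        return "logon fails"  # fails closed instead of falling back
    if encryptdata or gateway_confidentiality:
        return "TeraGSS"      # legacy encryption of message traffic
    return "none"             # only the logon is encrypted


def worst_case(params):
    """Weakest data protection over every server setup the client cannot see."""
    order = ["none", "TeraGSS", "TLS"]  # assumed ranking, weakest first
    outcomes = {data_protection(params, tls, conf)
                for tls, conf in product((True, False), repeat=2)}
    outcomes.discard("logon fails")     # no session means no data is sent
    return min(outcomes, key=order.index)


def hardened(params):
    """Copy of params that requires TLS; encryptdata is then redundant."""
    return {**params, "sslmode": "require", "encryptdata": "true"}


if __name__ == "__main__":
    base = {"host": "td.example.internal", "user": "app_user"}  # constructed values
    for label, p in [("question's first call", base),
                     ("with encryptdata", {**base, "encryptdata": True}),
                     ("hardened", hardened(base))]:
        print(f"{label:24} worst case: {worst_case(p)}")
```

The worst case matters because the client cannot see whether the database has TLS enabled or the gateway flag set; only sslmode=require makes the connection fail rather than fall back.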