
How can I create a secure connection with teradatasql?


I am using the teradatasql 17.20.0.32 Python package to connect to Teradata via Python.

The documentation shows a lot of connection parameters, and with my limited knowledge of security concepts I am not sure whether the way I am using the Python package is secure.

From my perspective a secure way to connect to the database is if we are using a secure protocol like https or tls or if the data is encrypted. (Feel free to add your viewpoint on this)

My code looks like this:

import teradatasql

conn = teradatasql.connect(host=host, user=user_name, password=password)
cursor = conn.cursor()
cursor.autocommit = True
try:
  pass  # [... execute some queries here..]
finally:
  cursor.close()
  conn.close()

I have read about the encryptdata parameter that can be given to the connect function:

conn = teradatasql.connect(host=host, user=user_name, password=password, encryptdata=True)

But I am not sure if this really does the trick.

So in short I have two questions:

  1. What is considered a secure connection?
  2. How can I establish such a secure connection while using password and username authentication?

Solution

  • I would just replace "or" with "and" in your question string "secure protocol like https or tls or if the data is encrypted".

    Both the login and the data transmission should be encrypted in transit.

    An unencrypted client connection call will leave the password vulnerable to sniffing kind of attacks.

    If only the login is encrypted, it leaves the data call vulnerable to sniffing or man-in-the-middle type of attacks.

    I have not used the Python driver, but in the documentation they do state:

    Our goal is consistency for the connection parameters offered by this driver and the Teradata JDBC Driver, with respect to connection parameter names and functionality.

    Short answer is that setting the encryptdata=True parameter should be enough, because as per the Java documentation:

    The Teradata JDBC Driver always uses encrypted logons, meaning that the logon password is encrypted in transit over the network to the database.

    The Teradata JDBC Driver provides the ENCRYPTDATA connection parameter to turn data encryption on or off for the connection. In this context, "data encryption" refers to the encryption of non-logon message traffic. By default, the Teradata JDBC Driver only encrypts logons, and does not encrypt non-logon message traffic. Specify the JDBC connection parameter ENCRYPTDATA=ON for the Teradata JDBC Driver to encrypt non-logon message traffic.

    Though I would highly recommend "Trust but Verify" and using a packet sniffer like Wireshark to test the communication. For that, there is a similar thread on SO that should help.
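
One way to automate the "verify" step from the answer above, as an added example that is not part of the original question or answer: run a query containing a unique canary literal once without and once with encryptdata, save each capture from Wireshark in classic pcap format, and search the packets for the canary. The function names, the canary value and the sample captures are constructed for illustration; the check assumes the canary is short enough to fit in one packet.

```python
import hashlib
import struct

# Classic libpcap magic numbers (microsecond timestamps) -> struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def iter_packets(pcap_bytes):
    """Yield the raw bytes of each packet in a classic pcap capture (not pcapng)."""
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap capture")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, offset + 8)[0]
        offset += 16  # skip the per-packet record header
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len

def find_canary(pcap_bytes, canary):
    """Return the indexes of packets that contain the canary string in cleartext."""
    needles = [canary.encode(enc) for enc in ("utf-8", "utf-16-le", "utf-16-be")]
    return [i for i, pkt in enumerate(iter_packets(pcap_bytes))
            if any(n in pkt for n in needles)]

def build_pcap(payloads):
    """Build a constructed sample capture; real input comes from Wireshark or tcpdump."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

# Constructed sample data: the query you would send is SELECT 'TDCANARY-7f3a9c'.
CANARY = "TDCANARY-7f3a9c"
QUERY = ("SELECT '%s'" % CANARY).encode("utf-8")
CLEAR_CAPTURE = build_pcap([b"logon-bytes", QUERY, CANARY.encode("utf-8")])
# Stand-in for encrypted traffic: hash output, so the canary never appears.
ENCRYPTED_CAPTURE = build_pcap([b"logon-bytes", hashlib.sha256(QUERY).digest()])

if __name__ == "__main__":
    for name, cap in (("clear", CLEAR_CAPTURE), ("encrypted", ENCRYPTED_CAPTURE)):
        hits = find_canary(cap, CANARY)
        print(name, "-> canary visible in packets", hits if hits else "none")
```

An empty result for the capture taken with encryptdata=True, together with hits for the capture taken without it, is the evidence that non-logon traffic is encrypted on the wire.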