You can use the gtwcontrol RequireConfidentiality flag to require the use of encryption globally, for all messages between the client and database.
To enable this functionality, use gtwcontrol:
gtwcontrol -x YES
If the system is set up with host groups, which are separate Vantage gateways for groups of IP addresses, you can set the confidentiality requirement separately for each host group, for example:
gtwcontrol -x YES -g [host_ID]
Also see Restricting Logons by Host Group, and Gateway Control (gtwcontrol) in Teradata Vantage™ - Database Utilities, B035-1102.
If no other confidentiality policy applies, a session that is subject to the RequireConfidentiality flag uses the DEFAULT QOP, as configured in the TdgssUserConfigFile.xml.
Teradata Tools and Utilities (TTU) clients: If the RequireConfidentiality flag is set, the gateway server sends the security policy information in the logon response back to the client, informing the client interface (such as ODBC, JDBC, CLI, or .NET Data Provider for Teradata) that all requests must be encrypted for this session. TTU client interfaces are able to read and comply with the security policy information in the logon response. This means the client silently follows the policy and encrypts the messages, whether or not the application enables or disables the data encryption option. So messages are automatically encrypted even though the enable data encryption option was not set. For example, if the user did not set the ODBC DSN encrypt option and RequireConfidentiality is set, messages are encrypted.
If other security policies that require the use of a stronger QOP also apply to the session, the system defers to the stronger QOP.