You can use the gtwcontrol RequireConfidentiality flag to require the use of encryption globally, for all messages between the client and database.
To enable this functionality, use gtwcontrol:
gtwcontrol -x YES
If the system is set up with host groups, which are separate Teradata Gateways for groups of IP addresses, you can set the confidentiality requirement separately for each host group, for example:
gtwcontrol -x YES -g [host_ID]
Also see Restricting Logons by Host Group, and Gateway Control (gtwcontrol) in Utilities.
If no other confidentiality policy applies, a session that is subject to the RequireConfidentiality flag uses the DEFAULT QOP, as configured in the TdgssUserConfigFile.xml.
Teradata Tools and Utilities (TTU) 14.10 and higher clients: If the RequireConfidentiality flag is set, the gateway sends the security policy information to the client in the logon response, informing the client interface (such as ODBC, JDBC, CLI, or .NET Data Provider) that all requests must be encrypted for this session. TTU 14.10 and higher client interfaces can read and comply with this policy information, so the client silently encrypts its messages regardless of whether the application enabled the data encryption option. For example, if the user did not set the ODBC DSN encrypt option and RequireConfidentiality is set, messages are still encrypted.
If other security policies that require the use of a stronger QOP also apply to the session, the system defers to the stronger QOP.
TTU pre-14.10 clients: These client interfaces do not understand the security policy, so they cannot read the policy information that a Teradata Database 14.10 or higher server sends in the logon response when the RequireConfidentiality flag is set. The user must therefore explicitly enable data encryption in TTU pre-14.10 client applications and drivers when connecting to a database server that has the RequireConfidentiality flag set. If the data encryption option is not explicitly enabled in a TTU pre-14.10 client, the gateway sends an error and terminates the session.
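The client rules above can be checked against a client inventory before the flag is set, to find the pre-14.10 clients whose sessions the gateway would terminate. The following is an added example, not Teradata code; the inventory columns, host names, and outcome labels are constructed for illustration.

```python
# Added example: pre-rollout audit for the RequireConfidentiality flag.
# The inventory layout and its rows are constructed sample data; this is
# not a Teradata export format.
import csv
import io

POLICY_AWARE_FROM = (14, 10)  # TTU release that reads the logon-response policy

SAMPLE_INVENTORY = """host,interface,ttu_version,encrypt_enabled
etl01,ODBC,15.10.01.02,no
bi-app,JDBC,14.00.00.21,no
legacy-batch,CLI,13.10.00.05,yes
report02,.NET Data Provider,14.10,no
old-loader,CLI,14.0,no
"""

def parse_version(text):
    """Return (major, minor) as integers, compared numerically, not as a string or float."""
    parts = text.strip().split(".")
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0

def outcome(ttu_version, encrypt_enabled):
    """Classify a client once the flag is set, following the rules on this page."""
    if parse_version(ttu_version) >= POLICY_AWARE_FROM:
        return "encrypted-by-policy"   # client reads and follows the logon response
    if encrypt_enabled:
        return "encrypted-by-client"   # pre-14.10 with encryption explicitly enabled
    return "session-terminated"        # pre-14.10 without the encryption option

def audit(inventory_csv):
    """Map each host to its outcome; unparseable versions are reported, not guessed."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        enabled = row["encrypt_enabled"].strip().lower() in ("yes", "true", "1")
        try:
            results[row["host"]] = outcome(row["ttu_version"], enabled)
        except ValueError:
            results[row["host"]] = "unknown-version"
    return results

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {result}")
```

Hosts reported as session-terminated need the data encryption option enabled, or a client upgrade, before the flag is turned on.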