
Background

This article explains how encryption works in the Exasol database.

It answers questions such as:

  • Is data transferred over a client connection encrypted by default?
  • How can I check whether encryption is enabled for a connection?
  • How do I enable or disable encryption?
  • What is the parameter forceProtocolEncryption used for?
  • How can encrypted client connections be enforced?


Explanation

In the Exasol database, data transferred over the network is encrypted by default (from Exasol version 6.0 and above). Exasol uses ChaCha20 encryption for JDBC, ODBC, ADO.NET, and CLI. For WebSockets, Exasol uses TLS v1.2 encryption.

On all clients and drivers, encryption can be switched on or off with the respective connection string parameter, for example:

  • EXAPlus: -encryption <ON|OFF>
  • JDBC: encryption=<1|0> (1 = on, 0 = off, default is 1)
  • ODBC: ENCRYPTION=<"Y"|"N"> (Y is the default)
  • ADO.NET: encryption=<ON|OFF> (ON is the default)


How to check whether a connection's data transfer was encrypted:

Check the 'encrypted' column in the exa_dba_sessions (current sessions) or exa_dba_audit_sessions (session history) system tables; it shows whether encryption was true or false for that particular session.
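The following queries are an added example (not part of the original article) of using the 'encrypted' column to find unencrypted connections, first among current sessions and then in the audit history. Column names other than ENCRYPTED follow the Exasol system table documentation; EXA_DBA_AUDIT_SESSIONS is only populated if auditing is enabled for the database in EXAoperation.

```sql
-- 1) Currently connected sessions that are NOT using protocol encryption.
--    CLIENT and DRIVER help to identify which application or driver version
--    is opening unencrypted connections; HOST shows where it comes from.
SELECT session_id,
       user_name,
       client,
       driver,
       host,
       login_time
FROM   exa_dba_sessions
WHERE  encrypted = FALSE
ORDER  BY login_time;

-- 2) Historical view: how many logins per client/driver were unencrypted
--    during the last 30 days (requires auditing to be enabled).
--    Useful before setting -forceProtocolEncryption=1, because drivers that
--    do not support encryption at all will be rejected afterwards.
SELECT client,
       driver,
       COUNT(*)                                   AS unencrypted_logins,
       COUNT(DISTINCT user_name)                  AS distinct_users,
       MIN(login_time)                            AS first_seen,
       MAX(login_time)                            AS last_seen
FROM   exa_dba_audit_sessions
WHERE  encrypted = FALSE
  AND  success   = TRUE
  AND  login_time >= ADD_DAYS(CURRENT_TIMESTAMP, -30)
GROUP  BY client, driver
ORDER  BY unencrypted_logins DESC;
```

An empty result for the first query after setting -forceProtocolEncryption=1 and restarting the database confirms that the parameter is in effect for all current connections.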


The parameter forceProtocolEncryption:

In addition to these driver properties, a database parameter can be set in EXAoperation to force incoming connections to be encrypted. The parameter is -forceProtocolEncryption=1. It can be set when the database is created, or added to an existing database in EXAoperation, after which the database must be restarted for it to take effect.


Further clarifications:

If the parameter '-forceProtocolEncryption=1' is set on the database, protocol encryption is FORCED (i.e. required) by Exasol for the connection, regardless of what the client requests. If either Exasol or the client requests encryption, encryption is used.

In other words, no matter which client or driver you use, if '-forceProtocolEncryption=1' is set on the database, all connections are encrypted.


Additional notes:

With '-forceProtocolEncryption=1', clients are only rejected if they do not support encryption at all (e.g. older drivers).
An unencrypted connection is only possible if both Exasol and the client disable encryption.

With this parameter set, the connection is encrypted even if encryption is switched off on the client/driver side; the only exception is a driver that is too old to support encryption at all, which is rejected rather than allowed in unencrypted. Without the parameter, a client/driver that switches encryption off is allowed to transfer data UNENCRYPTED.


Additional references:

https://docs.exasol.com/planning/data_security.htm?Highlight=encryption#GeneralConcepts

https://docs.exasol.com/sql_references/metadata/metadata_system_tables.htm

Related bug: EXASOL-2649