From: | David Steele <david(at)pgmasters(dot)net> |
---|---|
To: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgbackrest - hiding the encryption password |
Date: | 2021-05-19 19:04:26 |
Message-ID: | 1f0c3412-b101-3e36-1597-37d1d8f3f577@pgmasters.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 5/19/21 2:48 PM, Ron wrote:
> On 5/19/21 1:34 PM, David Steele wrote:
>> On 5/19/21 1:49 PM, Ron wrote:
>>>
>>> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root
>>> and 633 perms. Normally, that's ok, but is a horrible idea when it's
>>> a plaintext file, and stores the pgbackrest encryption password.
>>>
>>> Would pgbackrest (or something else) break if I change it to
>>> postgres:postgres 600 perms?
>>
>> Nothing will break as far as I know. As long as pgbackrest can read
>> the file it will be happy.
>>
>>> Is there a better way of hiding the password so that only user
>>> postgres can see it?
>>
>> You could use an environment variable in postgres' environment, see
>> https://pgbackrest.org/command.html#introduction.
>>
>> In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx
>
> Similarly there's PGBACKREST_REPO1_CIPHER_TYPE?
All options can be set through the environment. See the link for details.
Regards,
--
-David
david(at)pgmasters(dot)net
From | Date | Subject | |
---|---|---|---|
Next Message | Bryn Llewellyn | 2021-05-20 00:50:07 | Re: The contents of the pg_timezone_names view bring some surprises |
Previous Message | Ron | 2021-05-19 19:03:04 | Re: pgbackrest - hiding the encryption password |