| From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
|---|---|
| To: | Tim Cross <theophilusx(at)gmail(dot)com> |
| Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: scram-sha-256 encrypted password in pgpass |
| Date: | 2020-06-23 01:53:06 |
| Message-ID: | 20200623015306.GA12369@alvherre.pgsql |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin pgsql-general |
On 2020-Jun-23, Tim Cross wrote:
> If you need to use a password in a command line scenario (i.e. with a
> script), then one way to get around the issue of not storing plain text
> passwords is to use GPG. The basic model is
>
> - Create a GPG key and store it in a secure place, such as a keystore
> - Use that GPG key to encrypt your password in a file e.g. my-secret.gpg
> - In your script, you can have something like
>
> PWD = `gpg -q --for-your-eyes-only --no-tty -d ~/.secure/my-secret.gpg`
Perhaps the way to implement this is to have .pgpass be a named pipe,
and you have a program that produces lines from encrypted input after
requesting a passphrase from the user -- perhaps using gpg underneath.
I have vague recollections of this being discussed in the past.
For example, see this thread from 2013
https://www.postgresql.org/message-id/CAAZKuFaJUfdDFp1_vGHbDfYRu0Sj6mSOVvKRp87aCQ53ov6iwA@mail.gmail.com
--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | vinod kale | 2020-06-23 03:12:38 | automatic switchover / switchback |
| Previous Message | Tim Cross | 2020-06-23 01:02:09 | Re: scram-sha-256 encrypted password in pgpass |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2020-06-23 07:37:38 | Re: scram-sha-256 encrypted password in pgpass |
| Previous Message | Tom Lane | 2020-06-23 01:43:21 | Re: Can the current session be notified and refreshed with a new credentials context? |