Re: Service configuration file and password security

On 02/16/2017 05:57 AM, JP Jacoupy wrote:
> Hello,
>
> This might seem a pretty novice question but I can't find an answer.
>
> Can the password be stored in an encrypted way inside a service
> configuration file?

To be clear you are talking about this, correct?:

https://www.postgresql.org/docs/9.6/static/libpq-pgservice.html

If so then no as I understand it. Assuming you have password
authentication set up to md5, libpq takes care of doing the md5-hash
before sending it to the server. You do have the following options:

1) https://www.postgresql.org/docs/9.6/static/libpq-pgpass.html

2) https://www.postgresql.org/docs/9.6/static/libpq-envars.html

PGPASSWORD behaves the same as the password connection parameter. Use of
this environment variable is not recommended for security reasons, as
some operating systems allow non-root users to see process environment
variables via ps; instead consider using the ~/.pgpass file (see Section
32.15).

PGPASSFILE specifies the name of the password file to use for lookups.
If not set, it defaults to ~/.pgpass (see Section 32.15).

2) And coming in version 10:
http://paquier.xyz/postgresql-2/postgres-10-pgpassfile-connection/

>
> --
> Jacoupy Jean-Philippe
>
>
> Sent from ProtonMail <https://protonmail.ch>, encrypted email based in
> Switzerland.
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com