From: | Vipin Madhusoodanan <vipin(dot)madhusoodanan(at)gmail(dot)com> |
---|---|
To: | Tim Cross <theophilusx(at)gmail(dot)com> |
Cc: | raf <raf(at)raf(dot)org>, pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: How to encrypt password in pgpass file |
Date: | 2021-02-24 20:24:56 |
Message-ID: | CAPOO3u4RYAiAWyh5FnUXuw5oi5R=wA-zGEWRtK05+XoZ0tV+UA@mail.gmail.com |
Lists: | pgsql-admin |
Thank you all for the valuable inputs.
We will work on integrating with our password vault and eliminate the use of
the pgpass file for authentication.
Thanks,
Vipin
On Wed, Feb 24, 2021, 12:12 AM Tim Cross <theophilusx(at)gmail(dot)com> wrote:
>
> raf <raf(at)raf(dot)org> writes:
>
> > On Wed, Feb 24, 2021 at 11:27:45AM +1100, Tim Cross <theophilusx(at)gmail(dot)com> wrote:
> >
> >> Vipin Madhusoodanan <vipin(dot)madhusoodanan(at)gmail(dot)com> writes:
> >>
> >> > Hi Team,
> >> >
> >> > We have a security requirement to encrypt passwords in the .pgpass file.
> >> > Could you please advise on the options and steps to be followed to achieve
> >> > this?
> >> >
> >>
> >> Basically, don't use .pgpass. I think .pgpass should be viewed as old
> >> legacy solution which is not terribly compatible with today's security
> >> requirements. I don't think there is support for encrypting the .pgpass
> >> file. Even if you could encrypt the .pgpass file, you would then need to
> >> decrypt it with a passphrase anyway (you could have a key which has no
> >> passphrase, but if that is on the same system, what have you achieved
> >> apart from a false sense of security).
> >>
> >> How to best solve your requirement depends on the specifics of your
> >> requirement. However, often you can implement something more secure by
> >> using environment variables which are set for the process the psql (or
> >> whatever) command executes in. The value for the variable can be
> >> obtained from a secure source, such as a keyring, ldap server, gpg
> >> encrypted file etc.
> >
> > Sometimes, the security requirements are for
> > encryption-at-rest, and it doesn't particularly matter
> > if encryption-at-rest is actually secure against likely
> > threats (sadly).
> >
> > For example, you could use file system encryption (e.g.
> > ecryptfs/LUKS/Linux, FileVault/macOS,
> > BitLocker/Windows). Then all of your files are
> > encrypted at rest, including .pgpass.
> >
>
> Yep, exactly why I said it depends on the specifics of your
> requirements. The sad truth is there are some really poor 'security
> experts' out there and a lot of snake oil sellers making ridiculous sums
> of money for providing poor advice. Often, it is just a box ticking
> exercise that does little to improve, sometimes even weakens, security.
>
> My guess with this one is it is probably something like "No passwords
> will be stored as plain text" or even worse, all passwords must be
> encrypted, which is funny when you think most passwords are not
> encrypted, but instead stored as 1-way hashes.
>
> --
> Tim Cross
>
>
>
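The approach Tim describes above (fetch the password from a secure source at run time and hand it to psql through an environment variable set for that one process, with nothing kept in .pgpass) as an added POSIX sh example; this is not code from the thread or from PostgreSQL. The default secret command (a gpg-encrypted file under ~/.config/pg) and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: run psql without a .pgpass file. The password is fetched
# from a secret source when needed and placed in the environment of the
# psql process only; the caller's shell environment is never changed and
# nothing is written to disk.

# Secret source: any command that prints the password on stdout, e.g.
#   gpg --quiet --batch --decrypt "$HOME/.config/pg/prod.gpg"
#   secret-tool lookup service postgres user app     (libsecret keyring)
# Hypothetical default (gpg-encrypted file); override with PG_SECRET_CMD.
: "${PG_SECRET_CMD:=gpg --quiet --batch --decrypt $HOME/.config/pg/prod.gpg}"

# fetch_secret SECRET_CMD
# Runs the secret command, keeps only the first line of its output and
# fails (non-zero) if the command fails or prints nothing, so a broken
# keyring never results in psql being run with an empty password.
fetch_secret() {
    _out=$(sh -c "$1") || { echo "secret source failed" >&2; return 1; }
    _out=$(printf '%s\n' "$_out" | head -n 1)
    [ -n "$_out" ] || { echo "secret source returned nothing" >&2; return 1; }
    printf '%s' "$_out"
}

# run_with_pgpassword SECRET_CMD COMMAND [ARGS...]
# Sets PGPASSWORD for COMMAND alone (prefix assignment), returns its status.
# Note: other processes running as the same OS user can still read a child's
# environment, so the account running this should be dedicated and locked down.
run_with_pgpassword() {
    _cmd=$1; shift
    _pw=$(fetch_secret "$_cmd") || return 1
    PGPASSWORD="$_pw" "$@"
    _rc=$?
    unset _pw
    return $_rc
}

# Real usage (hypothetical host/db names):
#   run_with_pgpassword "$PG_SECRET_CMD" psql -h db.internal -U app -d prod -c 'select 1'
```

The same wrapper works for pg_dump, pg_restore or any other libpq client, since they all honour PGPASSWORD.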