From: | "Tomas Vondra" <tv(at)fuzzy(dot)cz> |
---|---|
To: | "Christopher Browne" <cbbrowne(at)gmail(dot)com> |
Cc: | "firoz e v" <firoz(dot)ev(at)huawei(dot)com>, "PostgreSQL-development" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Storing the password in .pgpass file in an encrypted format |
Date: | 2014-02-21 17:11:14 |
Message-ID: | cfce17d70564e637fa55d130291f1b94.squirrel@sq.gransy.com |
Lists: | pgsql-hackers |
Hi,
On 21 February 2014, 16:52, Christopher Browne wrote:
> On Fri, Feb 21, 2014 at 7:49 AM, firoz e v <firoz(dot)ev(at)huawei(dot)com> wrote:
>
>> Hi,
>>
>> Is there a way to store the password in ".pgpass" file in an encrypted
>> format (for example, to be used by pg_dump).
>>
>> Even though, there are ways to set the permissions on .pgpass, to
>> disallow
>> any access to world or group, the security rules of many organizations
>> disallow to hold any kind of passwords, as plain text.
>>
>> If there is no existing way to do this, shall we take up this, as a
>> patch?
>>
>
> As observed by others, storing the password in encrypted form in .pgpass
> merely means that you need to store the password to decrypt .pgpass in
> still another file that would, again, run afoul of such security policies.
> There is no appetite in the community to do implementation work that is
> provably useless as it cannot accomplish what people imagine to
> accomplish.
Sure. If you want to log in without any user interaction, then the
password needs to be stored in a form equal to cleartext (e.g. with a
key). It's mostly security by obscurity.
What I think might be useful and safe at the same time is encrypted
.pgpass with tools asking for the encryption key. Think of it as a simple
password wallet - not really useful if you're connecting to a single
database, very useful if you have many as you only need to remember the
single password.
If the encrypted passwords were stored in a separate file (say
.pgpass.wallet) then this should not break the current tools. The tools
would do this:
1) exists .pgpass?
1.a) read .pgpass -> is there a matching record? (yes -> stop)
2) exists .pgpass.wallet?
2.a) ask for encryption key
2.b) read .pgpass using the decryption key
2.c) is there a matching record? (yes -> stop)
3) ask for connection info directly
BTW yes, I know what kerberos is, but many of us are dealing with
companies that don't use it.
regards
Tomas
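As an added illustration of the lookup order sketched in this message (example code, not from the thread or from libpq), the following Python parses .pgpass-style records with the `*` wildcard and backslash escaping that libpq uses, then applies the fallback order .pgpass, then .pgpass.wallet after asking for the key, then a prompt. `find_password`, `wallet_decrypt`, `ask_key` and the sample records are constructed for this example; the wallet's actual cipher is left to the caller, since the thread does not settle on one.

```python
def parse_pgpass(text):
    """Parse .pgpass content: host:port:database:user:password per line.
    '#' comments are skipped; a backslash escapes ':' or '\\' inside a field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields, cur, esc = [], "", False
        for ch in line:
            if esc:
                cur, esc = cur + ch, False
            elif ch == "\\":
                esc = True
            elif ch == ":":
                fields.append(cur)
                cur = ""
            else:
                cur += ch
        fields.append(cur)
        if len(fields) == 5:  # malformed lines are ignored, never treated as a match
            entries.append(tuple(fields))
    return entries

def match(entries, host, port, dbname, user):
    """First matching line wins; a literal '*' in a field matches anything."""
    wanted = (host, str(port), dbname, user)
    for entry in entries:
        if all(f == "*" or f == w for f, w in zip(entry[:4], wanted)):
            return entry[4]
    return None

def find_password(conn, pgpass_text=None, wallet_decrypt=None, ask_key=None):
    """Lookup order from the mail: 1) plaintext .pgpass, 2) .pgpass.wallet
    after prompting for the key, 3) None so the caller prompts for a password.
    Returns (password, source) so callers can see which step answered."""
    if pgpass_text is not None:
        pw = match(parse_pgpass(pgpass_text), *conn)
        if pw is not None:
            return pw, ".pgpass"
    if wallet_decrypt is not None and ask_key is not None:
        pw = match(parse_pgpass(wallet_decrypt(ask_key())), *conn)
        if pw is not None:
            return pw, ".pgpass.wallet"
    return None, "prompt"

# Constructed sample data (hypothetical hosts); demo_decrypt stands in for the
# real key-based decryption and yields nothing on a wrong key.
PGPASS = "# plaintext file\nlocalhost:5432:*:alice:open\\:sesame\n"
WALLET = "db1.example.org:5432:sales:alice:w1\ndb2.example.org:*:*:alice:w2\n"
demo_decrypt = lambda key: WALLET if key == "wallet-key" else ""
```

Because step 1 always wins, a stray plaintext .pgpass silently bypasses the wallet; that is the condition to check for when such a wallet is rolled out under a "no cleartext passwords" policy.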