Re: PostgreSQL with SSL - Mailing list pgsql-admin

From Tom Lane
Subject Re: PostgreSQL with SSL
Date
Msg-id 24692.1271367015@sss.pgh.pa.us
Whole thread Raw
In response to Re: PostgreSQL with SSL  (Jose Berardo <joseberardo@gmail.com>)
Responses Re: PostgreSQL with SSL
List pgsql-admin
Jose Berardo <joseberardo@gmail.com> writes:
>>> - Is it possible to store the server.key in a ciphered  file with

>> No.

> I believe that it may be a good idea, it may bring another security level,

Not really.

> Just saving the private key file inside the cluster with no privilegies for
> other users (the server suggests 0600 mask for it) is still sufficient to
> protected the key?

If someone can access that file, they can also attach to the running
server process and pull the decrypted key out of it.  In any case,
providing the server with the key to decrypt the ssl key is not going
to be convenient in operation.  You're not going to want to store that
key on disk are you?  Do you want somebody around to manually provide
it every time the server restarts?  That gets old pretty fast, when
all it's buying you is a largely-imaginary security gain.

            regards, tom lane

pgsql-admin by date:

Previous
From: Jose Berardo
Date:
Subject: Re: PostgreSQL with SSL
Next
From: Frederiko Costa
Date:
Subject: Wal Segment files Backup Strategy for archiving