On 02/21/2014 11:52 PM, Christopher Browne wrote:
>
> The thing you could do instead that would *look* like it is encrypted is
> to use a certificate (e.g. - SSL). The certificate that you'd need to
> put on the client still needs to be in something that is effectively
> plain text (however much it looks like nonsensical encrypted text).
Yep, though the certificate private key may well be stored encrypted
with a passphrase that must be entered via direct user interaction.
It looks like doing it with OpenSSL for libpq you might be able to set a
passphrase callback routine to prompt the user to decrypt a client
certificate. With PgJDBC you use JSSE's keystore support.
Client certificates are a *much* stronger way to do this. Another good
option can be Kerberos. Either way, encrypting .pgpass seems utterly
pointless.
-- Craig Ringer http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
