Re: pgbackrest - hiding the encryption password - Mailing list pgsql-general

From Ron
Subject Re: pgbackrest - hiding the encryption password
Date
Msg-id 601786c6-f601-81d1-0cff-5bdd783c96dd@gmail.com
Whole thread Raw
In response to Re: pgbackrest - hiding the encryption password  (Stephen Frost <sfrost@snowman.net>)
List pgsql-general
On 5/19/21 1:33 PM, Stephen Frost wrote:
> Greetings,
>
> * Ron (ronljohnsonjr@gmail.com) wrote:
>> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633
>> perms.  Normally, that's ok, but is a horrible idea when it's a plaintext
>> file, and stores the pgbackrest encryption password.
>>
>> Would pgbackrest (or something else) break if I change it to
>> postgres:postgres 600 perms?
> As long as it can be read by the user performing backups/restores and
> archive-push/archive-get, it should be fine.
>
>> Is there a better way of hiding the password so that only user postgres can
>> see it?
> This is a bit like asking how to 'hide' the encrypted private key for
> SSL/TLS.  Anywhere you hide it, if you want things to actually work in
> an automated fashion, is also going to need to be available all the
> time..  In particular, archive-push gets run a lot and you don't want
> that to fail or to wait for someone to provide an encryption key.

That's what I figured.  Thanks.


-- 
Angular momentum makes the world go 'round.



pgsql-general by date:

Previous
From: David Steele
Date:
Subject: Re: pgbackrest - hiding the encryption password
Next
From: Ron
Date:
Subject: Re: pgbackrest - hiding the encryption password