Home > mailing lists

Have an encrypted pgpass file - Mailing list pgsql-hackers

From	Marco van Eck
Subject	Have an encrypted pgpass file
Date	July 18, 2018 23:46:26
Msg-id	CAE35ztOGZqgwae3mBA=L97pSg3kvin2xycQh=ir=5NiwCApiYQ@mail.gmail.com Whole thread Raw
Responses	Re: Have an encrypted pgpass file (Thomas Munro <thomas.munro@enterprisedb.com>) Re: Have an encrypted pgpass file (Alvaro Herrera <alvherre@2ndquadrant.com>)
List	pgsql-hackers

Tree view

Hi,

Since .pgpass files contain plain-text passwords, I searched for an alternative.

In the attached patch I've added the possibility to run a command to produce the content of the pgpass file, in exactly the same format. In this way I could use gpg or any other command to decrypt a pgpass file. It will prefer the .pgpass file and will not call the command.

This would be my environment variable, to have no plain-text password:

PGPASSCOMMAND="gpg -q -d pgpass.gpg"

Other usages of the variable:

PGPASSCOMMAND="cat pgpass"

PGPASSCOMMAND="curl http://passwords/really-unsecure-pgpass"

PGPASSCOMMAND="my-own-secure-pgpass-script"

The submitted patch does it's job, though the command could throw errors.

What do you think of this solution?

Best regards,

Marco van Eck

Attachment

pgpasscommand_v1.patch

pgsql-hackers by date:

From: Robert Haas
Date: 18 July 2018, 23:03:20
Subject: Re: ENOSPC FailedAssertion("!(RefCountErrors == 0)"

From: Tom Lane
Date: 19 July 2018, 00:05:17
Subject: Re: ENOSPC FailedAssertion("!(RefCountErrors == 0)"

Have an encrypted pgpass file - Mailing list pgsql-hackers

Attachment

Previous

Next