Thread: pgbackrest - hiding the encryption password
Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633 perms. Normally, that's ok, but is a horrible idea when it's a plaintext file, and stores the pgbackrest encryption password. Would pgbackrest (or something else) break if I change it to postgres:postgres 600 perms? Is there a better way of hiding the password so that only user postgres can see it? -- Angular momentum makes the world go 'round.
Greetings, * Ron (ronljohnsonjr@gmail.com) wrote: > Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633 > perms. Normally, that's ok, but is a horrible idea when it's a plaintext > file, and stores the pgbackrest encryption password. > > Would pgbackrest (or something else) break if I change it to > postgres:postgres 600 perms? As long as it can be read by the user performing backups/restores and archive-push/archive-get, it should be fine. > Is there a better way of hiding the password so that only user postgres can > see it? This is a bit like asking how to 'hide' the encrypted private key for SSL/TLS. Anywhere you hide it, if you want things to actually work in an automated fashion, is also going to need to be available all the time.. In particular, archive-push gets run a lot and you don't want that to fail or to wait for someone to provide an encryption key. Thanks, Stephen
Attachment
On 5/19/21 1:49 PM, Ron wrote: > > Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and > 633 perms. Normally, that's ok, but is a horrible idea when it's a > plaintext file, and stores the pgbackrest encryption password. > > Would pgbackrest (or something else) break if I change it to > postgres:postgres 600 perms? Nothing will break as far as I know. As long as pgbackrest can read the file it will be happy. > Is there a better way of hiding the password so that only user postgres > can see it? You could use an environment variable in postgres' environment, see https://pgbackrest.org/command.html#introduction. In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx Regards, -- -David david@pgmasters.net
On 5/19/21 1:33 PM, Stephen Frost wrote: > Greetings, > > * Ron (ronljohnsonjr@gmail.com) wrote: >> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633 >> perms. Normally, that's ok, but is a horrible idea when it's a plaintext >> file, and stores the pgbackrest encryption password. >> >> Would pgbackrest (or something else) break if I change it to >> postgres:postgres 600 perms? > As long as it can be read by the user performing backups/restores and > archive-push/archive-get, it should be fine. > >> Is there a better way of hiding the password so that only user postgres can >> see it? > This is a bit like asking how to 'hide' the encrypted private key for > SSL/TLS. Anywhere you hide it, if you want things to actually work in > an automated fashion, is also going to need to be available all the > time.. In particular, archive-push gets run a lot and you don't want > that to fail or to wait for someone to provide an encryption key. That's what I figured. Thanks. -- Angular momentum makes the world go 'round.
On 5/19/21 1:34 PM, David Steele wrote: > On 5/19/21 1:49 PM, Ron wrote: >> >> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and >> 633 perms. Normally, that's ok, but is a horrible idea when it's a >> plaintext file, and stores the pgbackrest encryption password. >> >> Would pgbackrest (or something else) break if I change it to >> postgres:postgres 600 perms? > > Nothing will break as far as I know. As long as pgbackrest can read the > file it will be happy. > >> Is there a better way of hiding the password so that only user postgres >> can see it? > > You could use an environment variable in postgres' environment, see > https://pgbackrest.org/command.html#introduction. > > In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx Similarly there's PGBACKREST_REPO1_CIPHER_TYPE? -- Angular momentum makes the world go 'round.
On 5/19/21 1:34 PM, David Steele wrote: > On 5/19/21 1:49 PM, Ron wrote: >> >> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and >> 633 perms. Normally, that's ok, but is a horrible idea when it's a >> plaintext file, and stores the pgbackrest encryption password. >> >> Would pgbackrest (or something else) break if I change it to >> postgres:postgres 600 perms? > > Nothing will break as far as I know. As long as pgbackrest can read the > file it will be happy. > >> Is there a better way of hiding the password so that only user postgres >> can see it? > > You could use an environment variable in postgres' environment, see > https://pgbackrest.org/command.html#introduction. > > In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx > > Regards, That worked after I exported the environment variables. -- Angular momentum makes the world go 'round.
On 5/19/21 2:48 PM, Ron wrote: > On 5/19/21 1:34 PM, David Steele wrote: >> On 5/19/21 1:49 PM, Ron wrote: >>> >>> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root >>> and 633 perms. Normally, that's ok, but is a horrible idea when it's >>> a plaintext file, and stores the pgbackrest encryption password. >>> >>> Would pgbackrest (or something else) break if I change it to >>> postgres:postgres 600 perms? >> >> Nothing will break as far as I know. As long as pgbackrest can read >> the file it will be happy. >> >>> Is there a better way of hiding the password so that only user >>> postgres can see it? >> >> You could use an environment variable in postgres' environment, see >> https://pgbackrest.org/command.html#introduction. >> >> In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx > > Similarly there's PGBACKREST_REPO1_CIPHER_TYPE? All options can be set through the environment. See the link for details. Regards, -- -David david@pgmasters.net
On 2021-05-19 12:49:42 -0500, Ron wrote:
> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633
> perms.
Did you mean 644? 633 would be very strange permissions (write and
execute but not read for group and others).
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
Attachment
On 5/22/21 5:52 AM, Peter J. Holzer wrote: > On 2021-05-19 12:49:42 -0500, Ron wrote: >> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633 >> perms. > Did you mean 644? 633 would be very strange permissions (write and > execute but not read for group and others). Yes, I noticed that later. :) -- Angular momentum makes the world go 'round.