| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Jose Berardo <joseberardo(at)gmail(dot)com> |
| Cc: | Martin Münstermann <mmuenst(at)gmx(dot)de>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: PostgreSQL with SSL |
| Date: | 2010-04-15 21:30:15 |
| Message-ID: | 24692.1271367015@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Jose Berardo <joseberardo(at)gmail(dot)com> writes:
>>> - Is it possible to store the server.key in a ciphered file with
>> No.
> I believe that it may be a good idea, it may bring another security level,
Not really.
> Just saving the private key file inside the cluster with no privilegies for
> other users (the server suggests 0600 mask for it) is still sufficient to
> protected the key?
If someone can access that file, they can also attach to the running
server process and pull the decrypted key out of it. In any case,
providing the server with the key to decrypt the ssl key is not going
to be convenient in operation. You're not going to want to store that
key on disk are you? Do you want somebody around to manually provide
it every time the server restarts? That gets old pretty fast, when
all it's buying you is a largely-imaginary security gain.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Frederiko Costa | 2010-04-15 21:33:12 | Wal Segment files Backup Strategy for archiving |
| Previous Message | Jose Berardo | 2010-04-15 21:22:10 | Re: PostgreSQL with SSL |