Re: WIP: Data at rest encryption

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Ants Aasma <ants(dot)aasma(at)eesti(dot)ee>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: Data at rest encryption
Date: 2017-06-14 21:41:19
Message-ID: 20170614214119.GL1769@tamriel.snowman.net
Lists: pgsql-hackers

Peter,

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 6/13/17 18:11, Stephen Frost wrote:
> >> Let's see a proposal in those terms then. How easy can you make it,
> >> compared to existing OS-level solutions, and will that justify the
> >> maintenance overhead?
> > From the original post on this thread, which included a WIP patch:
> >
> > ----------------------------------
> > Usage
> > =====
> >
> > Set up database like so:
> >
> > (read -sp "Postgres passphrase: " PGENCRYPTIONKEY; echo;
> > export PGENCRYPTIONKEY
> > initdb -k -K pgcrypto $PGDATA )
> >
> > Start PostgreSQL:
> >
> > (read -sp "Postgres passphrase: " PGENCRYPTIONKEY; echo;
> > export PGENCRYPTIONKEY
> > postgres $PGDATA )
> > ----------------------------------
>
> Relying on environment variables is clearly pretty crappy. So if that's
> the proposal, then I think it needs to be better.

I don't believe that was ever intended to be the final solution; I was
just pointing out that it's what the WIP patch did.

The discussion had moved into having a command called which provided the
key on stdout, as I recall, allowing it to be whatever the user wished,
including binary of any kind.

If you have other suggestions, I'm sure they would be well received. As
to the question of complexity, it certainly looks like it'll probably be
quite straightforward for users to use.

Thanks!

Stephen
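The two key-provisioning shapes discussed above, as an added example that is not code from the WIP patch or from any poster in the thread: a passphrase exported in the environment (the patch's PGENCRYPTIONKEY) is inherited by every child process, whereas a configured command that emits the raw key on stdout keeps it out of the environment and allows arbitrary binary. The names `key_command` and `fetch_key_hex` are stand-ins, not PostgreSQL settings.

```shell
#!/bin/sh
# Shape 1: passphrase exported in the environment. Every process the server
# forks (archive_command, COPY ... TO PROGRAM, etc.) inherits it, and tools
# such as `ps e` or /proc/<pid>/environ show it to anyone allowed to inspect
# the process. Returns how many times a child process can see the variable.
count_child_env_exposure() {
    PGENCRYPTIONKEY="$1"; export PGENCRYPTIONKEY
    n=$(sh -c 'env' | grep -c '^PGENCRYPTIONKEY=' || true)
    unset PGENCRYPTIONKEY
    echo "$n"
}

# Shape 2: a configured command writes the raw key to stdout. Constructed
# stand-in returning 32 bytes that include NUL, newline and CR, to show that
# the channel is binary-safe (a real command would call a KMS client, read a
# hardware token, etc.).
key_command() {
    printf '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017'
    printf '\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037'
}

# Read the key from the command's stdout and hex-encode it so the shell can
# hold it losslessly. Nothing is exported, so no child inherits it.
fetch_key_hex() {
    key_command | od -An -v -tx1 | tr -d ' \n'
}

# After fetching the key this way, a child process sees no key material.
count_child_env_exposure_after_command() {
    key_hex=$(fetch_key_hex)
    sh -c 'env' | grep -cF "$key_hex" || true
}
```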
