hiding encrypt/decrypt password

From: "Little, Doug" <doug(dot)little(at)hp(dot)com>
To: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: hiding encrypt/decrypt password
Date: 2014-01-15 18:49:14
Message-ID: 2A0F9DB3D5FA2F46A7325B922D7AF2D6C172CB@G6W2487.americas.hpqcorp.net
Lists: pgsql-admin

Hi,

My customer wants to use a fixed password for the pgcrypto pgp_sym_encrypt/decrypt functions.
The pgp function calls will be isolated to a custom function for decrypt and 3 encrypt functions (text, date, timestamp signatures).
There is a separate function to return if a user is authorized to decrypt, so don't worry about that part.

All registered users (not public) will be able to execute the decrypt function.

Any suggestions about how to hide the password?
I've thought of:

1. External function. External functions call compiled code, so you only see the function call, not the content. External functions need to be coded in C. I don't have the experience to implement it. Couldn't users execute the function directly and get the decrypted password?

2. Python function that opens an OS session. Once the session is started, it can interact with the OS and use the OpenSSL function to decrypt the password stored in an OS file. The decrypt password could be stored in a different OS file. Same issue: can't users execute the function and get the password?

Thanks in advance for your thoughts.
Doug Little
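
One way to arrange the wrapper setup described in the message above, as an added example that is not part of the original post and not pgcrypto's own code: the passphrase sits in a table readable only by a non-login owner role, and SECURITY DEFINER wrappers use it without ever returning it. Every role, schema, table and function name here is hypothetical; it assumes pgcrypto is installed in `public` and the script is run by a superuser.

```sql
-- Added example: run as a superuser; every role, schema, table and function name is hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto SCHEMA public;  -- assumption: pgcrypto lives in public
CREATE ROLE crypto_owner NOLOGIN;      -- owns the key table and the wrappers
CREATE ROLE registered_users NOLOGIN;  -- group standing in for "all registered users"
CREATE ROLE decrypt_users NOLOGIN;     -- group consulted by the stand-in authorization check
CREATE SCHEMA app_crypto AUTHORIZATION crypto_owner;
GRANT USAGE ON SCHEMA app_crypto TO registered_users;
SET ROLE crypto_owner;  -- everything below is created, and so owned, by crypto_owner

-- Single-row key table with no grants: only its owner (and superusers) can read it.
CREATE TABLE app_crypto.key_store (
    id         boolean PRIMARY KEY DEFAULT true CHECK (id),
    passphrase text NOT NULL
);
-- Constructed placeholder value; load the real passphrase out of band.
INSERT INTO app_crypto.key_store (passphrase) VALUES ('<PLACEHOLDER-PASSPHRASE>');

-- Stand-in for the poster's existing "is this user authorized to decrypt" function.
CREATE FUNCTION app_crypto.is_decrypt_authorized() RETURNS boolean
LANGUAGE sql STABLE
AS $$ SELECT pg_has_role(session_user, 'decrypt_users'::name, 'MEMBER') $$;

-- Encrypt wrapper (text signature); date/timestamp overloads would cast to text first.
CREATE FUNCTION app_crypto.encrypt_text(p_plain text) RETURNS bytea
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- pin the path so callers cannot shadow objects
AS $$
    SELECT public.pgp_sym_encrypt(p_plain, k.passphrase) FROM app_crypto.key_store k
$$;

-- Decrypt wrapper: checks authorization, returns plaintext, never the passphrase.
CREATE FUNCTION app_crypto.decrypt_text(p_cipher bytea) RETURNS text
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    IF NOT app_crypto.is_decrypt_authorized() THEN
        RAISE EXCEPTION 'not authorized to decrypt' USING ERRCODE = 'insufficient_privilege';
    END IF;
    RETURN (SELECT public.pgp_sym_decrypt(p_cipher, k.passphrase)
            FROM app_crypto.key_store k);
END
$$;

-- Functions are executable by PUBLIC by default; restrict them to the intended group.
REVOKE ALL ON FUNCTION app_crypto.encrypt_text(text), app_crypto.decrypt_text(bytea),
                       app_crypto.is_decrypt_authorized() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app_crypto.encrypt_text(text), app_crypto.decrypt_text(bytea)
    TO registered_users;
RESET ROLE;
```

The passphrase never appears in `pg_proc.prosrc` and no function returns it, so a caller of `decrypt_text` obtains plaintext only; superusers and anyone with access to the data files or backups can still read `key_store`.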
