Re: Have an encrypted pgpass file

From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: Marco van Eck <marco(dot)vaneck(at)gmail(dot)com>
Cc: Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Have an encrypted pgpass file
Date: 2018-07-18 21:33:10
Message-ID: CAEepm=30M_ndJp2QMoR1Pt3Lg3qq3oC1fCZYTcsV=p1SR0U=VQ@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jul 19, 2018 at 5:46 AM, Marco van Eck <marco(dot)vaneck(at)gmail(dot)com> wrote:
> Since .pgpass files contain plain-text passwords, I searched for an
> alternative.
> In the attached patch I've added the possibility to run a command to produce
> the content of the pgpass file, in exactly the same format. In this way I
> could use gpg or any other command to decrypt a pgpass file. It will prefer
> the .pgpass file and will not call the command.
>
> This would be my environment variable, to have no plain-text password:
> PGPASSCOMMAND="gpg -q -d pgpass.gpg"
>
> Other usages of the variable:
> PGPASSCOMMAND="cat pgpass"
> PGPASSCOMMAND="curl http://passwords/really-unsecure-pgpass"
> PGPASSCOMMAND="my-own-secure-pgpass-script"

Hi Marco

I've heard requests for encrypted .pgpass files before, and I've
always been a bit confused about how an unattended system is supposed
to decrypt them. If the key is in the configuration file or local
filesystem, it feels like you haven't really added much security over
a plaintext password, since an attacker who can steal the .pgpass file
can steal those things too.

There are other database systems out there where passwords are held in
an encrypted form but with only a small amount of digging on the
internet you can find out how to decrypt them. Seems a bit bogus, at
first glance anyway.

Here you sidestep those questions completely and make that the end
user's problem. I like it.

--
Thomas Munro
http://www.enterprisedb.com
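The lookup behaviour Marco describes (prefer the .pgpass file, otherwise run a command whose stdout is in the same host:port:database:username:password format) is shown here as an added illustration; this is not the patch from the thread nor libpq code, and the constant names, the sample entries and the helper functions are constructed for the example. It also handles the format's backslash escapes for ':' and '\' and a permission check on the file.

```python
"""Added example: .pgpass-style lookup with a PGPASSCOMMAND-style fallback.
Not the thread's patch and not libpq; names and sample data are constructed."""
import os
import shlex
import stat
import subprocess
import sys
import tempfile
from typing import List, Optional

# Constructed sample in the .pgpass format. In a real file each line is
# host:port:database:username:password; ':' or '\' inside a field is escaped
# with a backslash, and '*' matches anything in the first four fields.
SAMPLE_PGPASS = "\n".join([
    "# constructed sample, same format as ~/.pgpass",
    "db1.example.internal:5432:app:appuser:s3cret",
    "*:*:*:replicator:pass\\:with\\:colons",
    "*:*:*:*:fallback-password",
])


def parse_pgpass_line(line: str) -> Optional[List[str]]:
    """Split one line into [host, port, db, user, password].

    Only the first four fields are delimited by unescaped ':'; everything after
    the fourth separator is the password, with escapes resolved.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # '\:' or '\\' -> literal char
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":" and len(fields) < 4:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields if len(fields) == 5 else None


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def lookup_password(text: str, host: str, port, dbname: str, user: str) -> Optional[str]:
    """Return the password of the first matching entry, or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = parse_pgpass_line(line)
        if fields is None:
            continue
        h, p, d, u, password = fields
        if _matches(h, host) and _matches(p, str(port)) and _matches(d, dbname) and _matches(u, user):
            return password
    return None


def load_pgpass_text(path: Optional[str], command: Optional[str]) -> Optional[str]:
    """Prefer the file; fall back to the command; None if neither is usable."""
    if path and os.path.isfile(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if os.name != "nt" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is group/world accessible (mode {mode:o})")
        with open(path, encoding="utf-8") as f:
            return f.read()
    if command:
        # shlex.split + shell=False: the string is tokenised like a shell would,
        # but no shell runs, so '$(...)' or ';' in the variable is not interpreted.
        proc = subprocess.run(shlex.split(command), capture_output=True, text=True, check=True)
        return proc.stdout
    return None


def get_password(host: str, port, dbname: str, user: str,
                 path: Optional[str] = None, command: Optional[str] = None) -> Optional[str]:
    text = load_pgpass_text(path, command)
    return None if text is None else lookup_password(text, host, port, dbname, user)


def demo() -> dict:
    """Exercise file path, command fallback and the permission check with temp data."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pgpass = os.path.join(tmp, "pgpass")
        with open(pgpass, "w", encoding="utf-8") as f:
            f.write(SAMPLE_PGPASS)
        os.chmod(pgpass, 0o600)
        args = ("db1.example.internal", 5432, "app", "appuser")
        results["from_file"] = get_password(*args, path=pgpass)
        # Stand-in for e.g. "gpg -q -d pgpass.gpg": a command that emits the file.
        emit = "import sys; sys.stdout.write(open(sys.argv[1]).read())"
        cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(emit)} {shlex.quote(pgpass)}"
        results["from_command"] = get_password(*args, path=os.path.join(tmp, "missing"), command=cmd)
        os.chmod(pgpass, 0o644)
        try:
            get_password(*args, path=pgpass)
            results["loose_permissions_rejected"] = False
        except PermissionError:
            results["loose_permissions_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the command through `shlex.split` with no shell keeps the environment variable from being a second injection surface; the file is still read first, matching the precedence Marco describes, and a file readable by other users is refused rather than silently used.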
