Re: Storing the password in .pgpass file in an encrypted format

From: Christopher Browne <cbbrowne(at)gmail(dot)com>
To: firoz e v <firoz(dot)ev(at)huawei(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Storing the password in .pgpass file in an encrypted format
Date: 2014-02-21 15:52:06
Message-ID: CAFNqd5Uub38TAXbE6NnzxdF3Jp_QvTwgh3x8+=xZJ9rWowjzxA@mail.gmail.com
Lists: pgsql-hackers

On Fri, Feb 21, 2014 at 7:49 AM, firoz e v <firoz(dot)ev(at)huawei(dot)com> wrote:

> Hi,
>
> Is there a way to store the password in the ".pgpass" file in an encrypted
> format (for example, to be used by pg_dump)?
>
> Even though there are ways to set the permissions on .pgpass, to disallow
> any access to world or group, the security rules of many organizations
> disallow holding any kind of passwords as plain text.
>
> If there is no existing way to do this, shall we take this up as a patch?
>

As observed by others, storing the password in encrypted form in .pgpass
merely means that you need to store the password to decrypt .pgpass in
still another file that would, again, run afoul of such security policies.
There is no appetite in the community to do implementation work that is
provably useless, as it cannot accomplish what people imagine it accomplishes.

The thing you could do instead that would *look* like it is encrypted is to
use a certificate (e.g. SSL). The certificate that you'd need to put on
the client still needs to be in something that is effectively plain text
(however much it looks like nonsensical encrypted text).
--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
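
The file-permission control mentioned in the quoted question (no group or world access on .pgpass), as an added example that is not part of the original message: a small Python audit that checks the file mode and lists which connections have a stored password, without ever printing the password. The `host:port:database:user:password` layout with backslash escapes is the documented .pgpass format; the function names and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile

def split_pgpass_line(line):
    """Split one .pgpass line into fields, honouring the \\: and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))  # unescaped colon ends the field
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def audit_pgpass(path):
    """Return (mode_ok, entries); entries deliberately omit the password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode_ok = (mode & 0o077) == 0        # no group/world bits: 0600 or stricter
    entries = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if not line or line.startswith("#"):
                continue                 # blank line or comment
            fields = split_pgpass_line(line)
            if len(fields) != 5:
                continue                 # malformed line, skipped
            host, port, db, user, _password = fields
            entries.append({"host": host, "port": port, "db": db, "user": user})
    return mode_ok, entries

def demo():
    # Constructed sample file; hosts, users and passwords are made up.
    sample = "# backups\ndb1.example.test:5432:sales:backup:s3cr\\:et\n*:*:*:report:pw\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pgpass")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)            # too loose: group/world can read
        loose = audit_pgpass(path)
        os.chmod(path, 0o600)            # owner-only
        strict = audit_pgpass(path)
    return loose, strict
```

The same mode check applies to a client certificate's private key file, which is also readable by anyone who can read the account's files.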
