Hi, A possible countermeasure on Windows platform, inspired by Magnus.Thanks ;) First we remove the passphrase from the key file, making it plain. Windows provides a feature "encrypted file system", provide transparent encryption/decryption. We can log on using the account we run Postgres with and encrypt the plaintext key file. Then we logon using another non-amin account, and start postgres using "runas" service. Therefore the file is encrypted, only the Postgres acount and the recovery agent(built-in administrator by default) can read/modify it. The file will remain encrypted when restored from backup. I've tested it on my computer and it works.
cheers, Changyu --- dong changyu <[EMAIL PROTECTED]> wrote: > Hi, > I¡¯m using postgreSQL with SSL these days. The > version > I¡¯m using is 8.0.3. I found that it¡¯s impossible > to > use an encrypted key file. > When you use a protected server.key file, you will > be > prompted to input your passphrase EVERYTIME IT¡¯S > USED, not only when you start the server but also > when > a client makes a connection. So you have to leave > the > key file un-protected. I think it¡¯s a serious > vulnerability since the security relies on the > secrecy > of the private key. Without encryption, the only > thing > we can use to protect the private key is the access > control mechanism provided by the OS. > Any comments on this issue? > > cheers, > Changyu > > > > > __________________________________ > Discover Yahoo! > Have fun online with music videos, cool games, IM > and more. Check it out! > http://discover.yahoo.com/online.html > > ---------------------------(end of > broadcast)--------------------------- > TIP 6: Have you searched our list archives? > > http://archives.postgresql.org > __________________________________ Discover Yahoo! Find restaurants, movies, travel and more fun for the weekend. Check it out! http://discover.yahoo.com/weekend.html ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
