On Wed, Oct 28, 2020 at 12:02:46PM +0800, Craig Ringer wrote: > On Wed, Oct 28, 2020 at 9:43 AM Bruce Momjian <br...@momjian.us> wrote: > I have used OpenSSL with Yubikey via pksc11. You > can see the use of it on slide 57 and following: > > https://momjian.us/main/writings/crypto_hw_config.pdf#page=57 > > Interestingly, that still needed the user to type in a key to unlock the > Yubikey, so we might need PKCS11 and a password for the same server > start. > > Yes, that's possible. But in that case the passphrase will be asked for by > openssl only when required, and we'll need to supply an openssl askpass hook.
What we _will_ need is access to a /dev/tty file descriptor, and this patch does that, though it closes it as soon as the internal keys are unlocked so the terminal can be disconnected from the database processes. -- Bruce Momjian <br...@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
