On 02/21/2014 11:52 PM, Christopher Browne wrote: > > The thing you could do instead that would *look* like it is encrypted is > to use a certificate (e.g. - SSL). The certificate that you'd need to > put on the client still needs to be in something that is effectively > plain text (however much it looks like nonsensical encrypted text).
Yep, though the certificate private key may well be stored encrypted with a passphrase that must be entered via direct user interaction. It looks like doing it with OpenSSL for libpq you might be able to set a passphrase callback routine to prompt the user to decrypt a client certificate. With PgJDBC you use JSSE's keystore support. Client certificates are a *much* stronger way to do this. Another good option can be Kerberos. Either way, encrypting .pgpass seems utterly pointless. -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
