On 02/21/2014 11:52 PM, Christopher Browne wrote:
> The thing you could do instead that would *look* like it is encrypted is
> to use a certificate (e.g. - SSL).  The certificate that you'd need to
> put on the client still needs to be in something that is effectively
> plain text (however much it looks like nonsensical encrypted text).

Yep, though the certificate private key may well be stored encrypted
with a passphrase that must be entered via direct user interaction.

It looks like doing it with OpenSSL for libpq you might be able to set a
passphrase callback routine to prompt the user to decrypt a client
certificate. With PgJDBC you use JSSE's keystore support.

Client certificates are a *much* stronger way to do this. Another good
option can be Kerberos. Either way, encrypting .pgpass seems utterly

 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to