On 6/12/16 3:13 AM, Ants Aasma wrote:
5. Instead of providing passphrase through environmental variable,
> better to provide some options to pg_ctl etc.
That looks like it would be worse from a security perspective.
Integrating a passphrase prompt would be an option, but a way for
scripts to provide passphrases would still be needed.


Environment variables and command-line options are visible to other processes on the machine, so neither of these approaches is really going to work. We would need some kind of integration with secure password-entry mechanisms, such as pinentry.

Also note that all tools that work directly on the data directory would need password-entry and encryption/decryption support, including pg_basebackup, pg_controldata, pg_ctl, pg_receivexlog, pg_resetxlog, pg_rewind, pg_upgrade, pg_xlogdump.

It seems that your implementation doesn't encrypt pg_control, thus avoiding some of that. But that doesn't seem right.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to