* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
> On 1/4/17 10:57 AM, Tom Lane wrote:
> > I still maintain that the existing solution for passphrases is useless,
> > but in the interest of removing objections to the current patch, I'll
> > go make that happen.
>
> Sounds good.

Agreed, thanks.

> Looking around briefly (e.g., Apache, nginx), the standard approach
> appears to be a configuration setting that gets the password from an
> external program or file. (Although the default still appears to be to
> get from tty.)

Right, the MIT Kerberos daemon will definitely prompt for the passphrase for the master key on the terminal also. They might also have a way to get it from a program now, not sure, it's been a while, but it was a requirement from NIST 800-53 to not have unencrypted keys on the filesystem and I had to address that for the MIT Kerberos master key and the private keys for various SSL-using services.

> systemd has support for getting passwords to services without tty.

Oh, that's interesting, I wasn't aware of that.

> So if someone is interested, there is some room for enhancement here.

Agreed.

Thanks!

Stephen