On Wed, Jan 4, 2017 at 11:49 AM, Stephen Frost <sfr...@snowman.net> wrote:
>> systemd has support for getting passwords to services without tty.
>
> Oh, that's interesting, I wasn't aware of that.
>
>> So if someone is interested, there is some room for enhancement here.
>
> Agreed.

The first thing that pops into my head is that we could add a GUC ssl_cert_passphrase_command whose contents get executed as a shell command when we need a passphrase; that program is expected to emit the passphrase and nothing else on standard output and then exit(0). Blah blah logging blah blah failure handling. That's not trivial to implement if you want the postmaster to still be responsive while the command is running, but I think it could be done. (I'm not volunteering.)

Of course, if there's some sort of commonly-used library out there for this sort of thing where we can just link against it and call whatever APIs it exposes, that might be a better alternative, or something to support in addition, but I don't really know whether there's any standardization in this area.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
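
The command contract proposed above (passphrase and nothing else on standard output, then exit(0)), as an added C example that is not PostgreSQL code and not part of the original message. The function name `run_passphrase_command` is hypothetical, and the call blocks until the command exits, so it does not address the postmaster-responsiveness problem the message raises.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for popen/pclose under strict -std modes */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/*
 * Hypothetical helper: run `command` through the shell and read a single
 * passphrase from its standard output into buf (capacity `size`).
 * Returns the passphrase length, or -1 on any failure. On failure the
 * buffer is wiped so no partial secret is left for the caller to misuse.
 */
int run_passphrase_command(const char *command, char *buf, size_t size)
{
    FILE   *fh;
    size_t  len = 0;
    int     c, status, ok = 1;

    if (size == 0 || (fh = popen(command, "r")) == NULL)
        return -1;

    while ((c = fgetc(fh)) != EOF)
    {
        if (len + 1 >= size)
        {
            ok = 0;             /* too long: reject, never silently truncate */
            continue;           /* keep draining so the child can exit cleanly */
        }
        buf[len++] = (char) c;
    }
    buf[len] = '\0';

    /* The contract: exit(0) is success; signals and non-zero exits fail. */
    status = pclose(fh);
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        ok = 0;

    /* Most programs end their output with a newline; it is not part of the secret. */
    while (ok && len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        buf[--len] = '\0';

    if (!ok || len == 0)        /* an empty passphrase is treated as a failure */
    {
        memset(buf, 0, size);
        return -1;
    }
    return (int) len;
}
```
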