On Sun, Feb 19, 2017 at 1:43 PM, Michael Paquier <michael.paqu...@gmail.com>

> On Sun, Feb 19, 2017 at 8:03 PM, Magnus Hagander <mag...@hagander.net>
> wrote:
> > If password auth is used, we have to store the password in plaintext
> > equivalent somewhere. Meaning it's by definition going to be exposed to
> > superusers and replication downstreams.
> Another possibility is to mention the use of the new passfile
> parameter for connection strings in the docs... This removes the need
> to have plain passwords directly stored in the database. Not sure if
> that's better though because that still mean that the password is
> present in plain format somewhere.

That might definitely be a help, because it would be stored out of band.
But it also comes with a caveat in that when it's stored outside, it's not
included in replication (physical HA replication) so you need to maintain
it across all nodes or Bad Things can happen.

And yes, whatever you do, if you want to the system to be able to
automatically start/restart, you have to keep the password in cleartext
equivalent *somewhere*. There's no way around that.

> > Or are you suggesting a scheme
> > whereby you have to enter all your subscription passwords in a prompt of
> > some kind when starting the postmaster, to avoid it?
> Thinking about that now we could have a connection string parameter
> called for example password_command, that could be used for example
> with gpg2 to get back a decrypted password value.
We could, but we don't really have a good way to interface with that. When
the server is started with says systemd, how and where are you going to
prompt the user for the gpg passphrase? It's not like there is a console
available to pop the question up on.

It's the same basic issue as with password protected SSL certificates -
which is why people end up deploying their servers with an unprotected key.
For all services.

 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Reply via email to