On 2020-Jun-23, Tim Cross wrote: > If you need to use a password in a command line scenario (i.e. with a > script), then one way to get around the issue of not storing plain text > passwords is to use GPG. The basic model is > > - Create a GPG key and store it in a secure place, such as a keystore > - Use that GPG key to encrypt your password in a file e.g. my-secret.gpg > - In your script, you can have something like > > PWD = `gpg -q --for-your-eyes-only --no-tty -d ~/.secure/my-secret.gpg` Perhaps the way to implement this is to have .pgpass be a named pipe, and you have a program that produces lines from encrypted input after requesting a passphrase from the user -- perhaps using gpg underneath. I have vague recollections of this being discussed in the past. For example, see this thread from 2013 https://www.postgresql.org/message-id/CAAZKuFaJUfdDFp1_vGHbDfYRu0Sj6mSOVvKRp87aCQ53ov6iwA@xxxxxxxxxxxxxx -- Álvaro Herrera https://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
