On Tue, Jun 23, 2020 at 3:53 AM Alvaro Herrera <alvherre@xxxxxxxxxxxxxxx> wrote:
On 2020-Jun-23, Tim Cross wrote:
> If you need to use a password in a command line scenario (i.e. with a
> script), then one way to get around the issue of not storing plain text
> passwords is to use GPG. The basic model is
>
> - Create a GPG key and store it in a secure place, such as a keystore
> - Use that GPG key to encrypt your password in a file e.g. my-secret.gpg
> - In your script, you can have something like
>
> PWD = `gpg -q --for-your-eyes-only --no-tty -d ~/.secure/my-secret.gpg`
Perhaps the way to implement this is to have .pgpass be a named pipe,
and you have a program that produces lines from encrypted input after
requesting a passphrase from the user -- perhaps using gpg underneath.
I have vague recollections of this being discussed in the past.
For example, see this thread from 2013
https://www.postgresql.org/message-id/CAAZKuFaJUfdDFp1_vGHbDfYRu0Sj6mSOVvKRp87aCQ53ov6iwA@xxxxxxxxxxxxxx
libpq in 13 adds PQsetSSLKeyPassHook_*() which allows a low level interface for doing this for SSL. There is no fundamental reason not to have a similar hook for regular passwords, to begin with. Then on top of that we could provide built-in hooks and a way to activate them to use for example a named pipe, calling a shell, reading from terminal etc -- but then to make it possible to re-use that for both passwords and passphrases and possibly more.
