Re: How to encrypt password in pgpass file

On Wed, Feb 24, 2021 at 11:27:45AM +1100, Tim Cross <theophilusx@xxxxxxxxx> wrote:

> Vipin Madhusoodanan <vipin.madhusoodanan@xxxxxxxxx> writes:
> 
> > Hi Team,
> >
> > We have a security requirement to encrypt passwords in .pgpass file. Could you please advise on the options and steps to be followed to achieve this.
> >
> 
> Basically, don't use .pgpass. I think .pgpass should be viewed as old
> legacy solution which is not terribly compatible with today's security
> requirements. I don't think there is support for encrypting the .pgpass
> file. Even if you could encrypt the .pgpass file, you would then need to
> decrypt it with a passphrase anyway (you could have a key which has no
> passphrase, but if that is on the same system, what have you achieved
> apart from a false sense of security).
> 
> How to best solve your requirement depends on the specifics of your
> requirement. However, often you can implement something more secure by
> using environment variables which are set for the process the psql (or
> whatever) command executes in. The value for the variable can be
> obtained from a secure source, such as a keyring, ldap server, gpg
> encrypted file etc.

Sometimes, the security requirements are for
encryption-at-rest, and it doesn't particularly matter
if encryption-at-rest is actually secure against likely
threats (sadly).

For example, you could use file system encryption (e.g.
ecryptfs/LUKS/Linux, FileVault/macOS,
BitLocker/Windows). Then all of your files are
encrypted at rest, including .pgpass.

But it's only secure when the computer is powered down
(i.e. if it is physically stolen, or the disk is
physically removed). It provides no security for a
computer that is up and running, and compromised.

But that might satisfy the parties that make up the
requirements. It all depends on the threat model that
they need to address.

So it can be easy to do, but does it satisfy your
requirements? If so, encrypt the file system (and know
that it isn't secure). If not, maybe Hashicorp's Vault
product, or clevis and tang, could be used to store
passwords instead of putting them in a .pgpass file.

cheers,
raf
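The pattern Tim describes above (the password fetched from a secure source and placed only in the environment of the client process, never in ~/.pgpass), as an added example that is not code from this thread. The function names, the gpg-encrypted file path and the psql invocation in the comment are assumptions.

```shell
# Added example, not from the thread.  Run a PostgreSQL client with the
# password present only in that child process's environment, obtained
# from a secret source at run time, instead of storing it in ~/.pgpass.
# Assumed names: pg_secret_from_gpg, run_with_pg_secret, ~/.pg-secret.gpg.

# One possible secret source: a gpg-encrypted file (assumed path),
# decrypted to stdout by a gpg agent that already holds the key.
pg_secret_from_gpg() {
    gpg --quiet --batch --decrypt "${1:-$HOME/.pg-secret.gpg}"
}

# run_with_pg_secret SECRET_CMD COMMAND [ARGS...]
# Runs SECRET_CMD to obtain the password, then runs COMMAND with
# PGPASSWORD set for that child only.  The value is never exported into
# the calling shell and never appears as a command-line argument, so it
# does not show up in process listings or shell history.
run_with_pg_secret() {
    secret_cmd=$1
    shift
    pw=$($secret_cmd) || { echo "secret source failed" >&2; return 1; }
    [ -n "$pw" ] || { echo "secret source returned nothing" >&2; return 1; }
    PGPASSWORD=$pw "$@"
    rc=$?
    unset pw secret_cmd
    return $rc
}

# Typical use (assumed host and role):
#   run_with_pg_secret pg_secret_from_gpg psql -h db.example.com -U app -c 'select 1'
```

Swap pg_secret_from_gpg for any other source that writes the secret to stdout (a keyring lookup, a Vault read), and the calling function stays the same.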