raf <raf@xxxxxxx> writes: > On Wed, Feb 24, 2021 at 11:27:45AM +1100, Tim Cross <theophilusx@xxxxxxxxx> wrote: > >> Vipin Madhusoodanan <vipin.madhusoodanan@xxxxxxxxx> writes: >> >> > Hi Team, >> > >> > We have a security requirement to encrypt passwords in .pgpass file. Could you please advise on the options and steps to be followed to achieve this. >> > >> >> Basically, don't use .pgpass. I think .pgpass should be viewed as old >> legacy solution which is not terribly compatible with today's security >> requirements. I don't think there is support for encrypting the .pgpass >> file. Even if you could encrypt the .pgpass file, you would then need to >> decrypt it with a passpharase anyway (you could have a key which has no >> passpharase, but if that is on the same system, what have you achieved >> apart from a false sense of security). >> >> How to best solve your requirement depends on the specifics of your >> requirement. However, often you can implement something more secure by >> using environment variables which are set for the process the psql (or >> whatever) command executes in. The value for the variable can be >> obtained from a secure source, such as a keyring, ldap server, gpg >> encrypted file etc. > > Sometimes, the security requirements are for > encryption-at-rest, and it doesn't particularly matter > if encryption-at-rest is actually secure against likely > threats (sadly). > > For example, you could use file system encryption (e.g. > ecryptfs/LUKS/Linux, FileVault/macOS, > BitLocker/Windows). Then all of your files are > encrypted at rest, including .pgpass. > Yep, exactly why I said it depends on the specifics of your requirements. The sad truth is there are some really poor 'security experts' out there and a lot of snake oil sellers making ridiculous sums of money for providing poor advice. Often, it is just a box ticking exercise that does little to improve, sometimes even weakens, security. My guess with this one is it is probably something like "No passwords will be stored as plain text" or even worse, all passwords must be encrypted, which is funny when you think most passwords are not envrypted, but instead stored as 1-way hashes. -- Tim Cross
