Greetings, * Ron (ronljohnsonjr@xxxxxxxxx) wrote: > Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633 > perms. Normally, that's ok, but is a horrible idea when it's a plaintext > file, and stores the pgbackrest encryption password. > > Would pgbackrest (or something else) break if I change it to > postgres:postgres 600 perms? As long as it can be read by the user performing backups/restores and archive-push/archive-get, it should be fine. > Is there a better way of hiding the password so that only user postgres can > see it? This is a bit like asking how to 'hide' the encrypted private key for SSL/TLS. Anywhere you hide it, if you want things to actually work in an automated fashion, is also going to need to be available all the time.. In particular, archive-push gets run a lot and you don't want that to fail or to wait for someone to provide an encryption key. Thanks, Stephen
Attachment:
signature.asc
Description: PGP signature
