On Wed, Oct 16, 2024 at 2:25 PM <mbork@xxxxxxxx> wrote: > I'd like to be able to use psql without typing passwords again and > again. I know about `.pgpass` and PGPASSFILE, but I specifically do not > want to use it - I have the password in the `.env` file, and having it > in _two_ places comes with its own set of problems, like how to make > sure they don't get out of sync. What's wrong with PGPASSWORD? https://www.postgresql.org/docs/current/libpq-envars.html > I understand why giving the password on the command line or in an > environment variable is a security risk (because of `ps`), but I do not > understand why `psql` doesn't have an option like `--password-command` > accepting a command which then prints the password on stdout. For > example, I could then use `pass` (https://www.passwordstore.org/) with > gpg-agent. It's not psql, it's libpq, that does that, FTR. My own apps are libpq based, and inherit all its env-vars and defaults. But I'd welcome a way to store password encrypted, unlike the current mechanisms. And what you propose would allow that I guess, if I understand correctly. So +1. (and since transient better than enrypted/obfuscated passwords) > Is there any risk associated with this usage pattern? What is the > recommended practice in my case other than using `.pgpass`? Storing password in plain text? --DD
