On 2024-10-16, at 14:41, Dominique Devienne <ddevienne@xxxxxxxxx> wrote:

> On Wed, Oct 16, 2024 at 2:25 PM <mbork@xxxxxxxx> wrote:
>> I'd like to be able to use psql without typing passwords again and
>> again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
>> want to use it - I have the password in the `.env` file, and having it
>> in _two_ places comes with its own set of problems, like how to make
>> sure they don't get out of sync.
>
> What's wrong with PGPASSWORD?
> https://www.postgresql.org/docs/current/libpq-envars.html

`ps auxe` shows all processes with their environments, no?

>> I understand why giving the password on the command line or in an
>> environment variable is a security risk (because of `ps`), but I do not
>> understand why `psql` doesn't have an option like `--password-command`
>> accepting a command which then prints the password on stdout. For
>> example, I could then use `pass` (https://www.passwordstore.org/) with
>> gpg-agent.
>
> It's not psql, it's libpq, that does that, FTR.

Good point, thanks.

> My own apps are libpq based, and inherit all its env-vars and defaults.
>
> But I'd welcome a way to store password encrypted,
> unlike the current mechanisms. And what you propose
> would allow that I guess, if I understand correctly. So +1.
> (and since transient better than encrypted/obfuscated passwords)
>
>> Is there any risk associated with this usage pattern? What is the
>> recommended practice in my case other than using `.pgpass`?
>
> Storing password in plain text? --DD

You have to store it somewhere on the server where your application
(which connects to the database) lives anyway, right? I see no
significant difference wrt security between .env and .pgpass. (Though
I'm far from a security expert.)

Best,

-- 
Marcin Borkowski
https://mbork.pl
https://crimsonelevendelightpetrichor.net/
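As an added example, not from this thread and not part of psql or libpq: a small POSIX shell wrapper that approximates the `--password-command` idea discussed above. The password command's stdout is written into a short-lived private file, and only that file's path (via PGPASSFILE) ever reaches psql's environment or argv, so neither `ps` nor `ps auxe` sees the secret. `demo_password_command` is a constructed stand-in for something like `pass show <entry>`; the host, port, database and user names are placeholders. libpq rejects a password file that is group- or world-readable, which is why `mktemp` (mode 0600) is used, and `:` and `\` in the secret are escaped as the `.pgpass` format requires.

```shell
#!/bin/sh
# Hypothetical "--password-command" emulation for psql (constructed example).

# Stand-in for a real password command such as `pass show db/app`.
# Constructed value; contains a colon to exercise the escaping below.
demo_password_command() {
    printf 'se:cret\n'
}

# make_pgpass_file HOST PORT DB USER PASSWORD_COMMAND [ARGS...]
# Writes one .pgpass line to a fresh mode-0600 temp file and prints its path.
make_pgpass_file() {
    host=$1; port=$2; db=$3; user=$4; shift 4
    # mktemp creates the file with mode 0600, which libpq requires.
    f=$(mktemp "${TMPDIR:-/tmp}/pgpass.XXXXXX") || return 1
    # Capture the secret from the command's stdout; it never appears in
    # this script's argv or in any exported variable.
    pw=$("$@") || { rm -f "$f"; return 1; }
    # .pgpass treats ':' as a field separator; escape ':' and '\' with '\'.
    pw=$(printf '%s' "$pw" | sed 's/\\/\\\\/g; s/:/\\:/g')
    printf '%s:%s:%s:%s:%s\n' "$host" "$port" "$db" "$user" "$pw" > "$f"
    printf '%s\n' "$f"
}

# psql_with_password_command HOST PORT DB USER PASSWORD_COMMAND [ARGS...]
# Runs psql with PGPASSFILE pointing at the temp file, then removes the file.
psql_with_password_command() {
    host=$1; port=$2; db=$3; user=$4; shift 4
    f=$(make_pgpass_file "$host" "$port" "$db" "$user" "$@") || return 1
    # Only the path is exported; psql/libpq reads the secret from the file.
    PGPASSFILE="$f" psql -h "$host" -p "$port" -U "$user" "$db"
    rc=$?
    rm -f "$f"
    return $rc
}

# Usage (placeholders):
#   psql_with_password_command db.example.internal 5432 appdb app demo_password_command
```

The file still exists on disk for the lifetime of the psql session, so the trade-off is the same one the thread identifies for `.pgpass`: the secret is readable by anyone who can read that user's files. What the wrapper removes is the additional exposure through the process table and inherited environment.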