Service configuration file and password security

Started by JP Jacoupy, about 9 years ago, 3 messages, general
#1 JP Jacoupy
jpjacoupy@protonmail.com

Hello,

This might seem a pretty novice question but I can't find an answer.

Can the password be stored in an encrypted way inside a service configuration file?

--
Jacoupy Jean-Philippe

Sent from [ProtonMail](https://protonmail.ch), encrypted email based in Switzerland.

#2 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: JP Jacoupy (#1)
Re: Service configuration file and password security

On 02/16/2017 05:57 AM, JP Jacoupy wrote:

> Hello,
>
> This might seem a pretty novice question but I can't find an answer.
>
> Can the password be stored in an encrypted way inside a service
> configuration file?

To be clear you are talking about this, correct?:

https://www.postgresql.org/docs/9.6/static/libpq-pgservice.html

If so then no as I understand it. Assuming you have password
authentication set up to md5, libpq takes care of doing the md5-hash
before sending it to the server. You do have the following options:

1) https://www.postgresql.org/docs/9.6/static/libpq-pgpass.html

2) https://www.postgresql.org/docs/9.6/static/libpq-envars.html

PGPASSWORD behaves the same as the password connection parameter. Use of
this environment variable is not recommended for security reasons, as
some operating systems allow non-root users to see process environment
variables via ps; instead consider using the ~/.pgpass file (see Section
32.15).

PGPASSFILE specifies the name of the password file to use for lookups.
If not set, it defaults to ~/.pgpass (see Section 32.15).

3) And coming in version 10:
http://paquier.xyz/postgresql-2/postgres-10-pgpassfile-connection/

> --
> Jacoupy Jean-Philippe
>
> Sent from ProtonMail <https://protonmail.ch>, encrypted email based in
> Switzerland.

--
Adrian Klaver
adrian.klaver@aklaver.com

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3 Francisco Olarte
folarte@peoplecall.com
In reply to: JP Jacoupy (#1)
Re: Service configuration file and password security

On Thu, Feb 16, 2017 at 2:57 PM, JP Jacoupy <jpjacoupy@protonmail.com> wrote:

> Can the password be stored in an encrypted way inside a service
> configuration file?

There is not

Passwords are not stored in the ( sometimes shared, world readable )
service configuration file ( pg_service ), but in the UNREADABLE FOR
OTHERS password file. They need to be stored in a way which libpq and
friends can use, so even if they were encrypted they could be
extracted easily by just debugging and setting a breakpoint in it.

If you are looking at something like a password store with a master
password, at least in unix a user account with a .pgpass file works as
it. You store every password in a file readable by a user, .pgpass, and
you use that user's login credentials to get access to it.

Francisco Olarte.
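
Added example, not part of the thread or of PostgreSQL: a small audit for the layout the replies describe, flagging any service-file section that carries a password parameter and any password file that group or other users can access (on Unix, libpq ignores a .pgpass with such permissions). The function names, host names and file contents are constructed for illustration, and the check assumes Unix mode bits.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: a service file where one section embeds a password.
SAMPLE_SERVICE = """\
[reporting]
host=db.example.internal
user=report_ro

[legacy]
host=db.example.internal
password=constructed-secret
"""
# Constructed .pgpass entry: hostname:port:database:username:password
SAMPLE_PGPASS = "db.example.internal:5432:sales:report_ro:constructed-secret\n"


def services_with_password(path):
    """Names of service sections that carry a plaintext password parameter."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    return [s for s in parser.sections() if parser.has_option(s, "password")]


def password_file_findings(path):
    """Permission problems on a .pgpass-style file (Unix mode bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["group/other access (mode %04o)" % mode]
    return []


def demo():
    """Run both checks on the constructed samples in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        svc, pgpass = os.path.join(d, "pg_service.conf"), os.path.join(d, "pgpass")
        for p, text in ((svc, SAMPLE_SERVICE), (pgpass, SAMPLE_PGPASS)):
            with open(p, "w") as f:
                f.write(text)
        os.chmod(pgpass, 0o644)  # too permissive: readable by group and others
        loose = password_file_findings(pgpass)
        os.chmod(pgpass, 0o600)  # owner-only, as the password file requires
        return services_with_password(svc), loose, password_file_findings(pgpass)


if __name__ == "__main__":
    print(demo())
```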
