pgbackrest - hiding the encryption password

Greetings,

* Ron (ronljohnsonjr@gmail.com) wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633
perms.  Normally, that's ok, but is a horrible idea when it's a plaintext
file, and stores the pgbackrest encryption password.

Would pgbackrest (or something else) break if I change it to
postgres:postgres 600 perms?

As long as it can be read by the user performing backups/restores and
archive-push/archive-get, it should be fine.

Is there a better way of hiding the password so that only user postgres can
see it?

This is a bit like asking how to 'hide' the encrypted private key for
SSL/TLS. Anywhere you hide it, if you want things to actually work in
an automated fashion, is also going to need to be available all the
time.. In particular, archive-push gets run a lot and you don't want
that to fail or to wait for someone to provide an encryption key.

Thanks,

Stephen

On 5/19/21 1:49 PM, Ron wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and
633 perms.  Normally, that's ok, but is a horrible idea when it's a
plaintext file, and stores the pgbackrest encryption password.

Would pgbackrest (or something else) break if I change it to
postgres:postgres 600 perms?

Nothing will break as far as I know. As long as pgbackrest can read the
file it will be happy.

Is there a better way of hiding the password so that only user postgres
can see it?

You could use an environment variable in postgres' environment, see
https://pgbackrest.org/command.html#introduction.

In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx

Regards,
--
-David
david@pgmasters.net

On 5/19/21 1:33 PM, Stephen Frost wrote:

Greetings,

* Ron (ronljohnsonjr@gmail.com) wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633
perms.  Normally, that's ok, but is a horrible idea when it's a plaintext
file, and stores the pgbackrest encryption password.

Would pgbackrest (or something else) break if I change it to
postgres:postgres 600 perms?

As long as it can be read by the user performing backups/restores and
archive-push/archive-get, it should be fine.

Is there a better way of hiding the password so that only user postgres can
see it?

This is a bit like asking how to 'hide' the encrypted private key for
SSL/TLS. Anywhere you hide it, if you want things to actually work in
an automated fashion, is also going to need to be available all the
time.. In particular, archive-push gets run a lot and you don't want
that to fail or to wait for someone to provide an encryption key.

That's what I figured.  Thanks.

--
Angular momentum makes the world go 'round.

On 5/19/21 1:34 PM, David Steele wrote:

On 5/19/21 1:49 PM, Ron wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and
633 perms.  Normally, that's ok, but is a horrible idea when it's a
plaintext file, and stores the pgbackrest encryption password.

Would pgbackrest (or something else) break if I change it to
postgres:postgres 600 perms?

Nothing will break as far as I know. As long as pgbackrest can read the
file it will be happy.

Is there a better way of hiding the password so that only user postgres
can see it?

You could use an environment variable in postgres' environment, see
https://pgbackrest.org/command.html#introduction.

In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx

Similarly there's PGBACKREST_REPO1_CIPHER_TYPE?

--
Angular momentum makes the world go 'round.

On 5/19/21 1:34 PM, David Steele wrote:

On 5/19/21 1:49 PM, Ron wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and
633 perms.  Normally, that's ok, but is a horrible idea when it's a
plaintext file, and stores the pgbackrest encryption password.

Would pgbackrest (or something else) break if I change it to
postgres:postgres 600 perms?

Nothing will break as far as I know. As long as pgbackrest can read the
file it will be happy.

Is there a better way of hiding the password so that only user postgres
can see it?

You could use an environment variable in postgres' environment, see
https://pgbackrest.org/command.html#introduction.

In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx

Regards,

That worked after I exported the environment variables.

--
Angular momentum makes the world go 'round.

On 5/19/21 2:48 PM, Ron wrote:

On 5/19/21 1:34 PM, David Steele wrote:

On 5/19/21 1:49 PM, Ron wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root
and 633 perms.  Normally, that's ok, but is a horrible idea when it's
a plaintext file, and stores the pgbackrest encryption password.

Would pgbackrest (or something else) break if I change it to
postgres:postgres 600 perms?

Nothing will break as far as I know. As long as pgbackrest can read
the file it will be happy.

Is there a better way of hiding the password so that only user
postgres can see it?

You could use an environment variable in postgres' environment, see
https://pgbackrest.org/command.html#introduction.

In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx

Similarly there's PGBACKREST_REPO1_CIPHER_TYPE?

All options can be set through the environment. See the link for details.

Regards,
--
-David
david@pgmasters.net

On 2021-05-19 12:49:42 -0500, Ron wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633
perms.

Did you mean 644? 633 would be very strange permissions (write and
execute but not read for group and others).

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"

On 5/22/21 5:52 AM, Peter J. Holzer wrote:

On 2021-05-19 12:49:42 -0500, Ron wrote:

Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633
perms.

Did you mean 644? 633 would be very strange permissions (write and
execute but not read for group and others).

Yes, I noticed that later. :)

--
Angular momentum makes the world go 'round.