Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1t16vf-00EmUD-RH for pgsql-general@arkaria.postgresql.org; Wed, 16 Oct 2024 16:31:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1t16vd-005kiF-V8 for pgsql-general@arkaria.postgresql.org; Wed, 16 Oct 2024 16:31:18 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1t16hv-005WIo-O2 for pgsql-general@lists.postgresql.org; Wed, 16 Oct 2024 16:17:08 +0000 Received: from mail.mojserwer.eu ([195.110.48.8]) by makus.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1t16ht-001CpP-0w for pgsql-general@postgresql.org; Wed, 16 Oct 2024 16:17:06 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.mojserwer.eu (Postfix) with ESMTP id 1EB802271594; Wed, 16 Oct 2024 18:17:02 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mail.mojserwer.eu Received: from mail.mojserwer.eu ([127.0.0.1]) by localhost (mail.mojserwer.eu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PU-ySTTO9WHC; Wed, 16 Oct 2024 18:16:58 +0200 (CEST) Received: from localhost (unknown [89.151.23.235]) by mail.mojserwer.eu (Postfix) with ESMTPSA id ADACA18CB427; Wed, 16 Oct 2024 18:16:58 +0200 (CEST) From: mbork@mbork.pl To: Dominique Devienne Cc: pgsql-general@postgresql.org Subject: Re: What are best practices wrt passwords? In-Reply-To: (Dominique Devienne's message of "Wed, 16 Oct 2024 14:41:47 +0200") References: <87o73kgzkd.fsf@mbork.pl> Date: Wed, 16 Oct 2024 18:16:57 +0200 Message-ID: <87frowggzq.fsf@mbork.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2024-10-16, at 14:41, Dominique Devienne wrote: > On Wed, Oct 16, 2024 at 2:25=E2=80=AFPM wrote: >> I'd like to be able to use psql without typing passwords again and >> again. I know about `.pgpass` and PGPASSFILE, but I specifically do not >> want to use it - I have the password in the `.env` file, and having it >> in _two_ places comes with its own set of problems, like how to make >> sure they don't get out of sync. > > What's wrong with PGPASSWORD? > https://www.postgresql.org/docs/current/libpq-envars.html `ps auxe` shows all processes with their environments, no? >> I understand why giving the password on the command line or in an >> environment variable is a security risk (because of `ps`), but I do not >> understand why `psql` doesn't have an option like `--password-command` >> accepting a command which then prints the password on stdout. For >> example, I could then use `pass` (https://www.passwordstore.org/) with >> gpg-agent. > > It's not psql, it's libpq, that does that, FTR. Good point, thanks. > My own apps are libpq based, and inherit all its env-vars and defaults. > > But I'd welcome a way to store password encrypted, > unlike the current mechanisms. And what you propose > would allow that I guess, if I understand correctly. So +1. > (and since transient better than enrypted/obfuscated passwords) > >> Is there any risk associated with this usage pattern? What is the >> recommended practice in my case other than using `.pgpass`? > > Storing password in plain text? --DD You have to store it somewhere on the server where your application (which connects to the database) lives anyway, right? I see no significant difference wrt security between .env and .pgpass. (Though I'm far from a security expert.) Best, --=20 Marcin Borkowski https://mbork.pl https://crimsonelevendelightpetrichor.net/