public inbox for [email protected]
help / color / mirror / Atom feedFrom: [email protected]
To: [email protected]
Subject: What are best practices wrt passwords?
Date: Wed, 16 Oct 2024 11:35:46 +0200
Message-ID: <[email protected]> (raw)
Hello all,
I'd like to be able to use psql without typing passwords again and
again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
want to use it - I have the password in the `.env` file, and having it
in _two_ places comes with its own set of problems, like how to make
sure they don't get out of sync.
I understand why giving the password on the command line or in an
environment variable is a security risk (because of `ps`), but I do not
understand why `psql` doesn't have an option like `--password-command`
accepting a command which then prints the password on stdout. For
example, I could then use `pass` (https://www.passwordstore.org/) with
gpg-agent.
Is there any risk associated with this usage pattern? What is the
recommended practice in my case other than using `.pgpass`?
Thanks in advance,
P.S. Please CC me in replies, since I'm not subscribed to the list.
Thanks.
--
Marcin Borkowski
https://mbork.pl
https://crimsonelevendelightpetrichor.net/
view thread (4+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected]
Subject: Re: What are best practices wrt passwords?
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox