From: mbork@mbork.pl
To: pgsql-general@postgresql.org
Subject: What are best practices wrt passwords?
Date: Wed, 16 Oct 2024 11:35:46 +0200
Message-ID: <87o73kgzkd.fsf@mbork.pl>

Hello all,

I'd like to be able to use psql without typing passwords again and again.

I know about `.pgpass` and PGPASSFILE, but I specifically do not want to use it - I have the password in the `.env` file, and having it in _two_ places comes with its own set of problems, like how to make sure they don't get out of sync.

I understand why giving the password on the command line or in an environment variable is a security risk (because of `ps`), but I do not understand why `psql` doesn't have an option like `--password-command` accepting a command which then prints the password on stdout. For example, I could then use `pass` (https://www.passwordstore.org/) with gpg-agent. Is there any risk associated with this usage pattern?

What is the recommended practice in my case other than using `.pgpass`?

Thanks in advance,

P.S. Please CC me in replies, since I'm not subscribed to the list. Thanks.

-- 
Marcin Borkowski
https://mbork.pl
https://crimsonelevendelightpetrichor.net/
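One way to get the `--password-command` behaviour the post asks for with the psql that exists today, as an added example that is not from the original post or from PostgreSQL itself: a POSIX sh wrapper that runs a password command (such as `pass show ...`) and hands its output to libpq through a short-lived, mode 0600 file named by `PGPASSFILE`, so the secret appears neither on psql's command line nor in its environment. The `pass` entry name and the host, user and database names in the usage comment are placeholders, not values from the post.

```shell
#!/bin/sh
# Hypothetical wrapper (not part of psql): obtain the password from a command
# and pass it to psql via a private temp file in PGPASSFILE. libpq reads the
# file itself, so the password is on neither the command line nor in psql's
# environment, and the file is deleted as soon as the command finishes.
# Assumed usage (placeholder names):
#   with_pgpass 'pass show db/app' -- psql -h db.example -U app mydb

# Build one .pgpass line. libpq requires ':' and '\' inside a field to be
# escaped with a backslash; '*' in a field matches any host/port/db/user.
pgpass_line() {
    host=$1 port=$2 db=$3 user=$4 pw=$5
    printf '%s:%s:%s:%s:%s\n' "$host" "$port" "$db" "$user" \
        "$(printf '%s' "$pw" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g')"
}

# Run CMD... with PGPASSFILE pointing at a 0600 temp file that holds the
# password printed by PASSWORD_CMD. Body is a subshell so umask and the
# cleanup trap do not leak into the caller's shell.
with_pgpass() (
    password_cmd=$1; shift
    [ "$1" = "--" ] && shift
    umask 077                                  # temp file is created 0600
    tmpdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmpdir"' EXIT HUP INT TERM  # remove file on exit/signal
    pgpassfile="$tmpdir/pgpass"
    pw=$(sh -c "$password_cmd") || exit 1      # password command failed
    pgpass_line '*' '*' '*' '*' "$pw" > "$pgpassfile"
    status=0
    PGPASSFILE=$pgpassfile "$@" || status=$?   # env var only for this command
    exit "$status"
)
```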