Re: scram-sha-256 encrypted password in pgpass

Greetings,

* Pavan Kumar (pavan.dba27@gmail.com) wrote:
> > What would be the point of storing the encrypted password instead of the
> > plaintext one?
> As per our organization security policies, we can 't keep any  passwords in
> plain text format.

Then you need to *actually* encrypt the password in whatever file you'd
like, and then decrypt it using a key from somewhere when you go to
connect to PG and use it to connect to PG.

Anything that doesn't involve some key from somewhere being used to
decrypt it isn't actually meeting your organization's security policies,
certainly not anything that's just dumping whatever into .pgpass and
then allowing you to connect.

> I am working on postgres + pgbouncer setup, tested pgbouncer 1.14 where we
> have support to use encrypted password in userlist,txt file. I am
> surprised why  pgpass is not supporting encrypted passwords.

I'm not sure what you mean here, but I'm pretty confident it's not
actually what you think.  If you can directly connect with it, without
providing some kind of additional key, then it's, pretty much by
definition, not encrypted.

Thanks,

Stephen