Re: Internal key management system
From | Bruce Momjian
---|---
Subject | Re: Internal key management system
Date |
Msg-id | 20201028182916.GA3239@momjian.us
In reply to | Re: Internal key management system (Craig Ringer <craig.ringer@enterprisedb.com>)
Responses | Re: Internal key management system
List | pgsql-hackers
On Wed, Oct 28, 2020 at 12:02:46PM +0800, Craig Ringer wrote:
> On Wed, Oct 28, 2020 at 9:43 AM Bruce Momjian <bruce@momjian.us> wrote:
> > I have used OpenSSL with Yubikey via PKCS11. You
> > can see the use of it on slide 57 and following:
> >
> > https://momjian.us/main/writings/crypto_hw_config.pdf#page=57
> >
> > Interestingly, that still needed the user to type in a key to unlock the
> > Yubikey, so we might need PKCS11 and a password for the same server
> > start.
>
> Yes, that's possible. But in that case the passphrase will be asked for by
> openssl only when required, and we'll need to supply an openssl askpass hook.

What we _will_ need is access to a /dev/tty file descriptor, and this patch
does that, though it closes it as soon as the internal keys are unlocked so
the terminal can be disconnected from the database processes.

--
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee