Re: pgbackrest - hiding the encryption password
| От | Ron |
|---|---|
| Тема | Re: pgbackrest - hiding the encryption password |
| Дата | |
| Msg-id | 601786c6-f601-81d1-0cff-5bdd783c96dd@gmail.com обсуждение исходный текст |
| Ответ на | Re: pgbackrest - hiding the encryption password (Stephen Frost <sfrost@snowman.net>) |
| Список | pgsql-general |
On 5/19/21 1:33 PM, Stephen Frost wrote: > Greetings, > > * Ron (ronljohnsonjr@gmail.com) wrote: >> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 633 >> perms. Normally, that's ok, but is a horrible idea when it's a plaintext >> file, and stores the pgbackrest encryption password. >> >> Would pgbackrest (or something else) break if I change it to >> postgres:postgres 600 perms? > As long as it can be read by the user performing backups/restores and > archive-push/archive-get, it should be fine. > >> Is there a better way of hiding the password so that only user postgres can >> see it? > This is a bit like asking how to 'hide' the encrypted private key for > SSL/TLS. Anywhere you hide it, if you want things to actually work in > an automated fashion, is also going to need to be available all the > time.. In particular, archive-push gets run a lot and you don't want > that to fail or to wait for someone to provide an encryption key. That's what I figured. Thanks. -- Angular momentum makes the world go 'round.
В списке pgsql-general по дате отправления: