In my extension pgsodium I'm defining a custom variable at startup to store a key:
I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE, and a custom "no show" show hook that obscures the value. This idea was inspired from the pgcryptokey module from Bruce Momjian.
The value cannot be shown either with SHOW or current_setting() and it does not appear in pg_settings. From what I can tell, the value is inaccessible from SQL, but I think it's worth asking the experts if there is some other demonstrable way, from SQL, that this value could be leaked even to a superuser. no sql level user should be able to see this value, only a C function, like the pgsodium_derive() from which to derive other keys, should be able to see it. I realize that someone with external process access can get the key, my goal is to prevent accessing it from SQL.
Any thoughts on weaknesses to this approach would be welcome. Thanks!
-Michel