Re: pgbackrest - hiding the encryption password

On 5/19/21 1:49 PM, Ron wrote:
> 
> Currently on our RHEL 7.8 system, /etc/pgbackrest.conf is root:root and 
> 633 perms.  Normally, that's ok, but is a horrible idea when it's a 
> plaintext file, and stores the pgbackrest encryption password.
> 
> Would pgbackrest (or something else) break if I change it to 
> postgres:postgres 600 perms?

Nothing will break as far as I know. As long as pgbackrest can read the 
file it will be happy.

> Is there a better way of hiding the password so that only user postgres 
> can see it?

You could use an environment variable in postgres' environment, see 
https://pgbackrest.org/command.html#introduction.

In this case it would be PGBACKREST_REPO1_CIPHER_PASS=xxx

Regards,
-- 
-David
david@pgmasters.net