Re: Internal key management system
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Craig Ringer <craig.ringer@enterprisedb.com>
Cc: Masahiko Sawada <masahiko.sawada@2ndquadrant.com>, Fabien COELHO <coelho@cri.ensmp.fr>, Cary Huang <cary.huang@highgo.ca>, Ahsan Hadi <ahsan.hadi@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, "Moon, Insung" <tsukiwamoon.pgsql@gmail.com>, Robert Haas <robertmhaas@gmail.com>, Sehrope Sarkuni <sehrope@jackdb.com>, cary huang <hcary328@gmail.com>, Ibrar Ahmed <ibrar.ahmad@gmail.com>, Joe Conway <mail@joeconway.com>
Date: 2020-10-28T19:12:19Z
Lists: pgsql-hackers
On Wed, Oct 28, 2020 at 02:29:16PM -0400, Bruce Momjian wrote: > On Wed, Oct 28, 2020 at 12:02:46PM +0800, Craig Ringer wrote: > > Yes, that's possible. But in that case the passphrase will be asked for by > > openssl only when required, and we'll need to supply an openssl askpass hook. > > What we _will_ need is access to a /dev/tty file descriptor, and this > patch does that, though it closes it as soon as the internal keys are > unlocked so the terminal can be disconnected from the database > processes. FYI, the file descriptor facility will eventually allow for SSL certificate unlocking passwords to be prompted from the terminal, instead of requiring the use of ssl_passphrase_command, but let's get the facility fully completed first. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee