
I am trying to deploy PostgreSQL with a CA-signed SSL certificate and key (with a passphrase). When I try to start the pgsql service, it expects the PEM password, but that does not work in an interactive way.

Do we have any non-interactive way to provide the SSL passphrase? (Automatic restart or stop will not work otherwise.)

  1. I found this article, How to enable SSL in PostgreSQL/PPAS, which refers to using pg_ctl start -w so that the service will ask for the SSL key passphrase.

  2. I also found this article, PostgreSQL with passphrase-protected SSL keys under systemd, which talks about using ssl_passphrase_command, but that also asks for the PEM passphrase interactively.

Thanks

Gineesh
  • You can put the password in a file and then use `ssl_passphrase_command` to read it from that file. BUT if you store the passphrase on the machine then you might as well not have it. – Richard Huxton Dec 14 '21 at 11:29
  • @RichardHuxton Thank you. Yeah, that is the issue. I think an SSL key without a passphrase is better than keeping a password in a plaintext file somewhere on the machine. – Gineesh Dec 14 '21 at 12:33

1 Answer

You can set the following PostgreSQL parameters:

ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_passphrase_command = 'echo "mypassword"'
ssl_passphrase_command_supports_reload = on

Here, echo is an operating system command that just echoes its argument. You will have to escape special characters like ' or " in the password.

Laurenz Albe
  • @laurence-albe Thank you. Yeah, but the passphrase is open as plain text, right? I think an SSL key without a passphrase is better than keeping a password in a plaintext file somewhere on the machine. Am I wrong? – Gineesh Dec 14 '21 at 12:36
  • You are right. But there is no real safe way to do this if you want the server to start automatically, short of an HSM or some such advanced hardware device. And the flexibility of `ssl_passphrase_command` should be enough to cater for all eventualities. – Laurenz Albe Dec 14 '21 at 13:02
  • Yeah exactly. I am still checking around. – Gineesh Dec 15 '21 at 14:21
  • @LaurenzAlbe how would you make it read from an environment variable, though? `echo "$SSL_PASS"` seems to be saying bad decrypt. But `echo "actualPass"` itself works (actualPass is the SSL password). – jake wong Apr 08 '23 at 07:11
  • @jakewong Using an environment variable should work, as long as you set that variable in the environment of the PostgreSQL server (not the interactive shell). – Laurenz Albe Apr 08 '23 at 11:41
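A worked alternative to `echo "mypassword"` that follows the file-based variant Richard Huxton mentions in the comments, written here as an added example (it is not code from the answer or from the PostgreSQL project): a POSIX shell wrapper meant to be set as the `ssl_passphrase_command`. PostgreSQL takes whatever the command writes to standard output as the passphrase (a trailing newline is stripped) and treats a non-zero exit status as a failure to load the key. The script therefore prints the first line of a passphrase file only if that file exists and is not group- or world-readable, and otherwise exits non-zero with a message on stderr, so the server logs why the key could not be unlocked instead of silently getting an empty passphrase. The file path, the `PG_SSL_PASSPHRASE_FILE` override and the mode policy are this example's own choices. Because the file contents are printed verbatim, the quoting problem with special characters in the echo form does not arise.

```shell
#!/bin/sh
# Added example wrapper for PostgreSQL's ssl_passphrase_command, e.g. in postgresql.conf:
#   ssl_passphrase_command = '/usr/local/bin/pg_ssl_passphrase.sh'
#   ssl_passphrase_command_supports_reload = on
# Assumptions (not PostgreSQL defaults): the passphrase lives in a file owned by the
# PostgreSQL OS user, one line, mode 0400 or 0600; the path can be overridden through
# the PG_SSL_PASSPHRASE_FILE environment variable of the server process.

PASSPHRASE_FILE="${PG_SSL_PASSPHRASE_FILE:-/etc/postgresql/ssl/server.key.pass}"

# read_passphrase FILE
# Prints the first line of FILE to stdout.
# Exit status: 0 on success, 1 if the file is missing, 2 if its mode is too permissive.
read_passphrase() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "passphrase file missing: $f" >&2
        return 1
    fi
    # Octal mode without leading zero, e.g. 600. GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        400|600) ;;
        *)
            echo "refusing: $f has mode ${mode:-unknown}, expected 0400 or 0600" >&2
            return 2
            ;;
    esac
    # Print the passphrase verbatim; PostgreSQL strips the trailing newline itself.
    head -n 1 "$f"
}

# Act as the passphrase command only when executed under the installed name, so the
# functions above can also be sourced without side effects.
case "${0##*/}" in
    pg_ssl_passphrase.sh) read_passphrase "$PASSPHRASE_FILE" ;;
esac
```

Install the script as `/usr/local/bin/pg_ssl_passphrase.sh`, make it executable, and create the passphrase file as the PostgreSQL OS user with mode 0400. This does not change the trade-off discussed above: the secret is still on the machine, only outside postgresql.conf and protected by file permissions rather than sitting inside the server configuration.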