On Tue, Jun 13, 2017 at 12:23 PM, Stephen Frost <sfr...@snowman.net> wrote: > Key management is an entirely independent discussion from this and the > proposal from Ants, as I understand it, is that the key would *not* be > in the database but could be anywhere that a shell command could get it > from, including possibly a HSM (hardware device).
Yes. I think the right way to implement this is something like: 1. Have a GUC that runs a shell command to get the key. 2. If the command successfully gets the key, it prints it to stdout and returns 0. 3. If it doesn't get successfully get the key, it returns 1. The database can retry or give up, whatever we decide to do. That way, if the user wants to store the key in an unencrypted text file, they can set the encryption_key_command = 'cat /not/very/secure' and call it a day. If they want to prompt the user on the console or request the key from an HSM or get it in any other way, they just have to write the appropriate shell script. We just provide mechanism, not policy, and the user can adopt any policy they like, from an extremely insecure policy to one suitable for Fort Knox. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers