On Mon, Oct 26, 2020 at 10:05:10PM +0800, Craig Ringer wrote:
> For example if I want to lock my database with a YubiHSM I would configure
> something like:
>
> cluster_encryption_key = 'pkcs11:token=YubiHSM;id=0:0001;type=private'
Well, openssl uses a prefix before the password string, e.g.:

* pass:password
* env:var
* file:pathname
* fd:number
* stdin

See 'man openssl'. I always thought that API was ugly, but I now see the
value in it. We could implement a 'command:' prefix now, and maybe a
'pass:' one, and allow other methods like 'pkcs11' later.

I can also imagine using the 'file' one to allow the key to be placed on an
encrypted file system that has to be mounted for Postgres to start. You
could also have the key on a USB device that has to be inserted to be used,
and the 'file' is on the USB key --- seems clearer than having to create a
script to 'cat' the file.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee
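As an added illustration (not code from this thread or from PostgreSQL), here is a small resolver for the openssl-style prefixes listed above plus the proposed 'command:' one; the function names, the first-line handling and the refusal of group/world-readable key files are my own assumptions about how such a setting could be handled safely.

```python
import os
import shlex
import stat
import subprocess
import sys

# Hypothetical resolver for an openssl-style key source string (constructed for
# this example; not PostgreSQL code). Handles the prefixes named in the thread,
# pass:, env:, file:, fd:, stdin, plus the proposed command: prefix.


def _first_line(raw: bytes) -> bytes:
    """Treat only the first line as key material (drops trailing newlines)."""
    return raw.split(b"\n", 1)[0].rstrip(b"\r")


def _read_key_file(path: str) -> bytes:
    # A key file readable by other users defeats encryption at rest, so refuse
    # anything with group or world permission bits set (checked via stat, not access).
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be group- or world-accessible")
    with open(path, "rb") as f:
        return _first_line(f.read())


def resolve_key_source(spec: str, stdin=None) -> bytes:
    """Return the key bytes named by spec, e.g. 'file:/run/pg/key' or 'env:PGKEY'."""
    if spec == "stdin":
        return _first_line((stdin or sys.stdin.buffer).readline())
    prefix, sep, arg = spec.partition(":")
    if not sep:
        raise ValueError(f"key source needs a prefix: {spec!r}")
    if prefix == "pass":
        # Secret sits in the config file itself: weakest option, kept for openssl parity.
        return arg.encode()
    if prefix == "env":
        if arg not in os.environ:
            raise ValueError(f"environment variable {arg} is not set")
        return os.environ[arg].encode()
    if prefix == "file":
        return _read_key_file(arg)
    if prefix == "fd":
        with os.fdopen(int(arg), "rb", closefd=False) as f:
            return _first_line(f.readline())
    if prefix == "command":
        # Run the configured program and treat its first output line as the key.
        proc = subprocess.run(shlex.split(arg), capture_output=True, check=True)
        return _first_line(proc.stdout)
    # Anything else (e.g. the pkcs11: URI quoted above) is a method to add later.
    raise ValueError(f"unsupported key source prefix {prefix!r}")
```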