On Wed, Dec 16, 2020 at 01:42:57PM -0500, Bruce Momjian wrote:
> On Wed, Dec 16, 2020 at 06:07:26PM +0000, Alastair Turner wrote:
> > Hi Bruce
> >
> > On Wed, 16 Dec 2020 at 00:12, Bruce Momjian <br...@momjian.us> wrote:
> > >
> > > ...
> > >
> > > The second approach is to make a new API for what you want....
> >
> > I am trying to motivate for an alternate API. Specifically, an API
> > which allows any potential adopter of Postgres and Cluster File
> > Encryption to adopt them without having to accept any particular
> > approach to key management, key derivation, wrapping, validation, etc.
> > A passphrase key-wrapper with validation will probably be very useful
> > to a lot of people, but making it mandatory and requiring twists and
> > turns to integrate with already-established security infrastructure
> > sounds like a barrier to adoption.
>
> Attached is a script that uses the AWS Secrets Manager, and it does key
> rotation with the new pg_altercpass tool too, just like all the other
> methods.
Attached is an improved script that does not pass the secret on the
command line.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee
Attachment: pass_aws.sh (Bourne shell script)
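The attached pass_aws.sh is not reproduced in the archive. The following is an added example, not Bruce's script, that shows the one point the message makes: fetch the cluster file encryption passphrase from AWS Secrets Manager and hand it to the consuming program on stdin, so the secret never appears in argv (where `ps`, /proc/<pid>/cmdline and shell history would expose it). The secret id, and the assumption that the consumer reads the passphrase from standard input, are mine; `aws secretsmanager get-secret-value --query SecretString --output text` is the standard AWS CLI invocation, and `pg_altercpass` is deliberately not invoked because its command line is not shown in the thread.

```shell
#!/bin/sh
# Added example; not the pass_aws.sh attached to the mail.
# Fetch a cluster file encryption passphrase from AWS Secrets Manager and
# hand it to a consumer on stdin, so the secret never appears in argv.
# Assumptions (not from the thread): the secret id below, and that the
# consumer reads the passphrase from standard input.
set -eu
# Never 'set -x' in a script like this: xtrace would echo the secret to stderr.

SECRET_ID="${SECRET_ID:-postgres/cluster-file-encryption}"

# Print the secret's string value on stdout and nothing else.
# Credentials and region come from the usual AWS CLI sources
# (instance profile, environment, ~/.aws/config).
get_secret() {
    aws secretsmanager get-secret-value \
        --secret-id "$1" \
        --query SecretString \
        --output text
}

# Run the consumer command given in "$@" with the secret on its stdin.
# The secret is fetched into a shell variable first so that a failed fetch
# aborts under 'set -e' (a failure inside a plain pipeline would be masked
# by the consumer's exit status in shells without pipefail).  It is then
# written through printf, a shell builtin in dash, bash and ksh, so it is
# never an argument of any external process.
deliver_secret() {
    _id=$1
    shift
    _secret=$(get_secret "$_id")
    # The AWS CLI prints "None" for a secret stored as SecretBinary rather
    # than SecretString; treat that, and an empty value, as a failure.
    if [ -z "$_secret" ] || [ "$_secret" = None ]; then
        echo "no string secret available for $_id" >&2
        return 1
    fi
    printf '%s\n' "$_secret" | "$@"
}

# Usage: the argument list is the consumer.  This prints only the length
# of what arrived, so the passphrase itself is never echoed:
#   sh pass_aws_example.sh sh -c 'read -r p; echo "got ${#p} bytes"' sh
[ $# -eq 0 ] || deliver_secret "$SECRET_ID" "$@"
```

The consumer sees the passphrase only on its standard input; its own argument vector (checked with `$#` in the usage line) stays empty, which is the property the improved script in the mail is after. Anything that must hold the passphrase longer than a pipe (a temporary file, a heredoc in a shell that spools heredocs to disk) reintroduces an on-disk copy and should be avoided in the same way.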