ssl-certificatepsqlmtls

psql environment variable for sslkey password?


I'm connecting to a PostgreSQL 13.13 db using psql 13.14 on a mac. I'm using client cert auth. I've set the environment variables to include the correct values for PGSSLMODE, PGSSLROOTCERT, PGSSLCERT, & PGSSLKEY.

This means I only have to specify the host, db, and user on the command line. That's great.

But the ssl key is encrypted, so when I try to connect, psql asks for the key password (note, NOT the DB user password, the password to decrypt the cert key).

I've tried setting PGPASSWORD & PGSSLPASSWORD, I tried adding the line in the ~/.pgpass, none of that worked. Is there a way to send the ssl key password to psql without typing it in? I looked through the env vars doc and the password file doc, and I don't see it.

I ask because, in addition to having to type more, every now and then, due to timing issues, I end up typing the password in and the prompt takes it as a command, adding it into my history,... I'd rather have a file somewhere that either is the password, or sets an env var for the password, or set it up once per login or something.

Thank you very much.


Solution

  • There is no environment variable for the SSL key passphrase, possibly for the reason that inspires the the documentation's warning about PGPASSWORD:

    Use of this environment variable is not recommended for security reasons, as some operating systems allow non-root users to see process environment variables via ps

    What you can do is use the sslpassword key word in your connection string. If you want to avoid typing that password over and over, and you don't object to having the password in a text file on disk, you could use a connection service file: