[pgpool-general: 9440] Re: scram-sha-256 Authentication

Tatsuo Ishii ishii at postgresql.org
Mon Apr 28 16:15:28 JST 2025


> All;
> 
> I have set up authentication where I have an md5 line in the
> pool_hba.conf file for a user and I have an md5 password entry for the
> user in the pool_passwd file, and the backend db is using
> scram_sha_256
> 
> I would like to setup the pool users to use scram sha 256 as well. I
> see in the docs that I should use pg_enc to create the entry in the
> pool_passwd file, however pg_enc is complaining about a key file.
> 
> I do not understand where I should put the keyfile and what I should
> put in the keyfile.
> 
> I assume that AES is the same as scram sha 256?

No. They are totally different things. scram-sha-256 is a protocol
between client and pgpool. AES(256) is an encryption algorithm and here
we use it for encrypting passwords in pool_passwd.

> I see this in the docs:
> 
> If you have AES encrypted passwords stored in the pool_passwd
> <https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-POOL-PASSWD>
> file, then Pgpool-II will require the decryption key to decrypt the
> passwords before using them, Pgpool-II tries to read the decryption
> key at startup from the .pgpoolkey file. .pgpoolkey is a plain text
> file which contains the decryption key string.
> 
> By default the Pgpool-II will look for the .pgpoolkey file in the
> user's home directory or the file referenced by environment variable
> PGPOOLKEYFILE. You can also specify the key file using the (-k,
> --key-file=KEY_FILE) command line argument to the pgpool
> <https://www.pgpool.net/docs/latest/en/html/pgpool.html> command. The
> permissions on .pgpoolkey must disallow any access to world or
> group. Change the file permissions by the command chmod 0600
> ~/.pgpoolkey.
> 
> 
> but I am still unsure what I put in the keyfile

When decrypting the encrypted password in pool_passwd, you need the
encryption key, which is an arbitrary string. It's like a password. The
encryption key must be something hard to guess by someone else. Once
you think of such a string, you can store it in the .pgpoolkey file
(or another file as the doc suggests). For example,

echo "the_secret_string" > ~/.pgpoolkey
chmod 600 ~/.pgpoolkey

Best regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
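The steps above (pick a hard-to-guess key string, store it in .pgpoolkey with mode 0600, then let pg_enc use it to write the AES-encrypted pool_passwd entry) as an added POSIX shell example. This is not code from the thread or from the Pgpool-II project; it generates the key string from /dev/urandom instead of a hand-typed secret, verifies the file permissions the docs require before anything reads the key, and only then calls pg_enc. The pg_enc options -m, -k, -f, -u and -p are the ones that tool documents; the file paths and the user name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: prepare ~/.pgpoolkey for Pgpool-II's AES-encrypted pool_passwd.
set -eu

# Write a random key string to KEYFILE with mode 0600.
# The key is just an arbitrary secret string that pgpool and pg_enc share;
# 32 random bytes, base64-encoded, gives 44 printable characters and is
# far harder to guess than a hand-typed phrase.
make_pgpoolkey() {
    keyfile=$1
    # umask in a subshell so the file is never world/group readable, even briefly
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$keyfile" )
    chmod 0600 "$keyfile"
}

# Return 0 only if KEYFILE is a regular file readable by its owner alone
# (pgpool refuses group- or world-accessible key files).
# GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'.
check_pgpoolkey_perms() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
        600|0600|400|0400) return 0 ;;
        *) return 1 ;;
    esac
}

# Encrypt one user's PostgreSQL password into pool_passwd with pg_enc,
# prompting for the password (-p) so it never appears in the process list
# or shell history. CONF is the pgpool.conf whose pool_passwd setting is used.
# Only runs if pg_enc is installed; fails closed if the key file is not 0600.
register_pool_user() {
    keyfile=$1 user=$2 conf=$3
    check_pgpoolkey_perms "$keyfile" || {
        echo "refusing to use $keyfile: permissions must be 0600" >&2
        return 1
    }
    command -v pg_enc >/dev/null 2>&1 || {
        echo "pg_enc not found; install Pgpool-II first" >&2
        return 127
    }
    pg_enc -m -k "$keyfile" -f "$conf" -u "$user" -p
}

# Demo on a temporary directory so the script is safe to run anywhere.
# For real use (assumed paths):
#   make_pgpoolkey "$HOME/.pgpoolkey"
#   register_pool_user "$HOME/.pgpoolkey" appuser /usr/local/etc/pgpool.conf
demo_dir=$(mktemp -d)
make_pgpoolkey "$demo_dir/.pgpoolkey"
check_pgpoolkey_perms "$demo_dir/.pgpoolkey" && echo "key file OK: $demo_dir/.pgpoolkey"
```

Pgpool-II itself reads the same file at startup (from ~/.pgpoolkey, PGPOOLKEYFILE, or -k), so the key string in it must match the one pg_enc used; re-running make_pgpoolkey after entries have been written invalidates every encrypted entry in pool_passwd.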

