PostgreSQL
PostgreSQL password encryption
For a long time the default password encryption for PostgreSQL was md5 (the setting is called password_encryption, although what PostgreSQL stores is a hash of the password, not an encrypted copy of it).
Over the years md5 has become significantly insecure: the stored md5 hash is salted only with the role name, so it is cheap to attack offline, and whoever obtains the stored hash can authenticate with it directly, without knowing the password.
Starting with PostgreSQL v10 it is possible to use the much better scram-sha-256, which stores a salted, iterated verifier that is not sufficient on its own to log in as the user.
Starting with PostgreSQL v14 the default password encryption is scram-sha-256.
As of Dec 2022 scram-sha-256 is the DBOD recommended password encryption for PostgreSQL.
Changing the encryption to scram-sha-256 should not be too difficult:
- set password_encryption = scram-sha-256 in the postgresql.conf file (from the File Editor of the DBOD Web interface)
- reload the instance configuration from the DBOD web portal (from the Start/Stop/Reload/Restart menu)
- force all passwords to be stored in the new format by setting or changing the password for each and every user account, including the admin role itself (see setting-or-changing-the-password in the DBOD User Guide). The parameter only affects passwords set from then on: existing md5 hashes stay md5 until the password is re-set.
Warning
For the last step (changing all passwords), please make sure you are using a client compatible with PostgreSQL version 10 or newer:
the default psql on CentOS 7 and on lxplus is too old!
An older psql hashes the password for \password on the client side with md5, whatever the server's password_encryption setting, so the password would be stored in the old format again; an older libpq also cannot authenticate against a scram-sha-256 password at all.
Please refer to CentOS 7 default psql version is 9.2.24 for further information
With the aim of speeding up the adoption of scram-sha-256:
- the DBOD team recommends starting to use the new encryption standard at your earliest convenience
- in any case, you will be required to comply with scram-sha-256 during the NEXT MAJOR UPGRADE
scram-sha-256 password encryption is a requirement for any PostgreSQL MAJOR upgrade
The upgrade checker procedure checks that all stored passwords are scram-sha-256 before enabling the upgrade.
When action is necessary, you will find a WARNING similar to the following in the upgrade checker logs (which can be found in CERNBox):
WARNING! The following roles:
{list of not sha256 encrypted rolnames}
do not have a scram-sha-256 encrypted password which is now a requirement!
You need to encrypt all passwords with scram-sha-256 before proceeding with the upgrade as follows:
1) set password_encryption = 'scram-sha-256' in postgresql.conf (from the File Editor of the DBOD Web interface)
2) click on Reload from the DBoD Web interface (from the Start/Stop/Reload/Restart menu)
3) change the password for each and every user role listed above with the psql \password [ username ] command (as shown in setting-or-changing-the-password in our DBOD User Guide)
4) trigger the upgrade checker execution from the web interface
NB: You will not be able to proceed with the upgrade until the configuration parameter and all the passwords are scram-sha-256 compliant.
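The following psql session is an added example, not part of this page, of the DBOD tooling or of the upgrade checker; it walks through the migration described at the top of the page and in the four steps above, with the check a practitioner would want before re-triggering the upgrade checker. It assumes a psql client of version 10 or newer connected as the instance admin role (the names admin and app_user are hypothetical), and that the admin role can read pg_authid, which is restricted to superusers.

```sql
-- Added example (not DBOD's own tooling): verify and complete the md5 -> scram-sha-256
-- migration from psql 10+. Role names "admin" and "app_user" are hypothetical.

-- 1) After editing postgresql.conf and clicking Reload, confirm the server picked it up.
--    Expected: scram-sha-256. If it still says md5, the reload did not happen or the edit
--    was not saved, and every password you set now would still be stored as md5.
SHOW password_encryption;

-- 2) List login roles whose stored password is NOT in the new format.
--    Stored verifiers start with 'md5' for the old format and 'SCRAM-SHA-256$' for the
--    new one. pg_authid.rolpassword is readable by superusers only; if the admin role
--    is not a superuser, rely on the role list printed in the upgrade checker WARNING.
--    Roles without a password cannot use password authentication and are skipped here.
SELECT rolname,
       CASE
           WHEN rolpassword LIKE 'md5%'            THEN 'md5'
           WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
           ELSE 'unknown'
       END AS password_format
FROM   pg_authid
WHERE  rolcanlogin
  AND  rolpassword IS NOT NULL
  AND  rolpassword NOT LIKE 'SCRAM-SHA-256$%'
ORDER  BY rolname;

-- 3) Re-set the password of every role returned, the admin role included.
--    \password (psql 10+) asks the server for password_encryption and hashes the password
--    on the client, so the plaintext never crosses the connection or reaches the server
--    log. Pre-10 psql always hashes with md5 here, which is why the warning above insists
--    on a recent client. Each command prompts interactively for the new password.
\password app_user
\password admin

-- ALTER ROLE ... PASSWORD 'plaintext' is also hashed with scram-sha-256 by the server once
-- password_encryption is set, but the plaintext travels over the connection and can land in
-- the server log (log_statement) and in the psql history, so prefer \password.
-- Connections are not broken by the change: a pg_hba.conf rule using the md5 method
-- automatically performs SCRAM authentication for roles whose stored password is SCRAM.

-- 4) Re-run the query from step 2: it must return no rows before you trigger the upgrade
--    checker again from the web interface.
```

The query in step 2 is the same test the upgrade checker applies; running it yourself before triggering the checker saves a round trip through the CERNBox logs.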