ssl_passphrase_command_supports_reload — PostgreSQL configuration parameter

This parameter determines whether the passphrase command set by ssl_passphrase_command will also be called during a configuration reload if a key file needs a passphrase.

At a glance

What it does

This parameter determines whether the passphrase command set by ssl_passphrase_command will also be called during a configuration reload if a key file needs a passphrase. If this parameter is off (the default), then ssl_passphrase_command will be ignored during a reload and the SSL configuration will not be reloaded if a passphrase is needed. That setting is appropriate for a command that requires a TTY for prompting, which might not be available when the server is running. Setting this parameter to on might be appropriate if the passphrase is obtained from a file, for example.

This parameter must be set to on when running on Windows since all connections will perform a configuration reload due to the different process model of that platform.

(Description quoted from the official PostgreSQL documentation.)

How to apply a change

Can be set per session with SET, per role/database with ALTER ROLE/DATABASE ... SET, or globally in postgresql.conf.

Inspect the current value and source with SHOW ssl_passphrase_command_supports_reload; or SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'ssl_passphrase_command_supports_reload';.

Tuning guidance

This is a connectivity or security setting, not a performance knob. Choose the value from your security and network requirements (TLS files, ciphers, keepalives, authentication behaviour) rather than for throughput, and verify it against your organization’s policy. Test changes in staging, because a wrong value here can lock clients out.

Reference

PostgreSQL documentation — ssl_passphrase_command_supports_reload.