Sets an external command to be invoked when a passphrase for decrypting an SSL file such as a private key needs to be obtained.
At a glance
| Property | Value |
|---|---|
| Parameter | ssl_passphrase_command |
| Category | Connections and Authentication |
| Default | (see documentation) |
| Value type | string |
| Change scope | Per-session (SET) |
| Available in | PostgreSQL 12, 13, 14, 15, 16, 17, 18, 19 (added in 12) |
What it does
Sets an external command to be invoked when a passphrase for decrypting an SSL file such as a private key needs to be obtained. By default, this parameter is empty, which means the built-in prompting mechanism is used.
The command must print the passphrase to the standard output and exit with code 0. In the parameter value, %p is replaced by a prompt string. (Write %% for a literal %.) Note that the prompt string will probably contain whitespace, so be sure to quote adequately. A single newline is stripped from the end of the output if present.
(Description quoted from the official PostgreSQL documentation.)
How to apply a change
Can be set per session with SET, per role/database with ALTER ROLE/DATABASE ... SET, or globally in postgresql.conf.
Inspect the current value and source with SHOW ssl_passphrase_command; or SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'ssl_passphrase_command';.
Tuning guidance
This is a connectivity or security setting, not a performance knob. Choose the value from your security and network requirements (TLS files, ciphers, keepalives, authentication behaviour) rather than for throughput, and verify it against your organization’s policy. Test changes in staging, because a wrong value here can lock clients out.