--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+user=postgres
+key="$tool"/var/sec/x509/postgresql."$local_domainname"/user/"$user"/key.pem
+
+read -r pass <<-EOF
+ $(stdbuf --output 0 tr -d -c '[:alnum:]' <"${random:-/dev/urandom}" | head -c 42)
+ EOF
+gpg --yes --decrypt "$key".gpg |
+openssl rsa -in /dev/stdin -des3 -passout fd:3 -out "$key" 3<<-EOF
+ $pass
+ EOF
+
+PGSSLCERT="$tool"/var/pub/x509/postgresql."$local_domainname"/user/"$user"/crt.pem \
+PGSSLKEY="$key" \
+PGSSLMODE=verify-full \
+PGSSLROOTCERT="$tool"/var/pub/x509/postgresql."$local_domainname"/crt+ca.pem \
+expect -f /dev/fd/3 \
+ psql \
+ --host postgresql."$local_domainname" \
+ --port 5432 \
+ --username "$user" \
+ "$@" 3<<-EOF
+ spawn {*}\$argv
+ expect {
+ "Enter PEM pass phrase:" {
+ send -- "$pass\\r"
+ interact
+ }
+ }
+ EOF