
doc: add example using pin-source method #94

Closed
111a5ab1 opened this issue Sep 6, 2023 · 3 comments · Fixed by #95

Comments

111a5ab1 (Contributor) commented Sep 6, 2023

Firstly, many thanks to the Smallstep team for creating step and step-kms-plugin.

It seems step-kms-plugin currently requires passing the PIN directly via the --kms command-line argument, i.e.:

$ step certificate create --profile root-ca \
   --kms "yubikey:pin-value=123456" \
   --key "yubikey:slot-id=82" \
   "Smallstep Root CA" root_ca.crt

Passing sensitive values in via command-line is insecure as nicely outlined in Smallstep's own blog post, "How to Handle Secrets on the Command Line" by Carl Tashian.

It would be great to be able to provide the PIN via more secure methods, such as a pipe, a file, or an environment variable, e.g.:

Pipe example leveraging HashiCorp Vault

$ vault kv get -field=pin yubikey
123456
$ vault kv get -field=pin yubikey \
   | step certificate create --profile root-ca \
     --kms "yubikey" \
     --key "yubikey:slot-id=82" \
     "Smallstep Root CA" root_ca.crt

File example

$ cat yubikey_pin
123456
$ step certificate create --profile root-ca \
     --kms "yubikey:pin-file=yubikey_pin" \
     --key "yubikey:slot-id=82" \
     "Smallstep Root CA" root_ca.crt

Environment example leveraging 1Password

$ op read op://pki/yubikey/pin
123456
$ export STEP_KMS_PIN_VALUE="op://pki/yubikey/pin"
$ op run -- \
   step certificate create --profile root-ca \
     --kms "yubikey" \
     --key "yubikey:slot-id=82" \
     "Smallstep Root CA" root_ca.crt
maraino (Contributor) commented Sep 6, 2023

@111a5ab1 You should be able to use pin-source=path/to/file

maraino (Contributor) commented Sep 6, 2023

And with pin-source you can also use some tricks to use an environment variable:

$ export PIN=123456
$ step-kms-plugin key "yubikey:slot-id=82?pin-source=<(echo $PIN)"
-----BEGIN PUBLIC KEY-----
MHcCAQEEINMCE4FRJ0Ys3UxDves4tDaQcClxTzGsTDFYaPJePMn4oAoGCCqGSM49
AwEHoUQDQgAEwcqzWe+avE8Du99i4pF9JK4Ask7HBLTdkwM1inilsp+RDrOlqrrM
iSr+q+V6yNKN5GFrqBvqw3hlngKu/E2DyA==
-----END PUBLIC KEY-----

111a5ab1 changed the title from "Feature Request: Ability to provide KMS PIN via pipe, file, or environment variable" to "doc: add example using pin-source method" on Sep 7, 2023

111a5ab1 (Contributor, Author) commented Sep 7, 2023

Hi @maraino, thanks for the quick reply and pointing me to pin-source!

I went off the examples in the README.md all being pin-value, completely missing the usage in key.go#L42.

Submitted PR doc: add example using pin-source method #95 to better call this out by including an example of pin-source in the README.md.
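The two ways of handing the PIN to the plugin that this thread compares, as an added shell example that is not code from step-kms-plugin or from either participant. It assumes the yubikey URI syntax shown above (pin-value= and pin-source=), uses the thread's sample PIN 123456 and slot id 82 as constructed values, and needs no YubiKey or step binary: it only builds the URIs, writes the PIN to a private temp file, and checks what would be visible in the process's argv. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from step-kms-plugin). Compares the pin-value form, where
# the PIN lands in argv, with the pin-source form, where only a file path does,
# and includes the two checks a reviewer would want: the PIN file is owner-only
# and the final argv does not contain the PIN.

# build_kms_uri_pin_value PIN: the form in the issue's first examples. The PIN
# becomes part of argv, so it shows up in `ps`, /proc/<pid>/cmdline and
# shell history.
build_kms_uri_pin_value() {
    printf 'yubikey:pin-value=%s' "$1"
}

# build_kms_uri_pin_source FILE: the form suggested in the thread. Only the
# path is in argv; the plugin reads the PIN from the file.
build_kms_uri_pin_source() {
    printf 'yubikey:pin-source=%s' "$1"
}

# write_pin_file PIN: store the PIN in a fresh private temp directory and
# print the file path. umask 077 makes the file 0600 (mktemp -d already
# creates the directory 0700). A trailing newline is written, as `echo`
# in the thread's pin-source example also produces one.
write_pin_file() {
    dir=$(umask 077 && mktemp -d) || return 1
    file="$dir/pin"
    (umask 077 && printf '%s\n' "$1" > "$file") || return 1
    printf '%s' "$file"
}

# pin_file_is_private FILE: succeed only if the mode string is exactly
# -rw------- (read through ls so it works on GNU and BSD userlands).
pin_file_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# remove_pin_file FILE: delete the PIN file with its temp directory once the
# command has run; in a real script call this from an EXIT trap.
remove_pin_file() {
    rm -rf "$(dirname "$1")"
}

# argv_contains_secret SECRET ARG...: succeed if SECRET occurs anywhere in the
# remaining arguments, i.e. in what `ps` would display for that command line.
argv_contains_secret() {
    secret=$1
    shift
    case "$*" in
        *"$secret"*) return 0 ;;
    esac
    return 1
}

# demo: walk through both forms with the constructed sample PIN.
demo() {
    pin=123456   # constructed sample value, as used in the issue
    unsafe=$(build_kms_uri_pin_value "$pin")
    if argv_contains_secret "$pin" step certificate create --kms "$unsafe" --key "yubikey:slot-id=82"; then
        echo "pin-value:  PIN is visible in argv: --kms $unsafe"
    fi
    file=$(write_pin_file "$pin") || exit 1
    pin_file_is_private "$file" || { echo "PIN file is not 0600"; exit 1; }
    safe=$(build_kms_uri_pin_source "$file")
    if argv_contains_secret "$pin" step certificate create --kms "$safe" --key "yubikey:slot-id=82"; then
        echo "pin-source: PIN leaked into argv"; exit 1
    fi
    echo "pin-source: argv carries only the path: --kms $safe"
    remove_pin_file "$file"
}

demo
```

Two caveats for the variants shown in the thread. The process-substitution trick gives the plugin a /dev/fd path rather than the PIN itself, but bash only performs `<( )` outside double quotes, so the quoted part of the URI has to end before it, as in `"yubikey:slot-id=82?pin-source="<(echo "$PIN")`; and an exported `PIN` variable is still readable from the process environment by other processes of the same user, so the file form with the cleanup above is the one that leaves the least behind.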
