doc: add example using pin-source method #94
Comments
@111a5ab1 You should be able to use

And with pin-source you can also use some tricks to use an environment variable:

$ export PIN=123456
$ step-kms-plugin key "yubikey:slot-id=82?pin-source=<(echo $PIN)"
-----BEGIN PUBLIC KEY-----
MHcCAQEEINMCE4FRJ0Ys3UxDves4tDaQcClxTzGsTDFYaPJePMn4oAoGCCqGSM49
AwEHoUQDQgAEwcqzWe+avE8Du99i4pF9JK4Ask7HBLTdkwM1inilsp+RDrOlqrrM
iSr+q+V6yNKN5GFrqBvqw3hlngKu/E2DyA==
-----END PUBLIC KEY-----
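The pin-source mechanism in the comment above, modelled as an added example (this is not step-kms-plugin's own code): the key URI `yubikey:slot-id=82?pin-source=<path>` is taken from the page, the `pin-value=<pin>` alternative and the URI grammar used by the parser are assumptions modelled on PKCS#11-style URI attributes, and the `/dev/fd/N` path stands in for what bash substitutes for `<(echo $PIN)` before the plugin ever sees the argument. The point the code makes is that with pin-source only a file path is on the command line, so the PIN is not exposed through `ps` or `/proc/<pid>/cmdline`.

```python
"""Model of how a pin-source key attribute keeps a PIN off the command line.

Added illustration, not code from step-kms-plugin. Assumes a key URI of the
form seen on the page, `yubikey:slot-id=82?pin-source=<path>`, where
pin-source names a file (or a /dev/fd/N path produced by bash process
substitution such as `<(echo $PIN)`) whose content is the PIN, and a
`pin-value=<pin>` alternative that carries the PIN literally (assumption
modelled on PKCS#11 URI attributes).
"""
import os
import tempfile
from typing import Dict, List, Tuple

MAX_PIN_LEN = 64  # sanity bound so a wrong path (e.g. a large file) is rejected


def _split_pairs(s: str, sep: str) -> Dict[str, str]:
    """Turn 'a=1;b=2' into {'a': '1', 'b': '2'}; a bare key maps to ''."""
    out: Dict[str, str] = {}
    for item in s.split(sep):
        if item:
            key, _, value = item.partition("=")
            out[key] = value
    return out


def parse_key_uri(uri: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Split 'yubikey:slot-id=82?pin-source=/dev/fd/63' into
    (scheme, opaque attributes, query attributes)."""
    scheme, _, rest = uri.partition(":")
    opaque, _, query = rest.partition("?")
    return scheme, _split_pairs(opaque, ";"), _split_pairs(query, "&")


def read_pin(pin_source: str) -> str:
    """Read the PIN from the file named by pin-source. A pipe reached through
    /dev/fd/N works because open() on that path yields the pipe's read end."""
    with open(pin_source, "rb") as f:
        data = f.read(MAX_PIN_LEN + 1)
    if len(data) > MAX_PIN_LEN:
        raise ValueError("pin-source content is too long to be a PIN")
    pin = data.decode("utf-8").rstrip("\r\n")
    if not pin:
        raise ValueError("pin-source is empty")
    return pin


def resolve_pin(uri: str) -> Tuple[Dict[str, str], str]:
    """Return (key attributes, PIN). pin-source is preferred; pin-value is
    accepted but leaves the PIN visible in the process argument list."""
    scheme, attrs, params = parse_key_uri(uri)
    if scheme != "yubikey":
        raise ValueError(f"unsupported key URI scheme: {scheme!r}")
    if "pin-source" in params:
        return attrs, read_pin(params["pin-source"])
    if "pin-value" in params:
        return attrs, params["pin-value"]
    raise ValueError("key URI carries neither pin-source nor pin-value")


def secret_in_argv(argv: List[str], secret: str) -> bool:
    """True if the secret appears in any argument, i.e. it would be readable
    by anyone who can list processes (ps, /proc/<pid>/cmdline)."""
    return any(secret in arg for arg in argv)


def write_pin_file(pin: str) -> str:
    """File variant: mkstemp-backed temp file created with mode 0600, so
    other local users cannot read it. Returns the path to put in pin-source."""
    with tempfile.NamedTemporaryFile("w", suffix=".pin", delete=False) as f:
        f.write(pin + "\n")
        return f.name


def demo_process_substitution(pin: str) -> Tuple[bool, str]:
    """Emulate `<(echo $PIN)`: the PIN goes into a pipe and only a /dev/fd
    path appears in the URI. Returns (PIN visible in argv?, recovered PIN)."""
    r, w = os.pipe()
    os.write(w, (pin + "\n").encode())
    os.close(w)  # close the write end so the reader sees EOF after the PIN
    try:
        argv = ["step-kms-plugin", "key", f"yubikey:slot-id=82?pin-source=/dev/fd/{r}"]
        _, recovered = resolve_pin(argv[2])
    finally:
        os.close(r)
    return secret_in_argv(argv, pin), recovered


if __name__ == "__main__":
    # Insecure form: the PIN is part of the command line.
    unsafe = ["step-kms-plugin", "key", "yubikey:slot-id=82?pin-value=123456"]
    print("pin-value visible in argv:", secret_in_argv(unsafe, "123456"))
    # Safe form: the PIN travels through a pipe; only /dev/fd/N is on the line.
    visible, pin = demo_process_substitution("123456")
    print("pin-source visible in argv:", visible, "recovered:", pin)
```

`write_pin_file` covers the "file" variant the issue asks for; `demo_process_substitution` covers the pipe/environment variant from the comment, where the shell expands `<(echo $PIN)` to a `/dev/fd/N` path before exec, so `$PIN` itself never lands in the argument vector.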
Hi @maraino, thanks for the quick reply and pointing me to

I went off the examples in the

Submitted PR doc: add example using pin-source method #95 to better call this out by including an example of
Firstly, many thanks to the Smallstep team for creating step and step-kms-plugin.

It seems step-kms-plugin currently requires passing the PIN directly in via the --kms command-line argument, i.e.:

Passing sensitive values in via command-line is insecure as nicely outlined in Smallstep's own blog post, "How to Handle Secrets on the Command Line" by Carl Tashian.

It would be great to be able to provide the PIN via more secure methods, such as pipes, file, or environment variable, e.g.:

Pipe example leveraging HashiCorp Vault

File example

Environment example leveraging 1Password