Closed 111a5ab1 closed 1 year ago
@111A5AB1 You should be able to use `pin-source=path/to/file`

And with `pin-source` you can also use some tricks to use an environment variable:

```
$ export PIN=123456
$ step-kms-plugin key "yubikey:slot-id=82?pin-source=<(echo $PIN)"
-----BEGIN PUBLIC KEY-----
MHcCAQEEINMCE4FRJ0Ys3UxDves4tDaQcClxTzGsTDFYaPJePMn4oAoGCCqGSM49
AwEHoUQDQgAEwcqzWe+avE8Du99i4pF9JK4Ask7HBLTdkwM1inilsp+RDrOlqrrM
iSr+q+V6yNKN5GFrqBvqw3hlngKu/E2DyA==
-----END PUBLIC KEY-----
```
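A scripted form of the pin-source approach described above, as an added example that is not part of the issue or of the step-kms-plugin project: the PIN is read from an assumed YUBIKEY_PIN environment variable, written to a mode-0600 temporary file, and referenced through pin-source, so the PIN itself never appears in argv (where `ps` and shell history could expose it). Slot 82 is taken from the comment's example.

```shell
#!/bin/sh
# Added example (not from the issue or the step-kms-plugin project).
# Assumption: the PIN is delivered in the YUBIKEY_PIN environment variable.
set -eu

# Write $YUBIKEY_PIN to a private temp file and print the kms URI that
# references it via pin-source. Only the file path ends up on the command
# line; the PIN stays out of argv, `ps` output and shell history.
make_pin_source_uri() {
  slot="${1:-82}"
  # mktemp creates the file with mode 0600; the umask in the subshell is a
  # belt-and-braces guard for implementations that honour umask instead.
  pin_file="$(umask 077 && mktemp)"
  printf '%s' "${YUBIKEY_PIN:?YUBIKEY_PIN is not set}" > "$pin_file"
  printf 'yubikey:slot-id=%s?pin-source=%s\n' "$slot" "$pin_file"
}

# Remove the PIN file once the plugin has read it. Takes the URI returned
# by make_pin_source_uri and strips everything up to "pin-source=".
cleanup_pin_source() {
  uri="$1"
  pin_file="${uri#*pin-source=}"
  rm -f "$pin_file"
}

# Usage (requires a YubiKey and step-kms-plugin, so not run here):
#   export YUBIKEY_PIN=...          # e.g. from a secret manager
#   uri="$(make_pin_source_uri 82)"
#   trap 'cleanup_pin_source "$uri"' EXIT
#   step-kms-plugin key "$uri"
```

The trap in the usage comment guarantees the PIN file is deleted even if step-kms-plugin fails, which a plain sequential `rm` would not.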
Hi @maraino, thanks for the quick reply and pointing me to `pin-source`!

I went off the examples in the README.md all being `pin-value`, completely missing the usage in key.go#L42.

Submitted PR "doc: add example using pin-source method #95" to better call this out by including an example of `pin-source` in the README.md.
Firstly, many thanks to the Smallstep team for creating `step` and `step-kms-plugin`.

It seems `step-kms-plugin` currently requires passing the PIN directly in via the `--kms` command-line argument, i.e.:

Passing sensitive values in via command-line is insecure, as nicely outlined in Smallstep's own blog post, "How to Handle Secrets on the Command Line" by Carl Tashian.

It would be great to be able to provide the PIN via more secure methods, such as pipes, file, or environment variable, e.g.:

- Pipe example leveraging HashiCorp Vault
- File example
- Environment example leveraging 1Password