smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0

doc: add example using pin-source method #94

Closed 111a5ab1 closed 1 year ago

111a5ab1 commented 1 year ago

Firstly, many thanks to the Smallstep team for creating step and step-kms-plugin.

It seems step-kms-plugin currently requires passing the PIN directly via the --kms command-line argument, i.e.:

$ step certificate create --profile root-ca \
   --kms "yubikey:pin-value=123456" \
   --key "yubikey:slot-id=82" \
   "Smallstep Root CA" root_ca.crt

Passing sensitive values via the command line is insecure, as nicely outlined in Smallstep's own blog post, "How to Handle Secrets on the Command Line" by Carl Tashian.

It would be great to be able to provide the PIN via more secure methods, such as a pipe, a file, or an environment variable, e.g.:

Pipe example leveraging HashiCorp Vault

$ vault kv get -field=pin yubikey
123456
$ vault kv get -field=pin yubikey \
   | step certificate create --profile root-ca \
     --kms "yubikey" \
     --key "yubikey:slot-id=82" \
     "Smallstep Root CA" root_ca.crt

File example

$ cat yubikey_pin
123456
$ step certificate create --profile root-ca \
     --kms "yubikey:pin-file=yubikey_pin" \
     --key "yubikey:slot-id=82" \
     "Smallstep Root CA" root_ca.crt

Environment example leveraging 1Password

$ op read op://pki/yubikey/pin
123456
$ export STEP_KMS_PIN_VALUE="op://pki/yubikey/pin"
$ op run -- \
   step certificate create --profile root-ca \
     --kms "yubikey" \
     --key "yubikey:slot-id=82" \
     "Smallstep Root CA" root_ca.crt

maraino commented 1 year ago

@111A5AB1 You should be able to use pin-source=path/to/file

maraino commented 1 year ago

And with pin-source you can also use some tricks to use an environment variable:

$ export PIN=123456
$ step-kms-plugin key "yubikey:slot-id=82?pin-source=<(echo $PIN)"
-----BEGIN PUBLIC KEY-----
MHcCAQEEINMCE4FRJ0Ys3UxDves4tDaQcClxTzGsTDFYaPJePMn4oAoGCCqGSM49
AwEHoUQDQgAEwcqzWe+avE8Du99i4pF9JK4Ask7HBLTdkwM1inilsp+RDrOlqrrM
iSr+q+V6yNKN5GFrqBvqw3hlngKu/E2DyA==
-----END PUBLIC KEY-----
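
The pin-source path and the `<(echo $PIN)` trick described above, as an added shell example that is not part of step-kms-plugin or of this thread: it writes the PIN to an owner-only file, checks the file's mode before use, builds the key URI in the form the comment shows, confirms the PIN is absent from the resulting argument list, and replaces bash-only process substitution with a POSIX FIFO so the same flow works under plain sh. The key URI form and slot id are taken from the comment, the PIN 123456 is a constructed placeholder, and the function names are the example's own; it does not invoke step-kms-plugin itself.

```shell
#!/bin/sh
# Added example, not part of step-kms-plugin: prepare a YubiKey PIN for the
# pin-source method so the PIN itself never appears on the command line.
# Assumptions: the key URI form "yubikey:slot-id=82?pin-source=PATH" is
# taken from the comment above; the PIN 123456 is a constructed placeholder.

# Write the PIN to a file only the current user can read and print its path.
write_pin_file() {
    pin_dir=$1
    pin=$2
    pin_file="$pin_dir/yubikey_pin"
    (
        umask 077                    # created with mode 0600, no group/other bits
        printf '%s' "$pin" > "$pin_file"
    )
    printf '%s' "$pin_file"
}

# Refuse a PIN file that anyone other than its owner could read.
# Returns 0 only when the file exists and has no group/other permission bits.
check_pin_file() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of `ls -l` output are the group and other mode bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Build the key URI that makes step-kms-plugin read the PIN from a path
# (form taken from the comment above).
key_uri_for_pin_source() {
    printf 'yubikey:slot-id=82?pin-source=%s' "$1"
}

# Portable stand-in for bash's <(echo $PIN): a 0600 FIFO fed once by a
# background writer. The PIN crosses a kernel pipe buffer and is never
# written to disk. Takes the FIFO path and the PIN; creates the FIFO.
serve_pin_fifo() {
    pin_fifo=$1
    pin=$2
    (umask 077; mkfifo "$pin_fifo")
    # The writer blocks in open() until the consumer reads the FIFO, so it
    # runs in the background with its own stdout detached.
    ( printf '%s' "$pin" > "$pin_fifo" ) >/dev/null 2>&1 &
}

# What a pin-source consumer does with the path: read the source once.
read_pin_source() {
    cat "$1"
}

# Returns 0 when the secret appears verbatim in any argument of a command
# line, which is what pin-value exposes to `ps` and to shell history.
argv_contains_secret() {
    secret=$1
    shift
    for arg in "$@"; do
        case $arg in *"$secret"*) return 0 ;; esac
    done
    return 1
}

demo() {
    tmp=$(mktemp -d)
    pin=123456                       # constructed placeholder, not a real PIN
    file=$(write_pin_file "$tmp" "$pin")
    if check_pin_file "$file"; then
        echo "PIN file is owner-only: $file"
    else
        echo "PIN file is readable by others, refusing to use it"
    fi

    uri=$(key_uri_for_pin_source "$file")
    if argv_contains_secret "$pin" step-kms-plugin key "$uri"; then
        echo "PIN leaked into argv"
    else
        echo "PIN absent from argv: step-kms-plugin key \"$uri\""
    fi

    serve_pin_fifo "$tmp/pin.fifo" "$pin"
    if [ "$(read_pin_source "$tmp/pin.fifo")" = "$pin" ]; then
        echo "consumer read the PIN through the FIFO"
    fi
    wait
    rm -rf "$tmp"
}

demo
```

Process substitution (`<(...)`) is a bash and zsh feature, so the FIFO is the equivalent in a POSIX sh script. The argv check is the point of the whole thread: with pin-value the PIN is part of the process argument list, which is visible to other local processes and saved in shell history, whereas with pin-source only a path (or a FIFO) appears there.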
111a5ab1 commented 1 year ago

Hi @maraino, thanks for the quick reply and pointing me to pin-source!

I went off the examples in the README.md, all of which use pin-value, completely missing the usage in key.go#L42.

Submitted PR "doc: add example using pin-source method" (#95) to better call this out by including an example of pin-source in the README.md.