Skip to content

Latest commit

 

History

History
91 lines (58 loc) · 3.87 KB

README.md

File metadata and controls

91 lines (58 loc) · 3.87 KB

Smallstep for Desktops

Smallstep helps ensure that access to financial data, code repositories, PII and other sensitive resources is only possible from trusted, company-managed devices.

System Requirements

Windows

  • Windows 10 or later
  • Trusted Platform Module (TPM 2.0)

Linux

  • Flatpak, or Debian 12+, Ubuntu 22.04+, Fedora 38+
  • systemd-based service manager
  • Trusted Platform Module (TPM 2.0)
  • p11-kit
  • tpm-tss2

macOS

  • macOS 13 (Ventura) or later
  • Secure Enclave

Runtime Requirements

All platforms require an internet connection for normal operation.

Windows

  • Administrator privileges - the Smallstep app requires privilege escalation to be able to communicate to the TPM

macOS

  • Location permission - to enable management of Wifi networks, the Smallstep app needs location permission
  • Keychain access - the Smallstep app uses the macOS keychain to store both keys and certificates it manages
  • Network Extension entitlement - the Smallstep app requests the Network Extension entitlement so that it can manage VPN connections

Linux

  • TPM read/write permission - the Smallstep app communicates to the TPM from user-space using tpm-tss2, and the running user must have read/write permissions to the TPM resource manager (typically /dev/tpmrm0)

On all platforms, the Smallstep app manages a directory on the filesystem in a well-known location for management of keys and certificates:

  • On macOS: $HOME/Library/Application Support/Smallstep
  • On Windows: %LOCALAPPDATA%/Smallstep
  • On Linux: $XDG_RUNTIME_DIR/step-agent and $XDG_CONFIG_HOME/step-agent

Download

Installers for macOS, Windows and Linux can be downloaded from GitHub releases. Releases are signed with, and can be verified, by cosign.

Platform Release
macOS Latest Version
Linux (Flatpak) Latest Version
Linux (.deb) Latest Version
Linux (.rpm) Latest Version
Windows (AMD64) Latest Version
Windows (ARM64) Latest Version

Telemetry

The Smallstep app collects and reports some data from the host device as part of its normal operation. These are:

  • Device Identifiers from TPM-enabled platforms
  • Device/Computer Name
  • Device/Computer Hostname
  • Chipset Architecture
  • Operating System Version
  • WAN IP Address

Usage

PKCS#11 Server on Linux

On Linux, the Smallstep app provides a PKCS#11 server that can be used for a variety of integration use cases, such as Network Manager connections or web browser certificates. The PKCS#11 server is exposed as a UNIX socket at $XDG_RUNTIME_DIR/step-agent/step-agent-pkcs11.sock. One usage example would be adding the PKCS#11 tokens to your browser using modutil and an NSS database.

On Chrome (which defaults to ~/.pki/nssdb), for example:

modutil -dbdir ~/.pki/nssdb -add step-agent -libfile <path-to-p11-kit-libs>/p11-kit-client.so
export P11_KIT_SERVER_ADDRESS=unix:path=$XDG_RUNTIME_DIR/step-agent/step-agent-pkcs11.sock

After that, you should see certificates managed by Smallstep in Chrome. You'll want to add P11_KIT_SERVER_ADDRESS to your environment more permanents for regular usage. You can use tools like pkcs11-tool for troubleshooting:

pkcs11-tool --module <path-to-p11-kit-libs>/p11-kit-client.so --list-slots

Read the p11-kit documentation for more details.