Add ability to load yubikey management keys from a file #207
Comments
Hey @rmb938, You mean just the YubiKey management key, right? For PINs it should already be possible using It does make sense to support As mentioned on Discord, it might be nice to support prompting in an interactive context, but that'll take more work.
Yes, I'll update the since you mentioned the pin source.
rmb938 changed the title from "Add ability to load yubikey management keys and pins from a file" to "Add ability to load yubikey management keys from a file" on Jan 10, 2025.
maraino added a commit to smallstep/crypto that referenced this issue on Jan 14, 2025:
> This commit adds the yubikey attribute management-key-source. This attribute can be used to pass the yubikey management key from a file. Fixes smallstep/step-kms-plugin#207
Currently, when using kms with a yubikey, it seems like the only way to give step-kms-plugin the management key is via the command line.

Like the environment variables mentioned here https://smallstep.com/docs/step-ca/certificate-authority-server-production/#avoid-storing-passwords-in-environment-variables, command line arguments also are not that secure: any user can see them in `ps` or the `/proc` filesystem.

It would be useful to be able to do something like `yubikey:management-key-source=/etc/step/yubikey-pin`, for example.

Step CA already has this covered since the keys and pins are in the `ca.json`, so this is really only needed when used via the command line.