
Add option to require HSM pin on step-ca startup.

Open kism opened this issue 3 years ago • 3 comments

What would you like to be added

I'd like to have the option to not have the HSM pin stored in a configuration file, but instead be required to be entered manually by an operator each time the CA is started.

Why this is needed

Having HSM pins sitting on the file system weakens the security in cases of hardware being stolen.

In theory if the PIN is not known then stealing a server and HSM will be useless to an attacker.

In cases where step-ca is running as a service my idea is:

  1. step-ca program starts up but stalls, prompting for a pin
  2. The user enters the pin if they are running step-ca interactively; if they are running step-ca as a service there could be a command to send the pin to step-ca (see EJBCA's bin/ejbca.sh ca activateca)
  3. step-ca uses the pin to access the pin and continues as per normal
  4. HSM pin is not logged anywhere

kism avatar Jul 31 '21 23:07 kism

@kism We will add a prompt the first time this is required, probably at the start of the server, in the same way the password for the intermediate key works.

Just out of curiosity, did the solution with named pipes (mkfifo) work?

maraino avatar Aug 04 '21 21:08 maraino
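The named-pipe (mkfifo) approach asked about above, written out as an added shell example. This is not step-ca code and not something either participant posted: the "service" is a stand-in that simulates the HSM by comparing the delivered PIN with an expected value, and the fifo path, log path and function names (`setup_pipe`, `service_start`, `activate_ca`, `demo`) are hypothetical. It shows the four points of the proposal: the service stalls at startup, an operator pushes the PIN in, the service continues, and the PIN is never logged.

```shell
#!/bin/sh
# Constructed demo of the "activate" workflow discussed in this issue, using a
# named pipe (mkfifo) to hand the HSM PIN to an already-running service.
# The service below is a stand-in for step-ca, NOT its real code: the "HSM" is
# simulated by comparing the delivered PIN with an expected value.
set -eu

# Create a private fifo (mode 0600, so only the service user can open it).
# The directory and file name are hypothetical.
setup_pipe() {
    dir=$(mktemp -d)
    mkfifo -m 600 "$dir/hsm-pin.fifo"
    printf '%s\n' "$dir/hsm-pin.fifo"
}

# Service side: block at startup until one line arrives on the pipe, use it to
# "unlock" the token, and log only the outcome, never the PIN itself.
service_start() {
    fifo=$1 log=$2 expected=$3
    IFS= read -r pin < "$fifo"    # blocks until an operator opens the pipe for writing
    if [ "$pin" = "$expected" ]; then
        printf 'hsm: token activated\n' >> "$log"
        unset pin
        return 0
    fi
    printf 'hsm: activation failed (wrong PIN)\n' >> "$log"
    unset pin
    return 1
}

# Operator side (the equivalent of EJBCA's "activateca"): read the PIN from the
# terminal with echo off, or from stdin when scripted, and write it into the
# pipe. The PIN is never passed as an argument, so it is invisible to `ps`.
activate_ca() {
    fifo=$1
    if [ -t 0 ]; then
        printf 'HSM PIN: ' >&2
        stty -echo; IFS= read -r pin; stty echo; printf '\n' >&2
    else
        IFS= read -r pin
    fi
    printf '%s\n' "$pin" > "$fifo"   # blocks until the service is reading
    unset pin
}

# Run one activation round: start the service, deliver a PIN, and verify the
# outcome. Returns 0 on a correct PIN, 1 on a wrong one, 2 if the PIN leaked
# into the service log.
demo() {
    expected=$1 supplied=$2
    fifo=$(setup_pipe)
    log=$(dirname "$fifo")/service.log
    : > "$log"
    service_start "$fifo" "$log" "$expected" &
    svc=$!
    rc=0
    printf '%s\n' "$supplied" | activate_ca "$fifo"
    wait "$svc" || rc=$?
    if grep -q -F -- "$supplied" "$log"; then rc=2; fi
    rm -rf "$(dirname "$fifo")"
    return "$rc"
}

# Stand-alone run: deliver the correct PIN once (constructed values).
demo 123456 123456 && echo 'demo: service activated, PIN absent from log'
```

Two points worth noting about the design. The fifo, not the command line or an environment variable, carries the PIN because arguments and environment are readable by other users through `ps` and `/proc`; restricting the fifo to mode 0600 under the service user closes the remaining local path. This covers the threat the issue is about (stolen hardware without the PIN), not a live host compromise: once activated, the PIN or the unlocked session still lives in the service's memory.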

I did some research about named pipes as they are not in my Linux knowledge, I haven't had time to give anything a go yet though.

kism avatar Aug 05 '21 10:08 kism