Prompt for PIN using KMS x5c #1460
Closed
smallstep/crypto#810
Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)
Description
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
KMS can be used with the x5c provider to sign a CSR (using a YubiKey, for example):
```shell
step ca sign </path/to/csr> </path/to/crt> \
  --provisioner x5c \
  --kms 'yubikey:?pin-value=123456' \
  --x5c-cert 'yubikey:slot-id=9a' \
  --x5c-key 'yubikey:slot-id=9a'
```
This feature is amazing.
However, this command is wrong to me: the Yubikey PIN is written to the shell history. I know the 'pin-source' option can be used to store the PIN in a file, but it's still in plain text on my filesystem. Moreover, adding a space at the beginning of the command so it is not stored in the history is not satisfying; one of my admins is going to forget it and their PIN will leak.
Can a "yubikey:?pin-prompt" option be added that allows the user to enter the PIN in a prompt? This way, the Yubikey PIN is not stored anywhere on the filesystem.
Why is this needed?
This option is needed to prevent the KMS secret from being written to shell history and being stolen.
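Added example, not part of this issue and not smallstep's code: a POSIX shell wrapper that prompts for the PIN with terminal echo disabled, writes it to a temp file that only the current user can read, and hands that file to the KMS through the `pin-source` URI option the report mentions, so the PIN never appears on the command line, in shell history or in `ps` output. It assumes `step` is on PATH, the certificate and key live in slot 9a as in the command above, and that `pin-source` takes a file path; the function names `make_pin_source`, `kms_uri_for` and `sign_with_prompt` are hypothetical.

```shell
#!/bin/sh
# Added example (not smallstep's code). Keeps the YubiKey PIN off the command
# line by prompting for it and passing a 0600 file via `pin-source` instead.

# Prompt for the PIN (echo off when stdin is a terminal) and write it to a
# file readable only by the current user. Prints the file path on stdout.
make_pin_source() {
    pin_dir=${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}
    # umask 077 inside the substitution so the file is created as 0600.
    pin_file=$(umask 077 && mktemp "$pin_dir/yubikey-pin.XXXXXX") || return 1
    # stty fails harmlessly when stdin is a pipe rather than a terminal.
    stty -echo 2>/dev/null || true
    printf 'YubiKey PIN: ' >&2
    # Accept input even if the final newline is missing (EOF after the PIN).
    IFS= read -r pin || [ -n "$pin" ] || return 1
    stty echo 2>/dev/null || true
    printf '\n' >&2
    printf '%s' "$pin" > "$pin_file"
    unset pin
    printf '%s\n' "$pin_file"
}

# Build the KMS URI that references the PIN file instead of embedding the PIN.
kms_uri_for() {
    printf 'yubikey:?pin-source=%s\n' "$1"
}

# Sign a CSR with the x5c provisioner; the PIN file is removed when done,
# including on an interrupted run (EXIT trap).
sign_with_prompt() {
    csr=$1
    crt=$2
    pin_file=$(make_pin_source) || return 1
    trap 'rm -f "$pin_file"' EXIT
    step ca sign "$csr" "$crt" \
        --provisioner x5c \
        --kms "$(kms_uri_for "$pin_file")" \
        --x5c-cert 'yubikey:slot-id=9a' \
        --x5c-key 'yubikey:slot-id=9a'
    rc=$?
    rm -f "$pin_file"
    trap - EXIT
    return $rc
}
```

Usage: `sign_with_prompt /path/to/csr /path/to/crt`. The PIN still touches the filesystem for the duration of the `step` call, but only in a 0600 file under `$XDG_RUNTIME_DIR` (normally tmpfs) that is deleted afterwards, which is a much smaller exposure than a persistent plaintext file or a history entry; a native `pin-prompt` option as requested above would remove even that window.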