Feature: support using YubiKey PIV for storing keys #517

Open
@hazcod

Description

What would you like to be added

I would love to have some kind of hardware binding to secure the credentials being used by smallstep CLI.
E.g., for the SSH certificate signing, it would be great if we could re-use the SSH credentials on the YubiKey instead of generating one on the filesystem where they can be stolen by a malicious actor.
http://github.com/go-piv/piv-go is a great project to easily set up and access YubiKey PIV keys.
I've posted a YubiKey example here: https://gist.github.com/hazcod/59af44bc4ad88b43e035ba54ed010c81

Why this is needed

Further secure the credentials being generated by step with a hardware binding.

Activity

maraino (Collaborator) commented on Aug 4, 2021

Hi @hazcod, this feature is on our roadmap, and the code blocks are already in place: step-ca has an interface named kms.KeyManager that is implemented with support for YubiKey, PKCS#11 and some popular cloud key managers like AWS's KMS and Google's Cloud KMS.

That interface has methods to create keys in the YubiKey, as well as to read the public key and do sign operations.
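
Added example (not the project's code, and not step-ca's actual kms.KeyManager interface) illustrating why the approach described in the comment above works: x509.CreateCertificate needs only a crypto.Signer, so a KeyManager-style interface can hand out a signer bound to a slot without the private key bytes ever leaving the backend. An in-memory backend stands in for the YubiKey so the program runs without hardware; the interface's method names and signatures, the MemoryKeyManager type and the slot label "9c" are all assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyManager is a hypothetical interface modelled on the capabilities listed in the
// comment above (create a key in a slot, read its public key, sign). Not step-ca's real one.
type KeyManager interface {
	CreateKey(slot string) (crypto.PublicKey, error)
	GetPublicKey(slot string) (crypto.PublicKey, error)
	CreateSigner(slot string) (crypto.Signer, error)
}

// MemoryKeyManager is an in-memory stand-in for a YubiKey PIV backend so the example
// runs without hardware. Callers never get private key bytes, only a crypto.Signer.
type MemoryKeyManager struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewMemoryKeyManager() *MemoryKeyManager {
	return &MemoryKeyManager{keys: map[string]*ecdsa.PrivateKey{}}
}

func (m *MemoryKeyManager) CreateKey(slot string) (crypto.PublicKey, error) {
	if _, exists := m.keys[slot]; exists {
		return nil, fmt.Errorf("slot %q already holds a key", slot)
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	m.keys[slot] = k
	return &k.PublicKey, nil
}

func (m *MemoryKeyManager) GetPublicKey(slot string) (crypto.PublicKey, error) {
	k, ok := m.keys[slot]
	if !ok {
		return nil, fmt.Errorf("slot %q is empty", slot)
	}
	return &k.PublicKey, nil
}

func (m *MemoryKeyManager) CreateSigner(slot string) (crypto.Signer, error) {
	k, ok := m.keys[slot]
	if !ok {
		return nil, fmt.Errorf("slot %q is empty", slot)
	}
	return k, nil // *ecdsa.PrivateKey implements crypto.Signer
}

// CreateRootCA issues a self-signed root certificate. x509.CreateCertificate only needs
// a crypto.Signer, so a hardware-backed key works without its private material on disk.
func CreateRootCA(km KeyManager, slot, commonName string) (*x509.Certificate, error) {
	signer, err := km.CreateSigner(slot)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	km := NewMemoryKeyManager()
	if _, err := km.CreateKey("9c"); err != nil { // "9c" is the PIV signature slot label
		panic(err)
	}
	cert, err := CreateRootCA(km, "9c", "My Root CA")
	if err != nil {
		panic(err)
	}
	fmt.Println("root CA:", cert.Subject.CommonName, "self-signature OK:", cert.CheckSignatureFrom(cert) == nil)
}
```

Swapping MemoryKeyManager for a backend that talks to the PIV applet (for instance via piv-go, mentioned in the issue description) would leave CreateRootCA untouched, which is the point of routing every signing operation through crypto.Signer.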

hazcod (Author) commented on Sep 29, 2021

@maraino FYI I meant the smallstep CLI, not the step-ca.
(not storing the temporary tokens on-disk)

maraino (Collaborator) commented on Sep 29, 2021

@hazcod I meant that we will use the interface that we have in step-ca in the step cli.

baloo commented on Nov 3, 2021

@maraino so the certificate would need to be provided to the pkcs11 provider before being loaded by the ssh-agent. And this is why it needs to rely on the KeyManager here.
Am I reading this correctly?

hongkongkiwi commented on Nov 15, 2021

I also need this functionality; I want to use this command:

step certificate create --profile root-ca --template root.tpl \
  "My Root CA" root_ca.crt "pkcs11:mytoken"

I would expect this to work; instead of specifying files for the key each time, I should be able to specify a PKCS#11 URL instead.
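
Added example, not from this issue or the smallstep code base: a small RFC 7512 "pkcs11:" URI parser in Go, showing what a CLI has to resolve before it can look up a key in a PKCS#11 module. The sample URI, the object name and the module path are constructed for the example (libykcs11.so is the name of Yubico's PKCS#11 module; the directory is assumed). RFC 7512 requires name=value attributes, so the bare form in the comment above, pkcs11:mytoken, is rejected by this parser; the RFC form of that locator would be pkcs11:token=mytoken.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PKCS11URI holds the two attribute groups of an RFC 7512 "pkcs11:" URI:
// path attributes (which token/object) and query attributes (how to reach it).
type PKCS11URI struct {
	Path  map[string]string
	Query map[string]string
}

// parseAttrs splits "name=value" pairs on sep and percent-decodes each value.
// PathUnescape is used for both groups because RFC 7512 does not treat '+' as a space.
func parseAttrs(s, sep string) (map[string]string, error) {
	out := map[string]string{}
	if s == "" {
		return out, nil
	}
	for _, part := range strings.Split(s, sep) {
		name, raw, ok := strings.Cut(part, "=")
		if !ok || name == "" {
			return nil, fmt.Errorf("malformed attribute %q (expected name=value)", part)
		}
		val, err := url.PathUnescape(raw)
		if err != nil {
			return nil, fmt.Errorf("attribute %q: %w", name, err)
		}
		if _, dup := out[name]; dup {
			return nil, fmt.Errorf("duplicate attribute %q", name)
		}
		out[name] = val
	}
	return out, nil
}

// ParsePKCS11URI parses s into its path and query attributes. The scheme is
// case-insensitive; path attributes are ';'-separated, query attributes '&'-separated.
func ParsePKCS11URI(s string) (*PKCS11URI, error) {
	const scheme = "pkcs11:"
	if len(s) < len(scheme) || !strings.EqualFold(s[:len(scheme)], scheme) {
		return nil, errors.New("not a pkcs11: URI")
	}
	pathPart, queryPart, _ := strings.Cut(s[len(scheme):], "?")
	path, err := parseAttrs(pathPart, ";")
	if err != nil {
		return nil, fmt.Errorf("path attributes: %w", err)
	}
	query, err := parseAttrs(queryPart, "&")
	if err != nil {
		return nil, fmt.Errorf("query attributes: %w", err)
	}
	return &PKCS11URI{Path: path, Query: query}, nil
}

// Locator returns a compact description of the key the URI points to, suitable for
// a CLI to log which hardware-backed key it resolved. Only path attributes are used,
// so query attributes such as a PIN never end up in the log line.
func (u *PKCS11URI) Locator() string {
	parts := []string{}
	for _, k := range []string{"token", "object", "type"} {
		if v, ok := u.Path[k]; ok {
			parts = append(parts, k+"="+v)
		}
	}
	if id, ok := u.Path["id"]; ok {
		parts = append(parts, fmt.Sprintf("id=%x", id)) // id is binary; print as hex
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample: a private key on token "mytoken", reached through an assumed
	// module path (libykcs11.so is Yubico's PKCS#11 module; the directory is a guess).
	uri := "pkcs11:token=mytoken;object=root-ca;type=private;id=%01?module-path=/usr/lib/libykcs11.so"
	u, err := ParsePKCS11URI(uri)
	if err != nil {
		panic(err)
	}
	fmt.Println(u.Locator(), "via", u.Query["module-path"])
	// The bare form from the comment above has no name=value pair and is rejected.
	_, err = ParsePKCS11URI("pkcs11:mytoken")
	fmt.Println("pkcs11:mytoken ->", err)
}
```

The parser rejects duplicate attributes and bad percent-escapes rather than silently taking the last value, since an ambiguous locator could otherwise make a CA sign with a different key than the operator intended.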

maraino (Collaborator) commented on Nov 15, 2021

@baloo, @hongkongkiwi we will add support for step certificate create, step certificate sign, and step ca init at some point, but this is not a priority for us right now, and is not a simple task. We will also add support for other commands, but the ones above will come first.

We have provided little programs that you can modify to get this working; the specific one for YubiKey is here. Modifying it to add custom attributes in the subject or even custom extensions should not be that hard.

Unfortunately, that script does not have support for SSH, but that part is not difficult to do, as we now support the required key management slots too. I will accept a PR that modifies that script with an --ssh flag to enable the creation of a key to sign host certificates and another to sign user certificates, as well as --ssh-host-slot and --ssh-user-slot to define the slots where we want to add the keys. You can look at step-pkcs11-init, which shows you how to create a key using the key manager for SSH.

I'll try to add SSH support for that script soon if we don't get a PR first.

And for SSH, once you have an SSH-CA configured, you can sign keys that require a YubiKey too:

$ ssh-keygen -t ecdsa-sk -f ecdsa-sk
$ step ssh certificate mariano ecdsa-sk.pub

To use that certificate with ssh, you will need to have your key connected and tap it.

hongkongkiwi commented on Nov 16, 2021

Thanks for the detailed explanation. As my usage is a bit more generic than YubiKey, I created a separate issue here, #583, to keep it simple.
