Hello 👋, I'm looking for a method to have the password for the intermediate CA key stored and read in securely while starting the small step server. Could you suggest how issues with this method could be solved or suggest a different approach? The path to the password file should not be exposed nor stored in clear anywhere. Thanks for the ideas!
Replies: 1 comment
hi, i managed to sort this out.

now my step-ca instance is running with no mention of a password file in the process list:

```
Main PID: 1116 (start-step-ca.s)
Tasks: 7 (limit: 3509)
Memory: 55.3M
CPU: 2.468s
CGroup: /system.slice/step-ca.service
├─1116 /bin/bash /usr/local/bin/start-step-ca.sh
└─1121 /usr/bin/step-ca --password-file /dev/stdin /etc/step-ca/config/ca.json
```

this has been achieved via bash login script prompting for a password to unlock the GPG keyring and caching it like this:

```bash
export GPG_TTY=$(tty)
sudo -u step gpgconf --launch gpg-agent
# Prompt the user for the passphrase
read -s -p "Enter GPG passphrase: " PASSPHRASE
# Use the passphrase to unlock the GPG keyring
echo "$PASSPHRASE" | sudo -u step /usr/lib/gnupg2/gpg-preset-passphrase --preset
```

subsequently, step-ca is being started with a password retrieved from the password store:

```bash
# Try to retrieve the password directly from gpg
PASSWORD=$(gpg --batch --quiet --decrypt ~/.password-store/step-ca/password.gpg 2>/dev/null)
# Start step-ca
echo "$PASSWORD" | /usr/bin/step-ca --password-file /dev/stdin /etc/step-ca/config/ca.json
```
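The wrapper script in the reply above hands the decrypted password to step-ca on stdin, which is what keeps it out of the process list; what it does not do is handle the case where gpg fails (for example after a reboot, when gpg-agent no longer holds the cached passphrase), in which case step-ca would be started with an empty password. The script below is an added example written for this thread, not the poster's `/usr/local/bin/start-step-ca.sh` and not part of step-ca; the variable names, the `decrypt_password`/`validate_password`/`launch_with_password` functions, the default paths and the `start` argument convention are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the poster's script): start step-ca with a password that
# is decrypted by gpg at launch and handed over on stdin, so that neither the
# password nor a path to a plaintext password file appears in the process
# list. The script refuses to start when decryption fails or yields nothing,
# instead of letting step-ca crash-loop under systemd with an empty password.
set -eu

# Assumed locations; override them via the environment (placeholders, not
# values taken from the original post).
STEP_CA_BIN="${STEP_CA_BIN:-/usr/bin/step-ca}"
STEP_CA_CONFIG="${STEP_CA_CONFIG:-/etc/step-ca/config/ca.json}"
PASSWORD_GPG="${PASSWORD_GPG:-${HOME:-/home/step}/.password-store/step-ca/password.gpg}"

# Decrypt the encrypted password file. Prints the password on success and
# returns gpg's non-zero status when it fails, e.g. because gpg-agent no
# longer holds the cached passphrase after a reboot.
decrypt_password() {
    gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

# Accept only a password that contains something other than whitespace.
validate_password() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Run a command with the password on its stdin. The only thing visible on
# the command line is /dev/stdin; the secret never becomes an argument.
launch_with_password() {
    _pw="$1"
    shift
    printf '%s\n' "$_pw" | "$@"
}

main() {
    if ! _password="$(decrypt_password "$PASSWORD_GPG")" \
        || ! validate_password "$_password"; then
        echo "start-step-ca: could not decrypt the CA password from $PASSWORD_GPG" >&2
        echo "start-step-ca: is the GPG passphrase cached in the step user's gpg-agent?" >&2
        exit 1
    fi
    launch_with_password "$_password" \
        "$STEP_CA_BIN" --password-file /dev/stdin "$STEP_CA_CONFIG"
}

# Only launch when invoked with the 'start' argument (e.g. from systemd's
# ExecStart); without it the file just defines the functions above.
case "${1:-}" in
    start) main ;;
esac
```

Run it as `start-step-ca.sh start` (for example as the unit's `ExecStart`). Two points about the gpg side that the reply leaves implicit: `gpg-preset-passphrase --preset` expects the keygrip of the decryption key as its argument and only works when the step user's `gpg-agent.conf` contains `allow-preset-passphrase`, and a preset entry lives in the agent's memory, so it is gone after the agent is restarted or the host reboots and is still subject to the agent's `max-cache-ttl`. That is why the script fails loudly rather than starting step-ca with whatever gpg returned. The decrypted password does still exist in the wrapper shell's memory for as long as step-ca runs, which is the same exposure as the key material in the step-ca process itself.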