Add option to require HSM pin on step-ca startup.

[kism]

What would you like to be added

I'd like to have the option to not have the HSM pin stored in a configuration file, but instead be required to be entered manually by an operator each time the CA is started.

Why this is needed

Having HSM pins sitting on the file system weakens the security in cases of hardware being stolen.

In theory if the PIN is not known then stealing a server and HSM will be useless to an attacker.

In cases where step-ca is running as a service my idea is:

1. step-ca program starts up but stalls, prompting for a pin
2. The user enters the pin if they are running step-ca interactively, if they are running step-ca as a service there could be a command to send the pin to step-ca (see EJBCA's bin/ejbca.sh ca activateca)
3. step-ca uses the pin to access the pin and continues as per normal
4. HSM pin is not logged anywhere

[maraino]

@kims We will add a prompt the first time this is required, probably at the start of the server, in the same way, the password for the intermediate key works.

Just for curiosity, did the solution with named pipes (mkfifo) worked?

[kism]

I did some research about named pipes as they are not in my Linux knowledge, I haven't had time to give anything a go yet though.

[jeetb2022]

Hello @kism, is this issue still relevant? I would like to work on it. Will you please assign it to me

Question : Are we trying to do something similar to a passkey for ssh terminal access?