From f938a820d01eebfc851efc31e4d7b6252d4ff517 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Wed, 14 Jan 2026 20:39:02 -0600
Subject: [PATCH 1/4] Update --kms flag help

---
 flags/flags.go | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/flags/flags.go b/flags/flags.go
index 95495200f..3073de257 100644
--- a/flags/flags.go
+++ b/flags/flags.go
@@ -469,8 +469,29 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 }
 KMSUri = cli.StringFlag{
- Name: "kms",
- Usage: "The to configure a Cloud KMS or an HSM.",
+ Name: "kms",
+ Usage: `The to configure a Cloud KMS or an HSM.
+ is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials.
+
+: Supported KMS types:
+
+ **YubiKey PIV**
+ : Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+ **PKCS #11**
+ : Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+ **TPM 2.0**
+ : Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+: Examples:
+
+'''
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+'''`,
 }
 AttestationURI = cli.StringFlag{
From 0ee1d82def826aba476a32c0886064316bf0e037 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 15 Jan 2026 08:46:39 -0600
Subject: [PATCH 2/4] Tweaks

---
 flags/flags.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/flags/flags.go b/flags/flags.go
index 3073de257..578ec45cb 100644
--- a/flags/flags.go
+++ b/flags/flags.go
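Review bot: The examples teach inline secrets — `yubikey:pin-value=123456` and `...token=smallstep?pin-value=pass` put the PIN on the command line, where it lands in shell history and in `ps`/`/proc` output readable by other local users, even though the parameter lists in the same hunk name `pin-source` and `management-key-source` as file-backed alternatives. I would make at least one example use the file-backed form and add a caveat after the type list, e.g. `Inline credentials such as **pin-value** and **management-key** are visible in shell history and process listings; prefer **pin-source** / **management-key-source** where the KMS supports them.` The `yubikey:pin-value=123456` example also places a credential in the **;**-separated section that the preceding paragraph says identifies the KMS, while credentials are said to go after `?` (as the pkcs11 example does); if the parser treats both sections alike this still works, but the example contradicts the convention the text just stated and something like `yubikey:serial=...?pin-source=...` would match it. This is the Usage string of a cli.StringFlag inside a var block that starts and ends outside the hunk.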
@@ -485,13 +485,26 @@ parameters identify the KMS, and **&**-separated parameters contain credentials.
 **TPM 2.0**
 : Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+ **Google Cloud KMS**
+ : Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+ **AWS KMS**
+ : Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+ **Azure Key Vault**
+ : Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
 : Examples:
 '''
 yubikey:pin-value=123456
 pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
 tpmkms:name=my-key;device=/dev/tpmrm0
-'''`,
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+'''
+
+ For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.`,
 }
 AttestationURI = cli.StringFlag{
From 53d0f1f34b9d687e6d20c850f3e91afb00fc54b9 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 15 Jan 2026 09:55:32 -0600
Subject: [PATCH 3/4] Update flags/flags.go

Co-authored-by: Herman Slatman
---
 flags/flags.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flags/flags.go b/flags/flags.go
index 578ec45cb..900797e91 100644
--- a/flags/flags.go
+++ b/flags/flags.go
@@ -470,7 +470,7 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 KMSUri = cli.StringFlag{
 Name: "kms",
- Usage: `The to configure a Cloud KMS or an HSM.
+ Usage: `The to configure a (cloud) KMS or an HSM.
 is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
 parameters identify the KMS, and **&**-separated parameters contain credentials.
From 66ae2e4ba3d73a5f4d15eaa8c76cac2c109e39f3 Mon Sep 17 00:00:00 2001
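Review bot: The new `azurekms:client-id=fooo;client-secret=bar;tenant-id=...` example carries `client-secret` in the **;**-separated section, directly under a paragraph (kept as this hunk's header context) stating that section identifies the KMS and that credentials belong in the **&**-separated section after `?`; readers copy examples, so it should follow the rule the text states, e.g. `azurekms:tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE?client-id=foo&client-secret=bar` (assuming the parser honours the split as described), which also fixes the `fooo` typo. Like the earlier examples it embeds a secret on the command line, exposed through shell history and process listings; since the list above names **client-certificate-file** for Azure and **credentials-file** for the other cloud types, at least one cloud example should use a file-backed credential and a one-line note should say why. The `awskms:region=us-east-1` example carries no credential at all, which presumably means the ambient AWS credential chain is used — if so, a short trailing comment saying that would stop readers from assuming the region alone is sufficient configuration. The enclosing Usage string and var block start and end outside the hunk.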
From: Carl Tashian
Date: Thu, 15 Jan 2026 09:55:47 -0600
Subject: [PATCH 4/4] Update flags/flags.go

Co-authored-by: Herman Slatman
---
 flags/flags.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flags/flags.go b/flags/flags.go
index 900797e91..d185e624c 100644
--- a/flags/flags.go
+++ b/flags/flags.go
@@ -472,7 +472,7 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 Name: "kms",
 Usage: `The to configure a (cloud) KMS or an HSM.
 is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
-parameters identify the KMS, and **&**-separated parameters contain credentials.
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
 : Supported KMS types: