<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Key Management on</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/</link><description>Recent content in Key Management on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 06 Oct 2020 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/index.xml" rel="self" type="application/rss+xml"/><item><title>Overview</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/overview/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/overview/</guid><description>Sigstore handles keys and key management internally by default. Although the default makes it unnecessary, you can configure Sigstore, through Cosign, to work with KMS providers. This page contains detailed instructions on how to configure cosign to work with KMS providers. Right now cosign supports AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, OpenBao and Kubernetes Secrets, with the hope of supporting more in the future!
Basic Usage: When referring to a key managed by a KMS provider, cosign takes a go-cloud style URI to refer to the specific provider.</description></item><item><title>Signing with Self-Managed Keys</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/signing_with_self-managed_keys/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/signing_with_self-managed_keys/</guid><description>To generate a key pair in Cosign, run cosign generate-key-pair. You'll be interactively prompted to provide a password.
$ cosign generate-key-pair Enter password for private key: Enter again: Private key written to cosign.key Public key written to cosign.pub Alternatively, you can use the COSIGN_PASSWORD environment variable to provide one.
Note: Cosign supports RSA, ECDSA, and ED25519 keys. For RSA, Cosign only supports RSA PKCS#1.5 padded keys.
Key generation and management: To generate keys using a KMS provider, you can use the cosign generate-key-pair command with the --kms flag.</description></item><item><title>Importing Key Pairs</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/import-keypair/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/import-keypair/</guid><description>Importing currently only supports RSA and ECDSA private keys in PEM format.
Import a Key Pair: To use a local key not generated by Cosign for signing, the key must be imported. To use a key stored in a KMS, importing is not necessary and the key can be specified by resource name.
The importing of a key pair with cosign is as follows.
$ cosign import-key-pair --key opensslrsakey.pem Enter password for private key: Enter password for private key again: Private key written to import-cosign.</description></item><item><title>Hardware Tokens</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/hardware-based-tokens/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/key_management/hardware-based-tokens/</guid><description>The cosign command line tool optionally supports hardware tokens for signing and key management. This support is enabled through the PIV protocol and the go-piv library, which is not included in the standard release. Use make cosign-pivkey-pkcs11key, or go build -tags=pivkey,pkcs11key ./cmd/cosign, to build cosign with support for hardware tokens.
Background information: Cosign's hardware token support requires libpcsclite on platforms other than Windows and OSX. See go-piv's installation instructions for your platform.</description></item></channel></rss>