GPG Encrypted Pillars

Salt has support to transparently decrypt GPG-encrypted Pillar data built-in. The decryption happens on the Salt Master.

1. Generate GPG keyring for Salt Master

The GPG keyring can be specified in /etc/salt/master or in its own file under /etc/salt/master.d/, for example /etc/salt/master.d/gpg-pillar.conf.

Always create a separate keyring for the Salt Master.

Procedure: Generating key pair
  1. On the Salt Master create GPG home directory and restrict its permissions:

    mkdir /etc/salt/gpgkeys
    chmod 700 /etc/salt/gpgkeys
  2. Generate a key pair interactively.

    The password must be empty.

    gpg --gen-key --homedir /etc/salt/gpgkeys
  3. Salt does not run with root permissions on SUSE Linux Enterprise and openSUSE distributions.

    chown -R salt:salt /etc/salt/gpgkeys
  4. Configure Salt Master to use the new GPG home directory

    echo 'gpg_keydir: /etc/salt/gpgkeys' >/etc/salt/master.d/gpg-pillar.conf
    systemctl reload-or-restart salt-master

2. Use GPG for encrypting Pillar secrets

Salt GPG renderer decrypts GPG encrypted contents that are ASCI-armored. To use the GPG renderer in a Pillar YAML file, change

#!yaml

to

#!yaml|gpg

Encrypting pillar secrets can be done anywhere as long as the GPG and the public key generated in Procedure: Generating key pair are available.

In this example, "SUMA Salt Master" is the GPG key’s UID created earlier.

echo 't0ps3cr3t' | gpg --armor --batch --encrypt --recipient "SUMA Salt Master"

When the GPG encrytped contents are created and available as ASCII-armored output, this output can be used as a multi-line string in a pillar YAML file:

#!yaml|gpg

secret:
  my-secret: |
    ----BEGIN PGP MESSAGE----

    hQEMA3OrmRaWrqgqAQf/ej8xV+nO3HVbQRCeJgCmt5ZjnogT++HHeFzXymfr1SgT
    XySyAqpIZB2N6MjZXtupO2sCmG6fzqtmnW+vRsZhQG8PAqzRtAekFuVbXzgkigBk
    338yOdyltVBtMONnkHFQ+7EP1tfJnWLCVrJ1I42vGFLZf2AD1xhbjewCcoaK82J4
    f8u9U/dxgV0N6na28WG5m6YU5Reu1Ca37PXHuqA/0XZl65DY63xaMPMDHZEi1wkU
    GXU7OsiL1dO0/sST1Awo5i99kVt/kA6DCGDuxTNpLrauNLOKUbtwcxvavtNZGwdQ
    yI9zWVx8qerWE0aO3M7zVDJftv77faV2ENiqzaadvtJHAZynW4GW7rSuP1RXFzlB
    DOAmzdRuIJwiLC9R2BKu3x+avReQb6xoz7eF7WthC0H0dz4mYakwPlVZ5yqYa/+G
    83i951rqAGI=
    =g+ji
    ----END PGP MESSAGE----

When the pillar is assigned to a system with top.sls, the GPG encrypted pillar data is available in a decrypted format.

The client’s in-memory cache is only updated on startup or when running execution module functions that trigger a cache refresh such as saltutil.refresh_pillar, pillar.items, or state.apply.

suma-sles15sp1.tf.local:
  ----------
    my-secret:
        t0p s3cr3t!

3. Export the GPG key

To export the GPG key, use the command:

gpg --export 'SUMA Salt Master' --homedir /etc/salt/gpgkeys --output suma-salt-master.gpg

Here 'SUMA Salt Master' is the name used during key generation.

The suma-salt-master.gpg public key can be freely shared.