GPG Encrypted Pillars
Salt has support to transparently decrypt GPG-encrypted Pillar data built-in. The decryption happens on the Salt Master.
1. Generate GPG keyring for Salt Master
The GPG keyring can be specified in /etc/salt/master
or in its own file under /etc/salt/master.d/
, for example /etc/salt/master.d/gpg-pillar.conf
.
Always create a separate keyring for the Salt Master.
-
On the Salt Master create GPG home directory and restrict its permissions:
mkdir /etc/salt/gpgkeys chmod 700 /etc/salt/gpgkeys
-
Generate a key pair interactively.
The password must be empty.
gpg --gen-key --homedir /etc/salt/gpgkeys
-
Salt does not run with root permissions on SUSE Linux Enterprise and openSUSE distributions.
chown -R salt:salt /etc/salt/gpgkeys
-
Configure Salt Master to use the new GPG home directory
echo 'gpg_keydir: /etc/salt/gpgkeys' >/etc/salt/master.d/gpg-pillar.conf systemctl reload-or-restart salt-master
2. Use GPG for encrypting Pillar secrets
Salt GPG renderer decrypts GPG encrypted contents that are ASCI-armored. To use the GPG renderer in a Pillar YAML file, change
#!yaml
3. to
#!yaml|gpg
Encrypting pillar secrets can be done anywhere as long as the GPG and the public key generated in <<proc-key-pair-generation>> are available. In this example, "SUMA Salt Master" is the GPG key’s UID created earlier.
echo 't0ps3cr3t' | gpg --armor --batch --encrypt --recipient "SUMA Salt Master"
When the GPG encrytped contents are created and available as ASCII-armored output, this output can be used as a multi-line string in a pillar YAML file:
#!yaml|gpg
secret: my-secret: | -----BEGIN PGP MESSAGE-----
hQEMA3OrmRaWrqgqAQf/ej8xV+nO3HVbQRCeJgCmt5ZjnogT++HHeFzXymfr1SgT XySyAqpIZB2N6MjZXtupO2sCmG6fzqtmnW+vRsZhQG8PAqzRtAekFuVbXzgkigBk 338yOdyltVBtMONnkHFQ+7EP1tfJnWLCVrJ1I42vGFLZf2AD1xhbjewCcoaK82J4 f8u9U/dxgV0N6na28WG5m6YU5Reu1Ca37PXHuqA/0XZl65DY63xaMPMDHZEi1wkU GXU7OsiL1dO0/sST1Awo5i99kVt/kA6DCGDuxTNpLrauNLOKUbtwcxvavtNZGwdQ yI9zWVx8qerWE0aO3M7zVDJftv77faV2ENiqzaadvtJHAZynW4GW7rSuP1RXFzlB DOAmzdRuIJwiLC9R2BKu3x+avReQb6xoz7eF7WthC0H0dz4mYakwPlVZ5yqYa/+G 83i951rqAGI= =g+ji -----END PGP MESSAGE-----
When the pillar is assigned to a system with [path]``top.sls``, the GPG encrypted pillar data is available in a decrypted format. [NOTE] ==== The client's in-memory cache is only updated on startup or when running execution module functions that trigger a cache refresh such as [literal]``saltutil.refresh_pillar``, [litaral]``pillar.items``, or [literal]``state.apply``. ====
suma-sles15sp1.tf.local: ---------- my-secret: t0p s3cr3t!
== Export the GPG key To export the GPG key, use the command:
gpg --export 'SUMA Salt Master' --homedir /etc/salt/gpgkeys --output suma-salt-master.gpg
Here 'SUMA Salt Master' is the name used during key generation. The [literal]```suma-salt-master.gpg``` public key can be freely shared. //For more information about GPG, see https://www.gnupg.org/documentation/.