GPG Encrypted Pillars

Salt has support to transparently decrypt GPG-encrypted Pillar data built-in. The decryption happens on the Salt Master.

1. Generate GPG keyring for Salt Master

The GPG keyring can be specified in /etc/salt/master or in its own file under /etc/salt/master.d/, for example /etc/salt/master.d/gpg-pillar.conf.

Always create a separate keyring for the Salt Master.

Procedure: Generating key pair
  1. On the Salt Master create GPG home directory and restrict its permissions:

    mkdir /etc/salt/gpgkeys
    chmod 700 /etc/salt/gpgkeys
  2. Generate a key pair interactively.

    The password must be empty.

    gpg --gen-key --homedir /etc/salt/gpgkeys
  3. Salt does not run with root permissions on SUSE Linux Enterprise and openSUSE distributions.

    chown -R salt:salt /etc/salt/gpgkeys
  4. Configure Salt Master to use the new GPG home directory

    echo 'gpg_keydir: /etc/salt/gpgkeys' >/etc/salt/master.d/gpg-pillar.conf
    systemctl reload-or-restart salt-master

2. Use GPG for encrypting Pillar secrets

Salt GPG renderer decrypts GPG encrypted contents that are ASCI-armored. To use the GPG renderer in a Pillar YAML file, change

#!yaml

3. to

#!yaml|gpg

Encrypting pillar secrets can be done anywhere as long as the GPG and the public key generated in <<proc-key-pair-generation>> are available.

In this example, "SUMA Salt Master" is the GPG key’s UID created earlier.

echo 't0ps3cr3t' | gpg --armor --batch --encrypt --recipient "SUMA Salt Master"

When the GPG encrytped contents are created and available as ASCII-armored output, this output can be used as a multi-line string in a pillar YAML file:

#!yaml|gpg

secret: my-secret: | -----BEGIN PGP MESSAGE-----

hQEMA3OrmRaWrqgqAQf/ej8xV+nO3HVbQRCeJgCmt5ZjnogT++HHeFzXymfr1SgT
XySyAqpIZB2N6MjZXtupO2sCmG6fzqtmnW+vRsZhQG8PAqzRtAekFuVbXzgkigBk
338yOdyltVBtMONnkHFQ+7EP1tfJnWLCVrJ1I42vGFLZf2AD1xhbjewCcoaK82J4
f8u9U/dxgV0N6na28WG5m6YU5Reu1Ca37PXHuqA/0XZl65DY63xaMPMDHZEi1wkU
GXU7OsiL1dO0/sST1Awo5i99kVt/kA6DCGDuxTNpLrauNLOKUbtwcxvavtNZGwdQ
yI9zWVx8qerWE0aO3M7zVDJftv77faV2ENiqzaadvtJHAZynW4GW7rSuP1RXFzlB
DOAmzdRuIJwiLC9R2BKu3x+avReQb6xoz7eF7WthC0H0dz4mYakwPlVZ5yqYa/+G
83i951rqAGI=
=g+ji
-----END PGP MESSAGE-----
When the pillar is assigned to a system with [path]``top.sls``, the GPG encrypted pillar data is available in a decrypted format.


[NOTE]
====
The client's in-memory cache is only updated on startup or when running execution module functions that trigger a cache refresh such as [literal]``saltutil.refresh_pillar``, [litaral]``pillar.items``, or [literal]``state.apply``.
====

suma-sles15sp1.tf.local: ---------- my-secret: t0p s3cr3t!

== Export the GPG key

To export the GPG key, use the command:

gpg --export 'SUMA Salt Master' --homedir /etc/salt/gpgkeys --output suma-salt-master.gpg

Here 'SUMA Salt Master' is the name used during key generation.

The [literal]```suma-salt-master.gpg``` public key can be freely shared.

//For more information about GPG, see https://www.gnupg.org/documentation/.