Saltmaster - Pillar encryption with gpg
Encrypted pillars are useful if you want to back up your Salt configuration without any of the passwords in it being leaked.
So let's get started!
Generate the keys on saltmaster
# mkdir -p /etc/salt/gpgkeys
# chmod 0700 /etc/salt/gpgkeys
# gpg --gen-key --homedir /etc/salt/gpgkeys
Name the key after the hostname (i.e. saltmaster). You will need that name again later.
Important if the salt master does not run as root!
# chown salt:salt /etc/salt/gpgkeys
# chown salt:salt -R /etc/salt/gpgkeys/*
You can export the private key for backup if you want:
# gpg --homedir /etc/salt/gpgkeys --export-secret-keys --armor > exported_private.key
Now export the public key:
# gpg --homedir /etc/salt/gpgkeys --armor --export > /etc/salt/gpgkeys/exported_pubkey.gpg
Reimport the public key:
# gpg --import /etc/salt/gpgkeys/exported_pubkey.gpg
This is how you should encrypt passwords or other secret data:
# echo -n 'secretPassword' | gpg --armor --batch --trust-model always --encrypt -r "saltmaster"
And this is how file contents should be encrypted:
# cat someSecurePrivate.key | gpg --armor --encrypt -r "saltmaster"
In the pillar sls file you have to add the following line at the top:
#!yaml|gpg
Then you have to add the PGP output to the pillar file:
super-secret-password: |
  -----BEGIN PGP MESSAGE-----
  ...
  -----END PGP MESSAGE-----
You can check if it is working:
salt 'saltmaster' pillar.items
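As an added example (my own helper, not code from the original post or from Salt), a small Python script that renders gpg --armor output into the indented YAML block scalar the pillar needs, and audits a pillar sls for a missing #!yaml|gpg header, a value left in cleartext, or an armor block pasted without indentation. Function names are assumptions, the sample armor is a constructed placeholder, and only flat top-level keys are handled.

```python
import re

# The renderer line the page puts at the top of an encrypted pillar sls.
PILLAR_HEADER = "#!yaml|gpg"
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"
# Constructed stand-in for `gpg --armor --encrypt` output; not a real ciphertext.
SAMPLE_ARMOR = """-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkAQf/ThisIsNotARealCiphertextJustAPlaceholder
=iPfq
-----END PGP MESSAGE-----"""

def pillar_entry(key, armored, indent=2):
    """Render gpg --armor output as a YAML literal block scalar under `key`.
    Each armor line must be indented below the `|`, or it is not part of the value."""
    lines = armored.strip().splitlines()
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an ASCII-armored PGP message")
    pad = " " * indent
    return f"{key}: |\n" + "\n".join(pad + line for line in lines) + "\n"

def audit_pillar(text):
    """List problems in a gpg pillar sls: missing renderer header, a top-level
    value kept in cleartext, or a block that is not a complete PGP armor."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != PILLAR_HEADER:
        problems.append(f"first line is not {PILLAR_HEADER}")
    i = 0
    while i < len(lines):
        m = re.match(r"^([A-Za-z0-9_.-]+):\s*(.*)$", lines[i])
        if not m:                      # comment, armor line or nested content
            i += 1
            continue
        key, value = m.group(1), m.group(2).strip()
        if value in ("|", "|-"):       # literal block: collect indented lines
            block, i = [], i + 1
            while i < len(lines) and (lines[i].startswith(" ") or not lines[i].strip()):
                block.append(lines[i].strip())
                i += 1
            block = [b for b in block if b]
            if not block or block[0] != ARMOR_BEGIN or block[-1] != ARMOR_END:
                problems.append(f"{key}: block is not a complete PGP armor")
            continue
        if value:                      # plain scalar: the secret is readable
            problems.append(f"{key}: value stored in cleartext")
        i += 1
    return problems
```

Run audit_pillar over every sls under the gpg renderer before committing it to a backup; an empty list means nothing readable slipped in.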