Setting up a Salt Master with GPG for secure pillar
The Salt Stack pillar typically holds values which are used by Salt States as parameters, such as config file values substituted into jinja templates. The problem is that if you want to store secrets (passwords, API keys, etc.), they will be in plain text in your repository. What would be ideal is if we could keep the secrets secret in the repo, but available to the running salt master.
Salt Stack has the ability to render PGP data, which allows you to encrypt your secrets and keep only the encrypted values in pillar, where they can be safely stored in a repository without giving anything away.
The Salt Master has to have a GnuPG home directory set up with a secret key. The strength of the key affects performance when there are a large number of minions, because every pillar render decrypts the values, so if you have a large number of hosts a 2048-bit key is recommended; otherwise a 4096-bit key can be used.
$ mkdir -p /tmp/gpgkeys
$ chmod 0700 /tmp/gpgkeys
$ cd /tmp/gpgkeys
$ gpg --gen-key --homedir /tmp/gpgkeys
$ gpg --homedir /tmp/gpgkeys --expert --armor --export > salt_pubkey.asc
$ gpg --homedir /tmp/gpgkeys --expert --armor --export-secret-key > salt_seckey.asc
$ cd ../
$ tar czvf gpgkeys.tgz gpgkeys
This creates a tarball containing a GnuPG home directory suitable for use with the salt master. Un-tarring it in /etc/salt/ should result in a /etc/salt/gpgkeys directory. Note that the tarball also contains salt_pubkey.asc and salt_seckey.asc, since both were exported into the gpgkeys directory.
The salt_pubkey.asc file can be distributed to anyone who needs to be able to encrypt secrets. The salt_seckey.asc file should only be accessible to trusted parties who need to be able to decrypt secrets.
Once the gpgkeys directory is in place on the salt master the salt-master service needs to be restarted.
# service salt-master restart
If everything works as it should and you have encrypted data in your pillar, you should see the decrypted values when you look at the pillar values from the master:
# salt '<minion-id-here>' pillar.items
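The page sets up the key and the master but does not show the other half of the workflow: encrypting a secret and placing the armored ciphertext in a pillar file that Salt renders through its gpg renderer. The script below is an added example, not part of the original page or of Salt itself. It generates a throwaway key non-interactively (the page's interactive gpg --gen-key step, done in batch mode), encrypts a secret to it, wraps the result in a #!yaml|gpg pillar file, and decrypts it again to confirm the round trip. The key identity (salt@example.invalid), the pillar key name db_password and the temporary directories are assumptions for the demonstration; on a real master the --homedir would be /etc/salt/gpgkeys.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt a secret for the Salt
# gpg renderer and verify it decrypts. Paths and key identity are assumptions.
set -eu

# Wrap an ASCII-armored ciphertext as a pillar value rendered by "yaml|gpg".
# The armored block is indented as a YAML block scalar (the "|" form); a
# non-indented block would break the YAML and the renderer would not see it.
make_pillar_sls() {  # usage: make_pillar_sls <pillar-key> <armored-file>
  key=$1; armored=$2
  printf '#!yaml|gpg\n\n%s: |\n' "$key"
  sed 's/^/  /' "$armored"
}

# Full round trip with a throwaway GnuPG home: batch key generation,
# encryption of the secret, pillar file creation, decryption. Prints the
# recovered plaintext so the caller can compare it with the input.
gpg_roundtrip() {  # usage: gpg_roundtrip <secret-text>
  secret=$1
  home=$(mktemp -d)
  chmod 0700 "$home"
  # %no-protection gives an unprotected secret key, which is what an
  # unattended salt-master needs in order to decrypt without a passphrase.
  gpg --homedir "$home" --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Salt Master (example)
Name-Email: salt@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
  # printf '%s' avoids a trailing newline ending up inside the secret.
  printf '%s' "$secret" | gpg --homedir "$home" --batch --yes --quiet \
      --trust-model always --armor --encrypt -r salt@example.invalid \
      > "$home/secret.asc"
  # This is the file you would commit to the pillar repository.
  make_pillar_sls db_password "$home/secret.asc" > "$home/secrets.sls"
  # What the master does at render time, using the same homedir.
  gpg --homedir "$home" --batch --quiet --decrypt "$home/secret.asc"
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
}
```

Running gpg_roundtrip 's3cret' prints s3cret; the secrets.sls it writes is the shape the master expects, with #!yaml|gpg on the first line and the armored message indented under db_password: |. On a real master the ciphertext is produced by whoever holds salt_pubkey.asc, while decryption only succeeds in the homedir that holds the secret key, which is why salt '<minion-id>' pillar.items on the master shows plaintext.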