GPG Encrypted Pillars

Salt has support to transparently decrypt GPG-encrypted Pillar data built-in. The decryption happens on the Salt Master during Pillar rendering.

1. Generate GPG keyring for Salt Master

The GPG keyring can be specified in /etc/salt/master or in its own file under /etc/salt/master.d/, for example /etc/salt/master.d/gpg-pillar.conf.

Always create a separate keyring for the Salt Master.

Procedure: Generating key pair

  1. On the Salt Master create GPG home directory and restrict its permissions:

    mkdir /etc/salt/gpgkeys
chmod 700 /etc/salt/gpgkeys

  2. Generate a key pair interactively.

    The password must be empty.

    		 
    gpg --gen-key --homedir /etc/salt/gpgkeys

  3. Salt does not run with root permissions on SUSE Linux Enterprise and openSUSE distributions.

    chown -R salt:salt /etc/salt/gpgkeys

  4. Configure Salt Master to use the new GPG home directory

    echo 'gpg_keydir: /etc/salt/gpgkeys' >/etc/salt/master.d/gpg-pillar.conf
systemctl reload-or-restart salt-master

2. Use GPG for encrypting Pillar secrets

Salt’s GPG renderer decrypts GPG encrypted contents that are ASCII-armored. To use the GPG renderer in a single Pillar YAML file, change

#!jinja|yaml

to

#!jinja|yaml|gpg

To use Salt’s GPG renderer globally, including for Custom System Information, configure Salt Master as follows

cat >/etc/salt/master.d/z-gpg-pillar.conf <<EOF
ext_pillar:
  - gpg: True
EOF

The filename should have a z- prefix to ensure the GPG renderer runs after other configured pillar renderers.

Encrypting pillar secrets can be done anywhere as long as the GPG and the public key generated in Procedure: Generating key pair are available.

In this example, "MLM Salt Master" is the GPG key’s UID created earlier.

echo 't0ps3cr3t' | gpg --armor --batch --encrypt --recipient "MLM Salt Master"

When the GPG encrytped contents are created and available as ASCII-armored output, this output can be used as a multi-line string in a pillar YAML file:

#!yaml|gpg

secret:
  my-secret: |
    -----BEGIN PGP MESSAGE-----

    hQEMA3OrmRaWrqgqAQf/ej8xV+nO3HVbQRCeJgCmt5ZjnogT++HHeFzXymfr1SgT
    XySyAqpIZB2N6MjZXtupO2sCmG6fzqtmnW+vRsZhQG8PAqzRtAekFuVbXzgkigBk
    338yOdyltVBtMONnkHFQ+7EP1tfJnWLCVrJ1I42vGFLZf2AD1xhbjewCcoaK82J4
    f8u9U/dxgV0N6na28WG5m6YU5Reu1Ca37PXHuqA/0XZl65DY63xaMPMDHZEi1wkU
    GXU7OsiL1dO0/sST1Awo5i99kVt/kA6DCGDuxTNpLrauNLOKUbtwcxvavtNZGwdQ
    yI9zWVx8qerWE0aO3M7zVDJftv77faV2ENiqzaadvtJHAZynW4GW7rSuP1RXFzlB
    DOAmzdRuIJwiLC9R2BKu3x+avReQb6xoz7eF7WthC0H0dz4mYakwPlVZ5yqYa/+G
    83i951rqAGI=
    =g+ji
    -----END PGP MESSAGE-----

When the pillar is assigned to a system with top.sls, the GPG encrypted pillar data is available in a decrypted format.

The client’s in-memory cache is only updated on startup or when running execution module functions that trigger a cache refresh such as saltutil.refresh_pillar, pillar.items, or state.apply.

 
MLM-sles15sp1.tf.local:
    ----------
    my-secret:
        t0p s3cr3t!

3. Export the GPG key

To export the GPG key, use the command:

gpg --export 'MLM Salt Master' --homedir /etc/salt/gpgkeys --output MLM-salt-master.gpg

Here 'MLM Salt Master' is the name used during key generation.

The MLM-salt-master.gpg public key can be freely shared.