GPG Encrypted Pillars

Salt has built-in support for transparently decrypting GPG-encrypted Pillar data. The decryption happens on the Salt Master.

1. Generate GPG keyring for Salt Master

The location of the GPG keyring is configured in /etc/salt/master or in a separate file under /etc/salt/master.d/, for example /etc/salt/master.d/gpg-pillar.conf.

Always create a separate keyring for the Salt Master.

Procedure: Generating key pair
  1. On the Salt Master, create the GPG home directory and restrict its permissions:

    mkdir /etc/salt/gpgkeys
    chmod 700 /etc/salt/gpgkeys
  2. Generate a key pair interactively.

    The passphrase must be empty; the Salt Master has to decrypt pillar data without a prompt.

    gpg --gen-key --homedir /etc/salt/gpgkeys
  3. Salt does not run with root permissions on SUSE Linux Enterprise and openSUSE distributions, so make the salt user the owner of the keyring:

    chown -R salt:salt /etc/salt/gpgkeys
  4. Configure the Salt Master to use the new GPG home directory and reload it:

    echo 'gpg_keydir: /etc/salt/gpgkeys' >/etc/salt/master.d/gpg-pillar.conf
    systemctl reload-or-restart salt-master
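The four steps of Procedure: Generating key pair as one unattended script. This is an added example, not code from the SUSE Manager or Salt documentation. It uses the paths and the "SUMA Salt Master" UID from this page as defaults; the function names, the GPG_PILLAR_SETUP switch, and the use of a GnuPG batch parameter file (with %no-protection standing in for the empty passphrase of the interactive step) are choices made here.

```sh
#!/bin/sh
# Added example (not from the SUSE Manager or Salt docs): the four steps of
# "Procedure: Generating key pair" as one unattended script. Defaults are the
# paths from the procedure; each can be overridden through the environment.
set -eu

GPG_HOME="${GPG_HOME:-/etc/salt/gpgkeys}"
MASTER_CONF="${MASTER_CONF:-/etc/salt/master.d/gpg-pillar.conf}"
KEY_UID="${KEY_UID:-SUMA Salt Master}"   # UID the page uses as --recipient later
SALT_USER="${SALT_USER:-salt}"

# Step 1: create the keyring directory and restrict it to its owner.
# Prints the permission string (expected: drwx------) so callers can verify it.
prepare_gpg_home() {
    mkdir -p "$1"
    chmod 700 "$1"
    ls -ld "$1" | cut -c1-10
}

# Step 2: GnuPG "unattended key generation" parameters, written to $1 for the
# UID in $2 and echoed back. %no-protection gives the key an empty passphrase,
# which salt-master needs to decrypt pillars without a prompt.
write_gen_params() {
    cat >"$1" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Name-Real: $2
Expire-Date: 0
%commit
EOF
    cat "$1"
}

# $1 = GPG home directory, $2 = parameter file from write_gen_params.
generate_key() {
    gpg --batch --homedir "$1" --gen-key "$2"
}

# Step 3: on SUSE, salt-master runs as the salt user, so it must own the keyring.
own_keyring() {
    chown -R "$2:$2" "$1"
}

# Step 4: point the master at the keyring ($1) by writing the config fragment
# to $2, then echo the resulting line.
write_master_config() {
    printf 'gpg_keydir: %s\n' "$1" >"$2"
    cat "$2"
}

reload_master() {
    systemctl reload-or-restart salt-master
}

main() {
    prepare_gpg_home "$GPG_HOME"
    params="$(mktemp)"
    write_gen_params "$params" "$KEY_UID" >/dev/null
    generate_key "$GPG_HOME" "$params"
    rm -f "$params"
    own_keyring "$GPG_HOME" "$SALT_USER"
    write_master_config "$GPG_HOME" "$MASTER_CONF"
    reload_master
}

# The real setup needs root, gpg and systemd, so it only runs when requested:
#   GPG_PILLAR_SETUP=run sh gpg-pillar-setup.sh
if [ "${GPG_PILLAR_SETUP:-}" = "run" ]; then main; fi
```

Without GPG_PILLAR_SETUP=run the script only defines its functions, so the pure-filesystem steps (directory permissions, parameter file, config fragment) can be exercised against a temporary directory before the script is run as root on the master.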

2. Use GPG for encrypting Pillar secrets

The Salt GPG renderer decrypts GPG-encrypted contents that are ASCII-armored. To use the GPG renderer in a Pillar YAML file, change

Encrypting pillar secrets can be done on any host, as long as GnuPG and the public key generated in Procedure: Generating key pair are available there.

In this example, "SUMA Salt Master" is the UID of the GPG key created earlier.

echo 't0ps3cr3t' | gpg --armor --batch --encrypt --recipient "SUMA Salt Master"

When the GPG-encrypted contents are available as ASCII-armored output, that output can be used as a multi-line string in a pillar YAML file:

  my-secret: |
    -----BEGIN PGP MESSAGE-----

    -----END PGP MESSAGE-----

When the pillar is assigned to a system with top.sls, the GPG-encrypted pillar data is available to that system in decrypted form:

        t0p s3cr3t!

The client's in-memory cache is only updated on startup or when running execution module functions that trigger a cache refresh, such as saltutil.refresh_pillar, pillar.items, or state.apply.

3. Export the GPG key

To export the public key from the Salt Master keyring, use the command:

gpg --export 'SUMA Salt Master' --homedir /etc/salt/gpgkeys --output suma-salt-master.gpg

Here 'SUMA Salt Master' is the name used during key generation.

The suma-salt-master.gpg public key can be freely shared.
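The workstation side of sections 2 and 3 as one script: import the exported suma-salt-master.gpg into a throwaway keyring, encrypt a secret for the "SUMA Salt Master" recipient, and lay the ASCII-armored output out as a YAML block scalar in a pillar file. This is an added example, not code from the SUSE Manager or Salt documentation. The file name secrets.sls, the function names and the GPG_PILLAR_ENCRYPT switch are assumptions made here; the "#!yaml|gpg" first line is Salt's renderer pipeline shebang that enables the gpg renderer, which the page does not show; --trust-model always is a real gpg option used because a freshly imported key is not yet trusted and --batch would otherwise refuse to encrypt to it.

```sh
#!/bin/sh
# Added example (not from the SUSE Manager or Salt docs): encrypt a pillar
# secret on a workstation with the master's exported public key and write
# it into a pillar file in the shape shown on the page.
set -eu

PUBKEY_FILE="${PUBKEY_FILE:-suma-salt-master.gpg}"   # output of "gpg --export" on the master
RECIPIENT="${RECIPIENT:-SUMA Salt Master}"           # UID chosen during key generation

# Import the master's public key into a dedicated keyring ($1) so the user's
# own keyring is not touched. $2 = exported public key file.
import_master_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --import "$2"
}

# Encrypt stdin for the master. Output is ASCII-armored, which the Salt GPG
# renderer requires. $1 = keyring dir, $2 = recipient UID.
encrypt_for_master() {
    gpg --homedir "$1" --armor --batch --encrypt --trust-model always --recipient "$2"
}

# Turn an armored message on stdin into a pillar entry "$1: |" with every
# line indented by four spaces, as YAML requires for a block scalar nested
# under a key. Refuses input that is not an ASCII-armored PGP message, so a
# gpg failure upstream cannot produce a pillar file with an empty secret.
render_pillar_entry() {
    armored="$(cat)"
    case "$armored" in
        "-----BEGIN PGP MESSAGE-----"*"-----END PGP MESSAGE-----") ;;
        *) echo "render_pillar_entry: input is not an ASCII-armored PGP message" >&2; return 1 ;;
    esac
    printf '%s: |\n' "$1"
    printf '%s\n' "$armored" | sed 's/^/    /'
}

# Assemble the whole pillar file ($1): the Salt renderer shebang that routes
# the file through yaml and then gpg, followed by one entry for key $2.
# The armored message is read from stdin; the finished file is echoed back.
write_pillar_file() {
    { printf '#!yaml|gpg\n'; render_pillar_entry "$2"; } >"$1"
    cat "$1"
}

main() {
    keyring="$(mktemp -d)"
    import_master_key "$keyring" "$PUBKEY_FILE"
    printf '%s' 't0ps3cr3t' | encrypt_for_master "$keyring" "$RECIPIENT" \
        | write_pillar_file secrets.sls my-secret
    rm -rf "$keyring"
}

# The gpg steps need the exported key file present, so they only run on request:
#   GPG_PILLAR_ENCRYPT=run sh encrypt-pillar.sh
if [ "${GPG_PILLAR_ENCRYPT:-}" = "run" ]; then main; fi
```

Copy the resulting secrets.sls to the master's pillar tree and assign it in top.sls. Because of the cache behaviour noted above, a minion that was already running shows the new value only after a refresh, for example `salt-call saltutil.refresh_pillar` followed by `salt-call pillar.get my-secret`; if the value comes back as the armored block instead of the plaintext, the master could not decrypt it (wrong gpg_keydir, keyring not owned by the salt user, or a non-empty passphrase on the key).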