Configure GPG rendering in SaltStack for use with Pillar

Steps to configure a salt-master to use the GPG renderer so that secrets can be stored encrypted in Pillar.

1. Create a directory to store the GPG keys for the salt-master:
mkdir -p /etc/salt/gpgkeys
2. Change the permissions on this directory:
chmod 0700 /etc/salt/gpgkeys
3. Start the GPG agent:
gpg-agent --homedir=/etc/salt/gpgkeys/ --daemon
4. Generate entropy; a virtual machine typically does not have enough entropy for key generation:
salt-call pkg.install rng-tools
rngd -r /dev/urandom
5. Generate a set of GPG keys:
gpg --gen-key --homedir /etc/salt/gpgkeys
Follow the prompts:
a. 1 RSA and RSA
b. Keysize: 1024
c. 0 key does not expire
d. Real name: saltmaster
e. Email address: saltmaster@example.com
f. Comment: leave blank
g. Do not enter a passphrase: press Enter a couple of times to accept the empty passphrase.
The keys are then generated.
6. Verify the keys are generated:
gpg --homedir /etc/salt/gpgkeys --list-keys
7. Export the public key:
gpg --homedir /etc/salt/gpgkeys --armor --export saltmaster > /etc/salt/gpgkeys/exported_pubkey.gpg
8. Update the master.conf file so the GPG renderer knows where the keys are:
gpg_keydir: /etc/salt/gpgkeys

Deploy the GPG keys to the other masters.
1. Copy the exported_pubkey.gpg, pubring.gpg and the secring.gpg to each master.
2. Create a folder /etc/salt/gpgkeys
3. Make sure the owner of the keys is root: chown root *.gpg
4. Copy the keys to /etc/salt/gpgkeys
5. Set the correct permissions on the gpgkeys folder: chmod 0700 gpgkeys
6. Import the public key by running: gpg --import /etc/salt/gpgkeys/exported_pubkey.gpg
7. Test by running this command: gpg --homedir /etc/salt/gpgkeys --list-keys
The result should be like this:
/etc/salt/gpgkeys//pubring.gpg
------------------------------
pub 1024R/9399F6EB 2019-01-08
uid saltmaster <saltmaster@test.com>
sub 1024R/694DEB61 2019-01-08
8. To encrypt a secret using the saltmaster key, you can run: echo -n "super_secret_server_stuff" | gpg --armor --batch --trust-model always --encrypt -r saltmaster
The result should be like this:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (GNU/Linux)
hIwDvWcwx2lN62EBBADvhZIJZav92Dk97JvyLIZaOd3Q6kxDmcY1Qv0uu9QTlurc
sjYLtTKAEVwcMF858iWsQQvswMEtacto5CiJJ2xQ767/zom3Whh72ksXpte30MVO
ObS1r/IyDmbbHkVL9YJ/9VAdJeVdsTTOkkIl96xPIr4Ur9SDB2tWQBNut8Y6/tJQ
ASmAFutbAEn0oGJlSqScdoDS/bsZQqNqZMZhHAKVoF+iCLtDL/Bc/Kv9SAe57cdq
Jpi4MXG9IE+7J86amxXiF1H+MdKXzspmTdhbXkUKZWg=
=sHjL
-----END PGP MESSAGE-----
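
The encrypted block above is what goes into a pillar file, and the step the article stops short of is putting it there. The following Python is an added example, not code from the article or from SaltStack. It assumes the `#!yaml|gpg` renderer shebang that selects the GPG renderer for a pillar SLS and the gpg_keydir setting configured earlier; the ciphertext bytes it wraps are constructed stand-ins, not output of a real gpg --encrypt run. It implements the OpenPGP armor CRC-24 so it can tell whether a pasted block is intact (a wrapped or truncated line is the usual reason a master fails to decrypt a value), writes each secret as a YAML literal block scalar so the armor keeps its line breaks, and checks the result before it is handed to a master.

```python
"""Assemble a pillar SLS that the Salt gpg renderer can decrypt.

Added example, not code from the original article. It assumes only the
`#!yaml|gpg` renderer shebang and the gpg_keydir setting shown above; the
ciphertext bytes are constructed, not output of a real gpg --encrypt run.
"""
import base64

# OpenPGP radix-64 CRC-24 (RFC 4880 section 6.1), the "=xxxx" armor trailer
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """Return the 24-bit checksum GnuPG writes as the '=xxxx' armor trailer."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(ciphertext: bytes) -> str:
    """Wrap raw bytes in an ASCII-armored PGP MESSAGE, as `gpg --armor` does."""
    body = base64.b64encode(ciphertext).decode()
    data_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(ciphertext).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + data_lines + [crc_line, END])


def verify_armor(block: str) -> bool:
    """True if the block has both markers, valid base64 and a matching CRC."""
    lines = block.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    body = lines[1:-1]
    if "" in body:                       # skip "Version: ..." armor headers
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        return False
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        crc = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:                   # binascii.Error is a ValueError
        return False
    return crc == crc24(data)


def render_pillar_sls(secrets: dict) -> str:
    """Emit the SLS: gpg renderer shebang, then each secret as a YAML literal
    block scalar so the armored lines keep their exact line breaks."""
    out = ["#!yaml|gpg", ""]
    for key, armored in secrets.items():
        out.append(f"{key}: |")
        out.extend(("  " + line).rstrip() for line in armored.splitlines())
    return "\n".join(out) + "\n"


def armored_blocks(sls_text: str) -> list:
    """Pull every armored message out of a pillar file, dedented, which is the
    text the gpg renderer passes to gpg --decrypt for each value."""
    blocks, current = [], None
    for line in sls_text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN:
            current = [stripped]
        elif current is not None:
            current.append(stripped)
            if stripped == END:
                blocks.append("\n".join(current))
                current = None
    return blocks


def validate_pillar(sls_text: str) -> dict:
    """Report what must hold before a master can decrypt this file: the
    shebang selects the gpg renderer and every pasted block is intact."""
    blocks = armored_blocks(sls_text)
    return {
        "gpg_renderer_selected": sls_text.startswith("#!yaml|gpg"),
        "blocks": len(blocks),
        "intact": sum(verify_armor(b) for b in blocks),
    }


# Constructed stand-ins for gpg --encrypt output (not real OpenPGP packets)
SAMPLE_SECRETS = {
    "db_password": armor(bytes(range(80))),
    "api_token": armor(b"\xc1\x02" * 30),
}

if __name__ == "__main__":
    sls = render_pillar_sls(SAMPLE_SECRETS)
    print(sls)
    print(validate_pillar(sls))
```

In practice the armored text comes from the gpg --encrypt command in step 8 and is pasted, indented, under its pillar key; on each master the renderer decrypts every such block with the private key in gpg_keydir and substitutes the plaintext before the pillar reaches the minion. Running validate_pillar over the SLS before committing it catches the two mistakes that show up as decryption failures on the master: a missing or mistyped shebang, and a block whose lines were rewrapped or cut when they were copied.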

NOTE: If you run these steps on the same machine more than once, there may be a collision between duplicate GPG keys, and decrypting the secrets may then fail.
In this case, you may want to remove the file /root/.gnupg/pubring.gpg and re-import the exported public key.
