How to prevent passwords from leaking when using Salt pillar data

Article ID: 380125

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

  • During automated server deployment, passwords are made available to the salt-minion via pillar data.
  • However, these passwords can still be accessed after the deployment has completed by running salt-call pillar.data.

Environment

Salt Project

Resolution

There are different approaches to avoid exposing passwords in Salt pillar data:

  1. Use pillar encryption to store the data encrypted; however, decryption is still possible.
  2. Store the data in other databases.
  3. Expose the password in pillar data only to the server concerned, only while that server is in the build phase, and have it removed once the build process has completed.
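
A post-build check for approach 3, as an added example that is not part of the original article or Salt's own code: it parses the JSON printed by `salt-call --out=json pillar.items` on the minion and lists the pillar paths that still hold a password-like key. The key-name pattern, function names and sample data are assumptions constructed for illustration.

```python
import json
import re

# Key names treated as sensitive (assumed heuristic, tune to your pillar layout).
SENSITIVE_KEY = re.compile(r"passw(or)?d|passphrase|secret|token|api_?key", re.I)


def find_sensitive_paths(node, prefix=""):
    """Return colon-delimited pillar paths whose key name looks sensitive.

    Only paths are returned, never values, so the report itself is safe to log.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}:{key}" if prefix else str(key)
            # Empty values count as already removed.
            if SENSITIVE_KEY.search(str(key)) and value not in (None, "", {}, []):
                hits.append(path)
            else:
                hits.extend(find_sensitive_paths(value, path))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_paths(item, f"{prefix}:{index}"))
    return sorted(hits)


def audit_pillar_output(json_text):
    """Audit the text printed by `salt-call --out=json pillar.items`."""
    data = json.loads(json_text)
    # salt-call wraps its result under the "local" key.
    return find_sensitive_paths(data.get("local", data))


# Constructed sample output, not taken from a real minion.
SAMPLE_AFTER_BUILD = json.dumps({
    "local": {
        "build": {"phase": "done", "root_password": "constructed-example"},
        "users": [{"name": "deploy", "password": "constructed-example"}],
        "ntp": {"servers": ["ntp.example.com"]},
        "db": {"admin_password": ""},
    }
})

if __name__ == "__main__":
    for path in audit_pillar_output(SAMPLE_AFTER_BUILD):
        print("still exposed:", path)
```

An empty result after the build phase means no password-like key with a value remains in the pillar data the minion can read.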