How to use GPG encrypted YAML in your Salt configuration

Article ID: 390800

Updated On: 03-13-2025

Products

VMware Aria Suite

Issue/Introduction

Some integrations with Salt, like GitFS, require storing sensitive secret data as part of the Salt master configuration so that the Salt master can access those resources. These secrets should be stored and retrieved securely: keeping plaintext credentials in the master configuration poses a security risk. To mitigate this, Salt provides SDB, a mechanism for retrieving secrets securely. Multiple SDB integrations are available, but this example uses GPG-encrypted YAML. See the SaltProject SDB documentation for more information (see the link in Additional Information). This guide provides a step-by-step process to encrypt the Git password and integrate it into Salt's configuration.

Environment

Aria Config - all versions

Tanzu Salt - all versions

SaltProject - all versions

Resolution

  1. Install dependencies
    1. Install GnuPG and rng-tools
      1. sudo yum install -y gnupg rng-tools
    2. Start RNG daemon
      1. sudo systemctl start rngd
      2. sudo systemctl enable rngd
  2. Create a phrase-less key for the Salt master
    1. If a passphrase-less key is not used, the passphrase will need to be entered each time the Salt master is started
    2. Create GPG directory
      1. We'll store the GPG keyring under the Salt master configuration directory to help ensure it is accessible by the Salt master
      2. sudo mkdir -p /etc/salt/pki/gpg
      3. sudo chown -R $(whoami):$(whoami) /etc/salt/pki/gpg
      4. sudo chmod 700 /etc/salt/pki/gpg
    3. Create the key
      1. gpg --homedir=/etc/salt/pki/gpg --gen-key
      2. Choose RSA key
      3. key size 2048
      4. Key should not expire
      5. Put "Salt Master" for real name
      6. Leave email address blank
      7. No passphrase
    4. Find the GPG key ID
      1. Run the following command to list keys in your keyring and identify the <key_id>:
        1. gpg --homedir=/etc/salt/pki/gpg --list-keys
        2. On the line beginning with pub, look for the string after the algorithm (e.g., rsa2048/1234ABCD), where 1234ABCD is your <key_id>.
    5. Export the GPG Key
      1. gpg --homedir=/etc/salt/pki/gpg --armor --export <key_id> > /etc/salt/pki/gpg/public.key
      2. gpg --homedir=/etc/salt/pki/gpg --armor --export-secret-key <key_id> > /etc/salt/pki/gpg/private.key
    6. Encrypt the Git password
      1. echo -n "my_git_password" | gpg --homedir=/etc/salt/pki/gpg --armor --encrypt -r <key_id>
      2. The -n flag keeps a trailing newline out of the encrypted value. Copy the complete armored output, from -----BEGIN PGP MESSAGE----- to -----END PGP MESSAGE-----, for the next step.
    7. Store Encrypted Password in YAML
      1. Use the example content below to create a git_secrets.yaml file
        1. git_password:
             gpg: |
               -----BEGIN PGP MESSAGE-----
               <encrypted_password_here>
               -----END PGP MESSAGE-----
        2. This file can live in any secure directory accessible by the Salt master; it is not a direct part of the Salt master configuration. Restrict its permissions so that only the user the Salt master runs as can read it.
    8. Configure the SDB backend in the Salt master configuration. This stanza is best placed alongside the GitFS configuration, but it can go in any file with a .conf extension under the /etc/salt/master.d directory
      1. sdb:
          gpg:
            gpg_keydir: /etc/salt/pki/gpg
            gpg_keyname: <key_id>
            gpg_decrypt: true
    9. Configure GitFS to Use the Encrypted Password
      1. gitfs_remotes:
          - https://your.git.repo/url:
            - user: your_git_user
            - password: sdb://git_password  # This is the important bit here to get your configuration to read from SDB
    10. Restart the Salt master

Assuming the Salt master starts successfully, you now have a GPG encrypted secret that is retrievable by the Salt master.
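The procedure above, collected into one non-interactive script as an added example (it is not code from this article or from the Salt project). It wraps each manual step in a POSIX shell function, generates the key in gpg batch mode instead of answering the interactive prompts, renders git_secrets.yaml and the SDB stanza, and finishes with a check that the secrets file holds a PGP message and no plaintext password. The working directory, the key parameters and the sample password "my_git_password" are assumptions; the demo runs in a throwaway directory and never touches /etc/salt.

```shell
#!/bin/sh
# Added example, not code from the KB article or from the Salt project: the
# article's manual steps wrapped into non-interactive POSIX shell functions.
# The working directory, key parameters and the sample password
# "my_git_password" are assumptions / constructed values.
set -eu

# Step 2.2: create the GPG home directory with the 0700 mode the article uses.
make_gpg_home() {
    mkdir -p "$1"
    chmod 700 "$1"
}

# Check that a directory is owner-only (drwx------); a trailing "+" or "." from
# ACL/SELinux labels on some systems is tolerated by the glob.
is_owner_only() {
    case "$(ls -ld "$1")" in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 2.3: generate the passphrase-less, non-expiring RSA-2048 key in gpg
# batch mode (gpg >= 2.1), mirroring the interactive answers in the article.
gen_salt_master_key() {
    gpg --homedir "$1" --batch --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Salt Master
Expire-Date: 0
%commit
EOF
}

# Step 2.4: print the long key id of the first public key in the keyring
# (field 5 of gpg's machine-readable --with-colons output).
first_key_id() {
    gpg --homedir "$1" --list-keys --with-colons | awk -F: '/^pub/ { print $5; exit }'
}

# Step 2.6: encrypt stdin for the given key id, ASCII-armored.
encrypt_for_key() {
    gpg --homedir "$1" --armor --encrypt -r "$2"
}

# Step 2.7: render git_secrets.yaml. Every line of the armored message is
# indented under the "gpg: |" block scalar so YAML keeps it verbatim.
render_git_secrets_yaml() {
    printf 'git_password:\n  gpg: |\n'
    printf '%s\n' "$1" | sed 's/^/    /'
}

# Step 2.8: render the SDB stanza for a /etc/salt/master.d/*.conf file.
render_sdb_conf() {
    printf 'sdb:\n  gpg:\n    gpg_keydir: %s\n    gpg_keyname: %s\n    gpg_decrypt: true\n' "$1" "$2"
}

# Defender's check before restarting the master: the secrets file must carry a
# PGP message and must not contain the plaintext secret anywhere.
secrets_file_is_encrypted() {
    grep -q -- '-----BEGIN PGP MESSAGE-----' "$1" || return 1
    grep -qF -- "$2" "$1" && return 1
    return 0
}

# End-to-end run in a throwaway directory (never touches /etc/salt). Invoke as
# "sh this_script.sh demo". Falls back to a constructed armored message when
# gpg is not installed so the rendering and the check still run.
demo() {
    workdir=$(mktemp -d)
    make_gpg_home "$workdir/gpg"
    is_owner_only "$workdir/gpg"
    if command -v gpg >/dev/null 2>&1; then
        gen_salt_master_key "$workdir/gpg" 2>/dev/null
        keyid=$(first_key_id "$workdir/gpg")
        msg=$(printf '%s' my_git_password | encrypt_for_key "$workdir/gpg" "$keyid")
    else
        keyid=1234ABCD   # placeholder key id, as in the article
        msg='-----BEGIN PGP MESSAGE-----

hQEMAconstructedCiphertextNotReal
=abcd
-----END PGP MESSAGE-----'
    fi
    render_git_secrets_yaml "$msg" > "$workdir/git_secrets.yaml"
    render_sdb_conf "$workdir/gpg" "$keyid" > "$workdir/sdb.conf"
    secrets_file_is_encrypted "$workdir/git_secrets.yaml" my_git_password
    cat "$workdir/git_secrets.yaml" "$workdir/sdb.conf"
    rm -rf "$workdir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh script.sh demo` to see the rendered YAML and SDB stanza. For a real deployment, point `make_gpg_home` at /etc/salt/pki/gpg as the article does, write the rendered files into place, and keep the `secrets_file_is_encrypted` check as a pre-restart guard so a plaintext password never reaches the master's configuration directory.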

Additional Information