How to use GPG encrypted YAML in your Salt configuration
Article ID: 390800

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Some integrations with Salt, such as GitFS, require storing sensitive secret data as part of the Salt master configuration so that the Salt master can access those resources. These secrets should be stored and retrieved securely, because plaintext credentials in the configuration are a security risk. To mitigate this, Salt provides SDB, a mechanism for retrieving secrets securely. Several SDB backends are available; this example uses GPG-encrypted YAML. See the SaltProject SDB documentation for more information (link in Additional Information). This guide provides a step-by-step process to encrypt the Git password and integrate it into the Salt master configuration.

Environment

Aria Config - all versions

Tanzu Salt - all versions

SaltProject - all versions

Resolution

  1. Install dependencies.
    1. Install GnuPG and rng-tools:
      sudo yum install -y gnupg rng-tools
    2. Start RNG daemon:
      sudo systemctl start rngd
      sudo systemctl enable rngd
  2. Create a passphrase-less key for the Salt master.
    1. If a passphrase-less key is not used, the passphrase will need to be entered each time the Salt master is started.
    2. Create GPG directory.

      We'll store the GPG keyring under the Salt master configuration directory to help ensure it is accessible by the Salt master.

      sudo mkdir -p /etc/salt/pki/gpg
      sudo chown -R $(whoami):$(whoami) /etc/salt/pki/gpg
      sudo chmod 700 /etc/salt/pki/gpg
    3. Create the key.
      gpg --homedir=/etc/salt/pki/gpg --gen-key
      • Choose RSA key
      • Key size 2048
      • Key should not expire
      • Put "Salt Master" for real name
      • Leave email address blank
      • No passphrase
    4. Find the GPG key ID.

      Run the following command to list keys in your keyring and identify the <key_id>:

      gpg --homedir=/etc/salt/pki/gpg --list-keys

      Look for the string after pub (e.g., rsa2048/1234ABCD) where 1234ABCD is your <key_id>.

    5. Export the GPG Key.
      gpg --homedir=/etc/salt/pki/gpg --armor --export <key_id> > /etc/salt/pki/gpg/public.key
      gpg --homedir=/etc/salt/pki/gpg --armor --export-secret-key <key_id> > /etc/salt/pki/gpg/private.key
    6. Encrypt the Git password.
      echo -n "my_git_password" | gpg --homedir=/etc/salt/pki/gpg --armor --encrypt -r <key_id>
    7. Store Encrypted Password in YAML.

      Use the example content below to create a git_secrets.yaml file.

      git_password:
        gpg: |
          -----BEGIN PGP MESSAGE-----
          <encrypted_password_here>
          -----END PGP MESSAGE-----

      This file can live in any secure directory accessible by the Salt master. It is not a direct part of the Salt master configuration.

    8. Configure the GPG key integration in the Salt master configuration.

      This info is probably best placed near the GitFS configuration, but can be placed in any file ending with a .conf file extension under the /etc/salt/master.d directory.

      gpg_keydir: /etc/salt/pki/gpg
      gpg_keyname: <key_id>
      gpg_decrypt: true
    9. Update the Salt master configuration to point to the new GPG encrypted data.

      Add a configuration section similar to the following:

      gpg_keydir: /etc/salt/pki/gpg
      gpg_keyname: <key_id>

      local-crypt: # Can be named anything the user wants, but is how the backend will be referenced
        driver: yaml
        files:
          - /srv/sdb/testing.yaml
          - /srv/sdb/git_secrets.yaml
        gpg: True
    10. Configure GitFS to Use the Encrypted Password.
      gitfs_remotes:
        - https://your.git.repo/url:
          - user: your_git_user
          - password: sdb://local-crypt/git_password  # Ensure this references the SDB profile defined in the previous step
    11. Fully stop and then start the Salt master to ensure the new configuration is loaded.
      sudo systemctl stop salt-master
      sudo systemctl start salt-master
    12. Verify the backend operation.

      Run the following sample command to test the backend and verify that things are operating as expected:

      salt-run -l debug sdb.get 'sdb://local-crypt/git_password'

Assuming the Salt master starts successfully, you now have a GPG-encrypted secret that is retrievable by the Salt master.
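As an added pre-flight check (not part of this article or of Salt itself), the following shell functions verify the pieces set up above before the master is restarted: the keyring directory mode, the armored block in git_secrets.yaml, the gpg_keydir line in the master.d file, and (when gpg is installed) a trial decryption with the passphrase-less key. Paths are passed in as arguments; the defaults in the article (/etc/salt/pki/gpg and git_secrets.yaml) are assumed only in the comments.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a GPG-backed SDB profile. Run as the user that
# owns the keyring (e.g. /etc/salt/pki/gpg) before restarting salt-master.

# Return 0 if DIR exists and is mode 700; GnuPG warns on unsafe homedirs
# and the private key lives here, so anything wider is a finding.
check_keydir_mode() {
  local dir="$1"
  [ -d "$dir" ] || return 1
  [ "$(stat -c %a "$dir")" = "700" ]
}

# Return 0 if FILE holds a top-level YAML key and exactly one armored
# PGP message (a stray second block usually means a paste error).
check_sdb_yaml() {
  local file="$1" begins ends
  [ -f "$file" ] || return 1
  begins=$(grep -c -- '-----BEGIN PGP MESSAGE-----' "$file" || true)
  ends=$(grep -c -- '-----END PGP MESSAGE-----' "$file" || true)
  [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] && grep -q '^[A-Za-z_]*:' "$file"
}

# Return 0 if CONF (a file under /etc/salt/master.d) names KEYDIR as
# gpg_keydir, so the renderer looks in the same keyring we exported to.
check_master_conf() {
  local conf="$1" keydir="$2"
  grep -Eq "^gpg_keydir:[[:space:]]*${keydir}[[:space:]]*$" "$conf"
}

# Strip the YAML indentation from the armored block and decrypt it with
# the key in KEYDIR. Returns 2 when gpg is absent (check skipped), 1 on
# a failed decryption, 0 on success. Plaintext is discarded, not shown.
try_decrypt() {
  local keydir="$1" file="$2"
  command -v gpg >/dev/null 2>&1 || return 2
  sed -n '/-----BEGIN PGP MESSAGE-----/,/-----END PGP MESSAGE-----/{s/^[[:space:]]*//;p;}' "$file" \
    | gpg --homedir "$keydir" --batch --quiet --decrypt >/dev/null 2>&1
}
```

Run the four checks in order; if try_decrypt returns 1 with gpg installed, the ciphertext was not produced for the key in the keyring (wrong -r <key_id> or wrong --homedir).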

Additional Information