Karol Babioch

# Secret management and encryption

**For all intents and purposes you should consider this repository to be
publicly accessible, so please make sure to not expose any secret information
(e.g. passwords) via state and configuration files.**

Secret information (e.g. passwords) is managed in encrypted form to
provide confidentiality within this repository. In particular, we're using
OpenPGP.

## Concept

Secrets are encrypted with OpenPGP using public-key cryptography. There are
multiple recipients able to decrypt each secret, one of which is the Salt
master itself, using its own key (`B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E`).

## Import of keys

In order to encrypt any secrets, you'll need to have the public keys of all
other recipients available in your own keyring. The list of recipients is
managed in `encrypted_pillar_recipients`.

You can import all keys by invoking the script `bin/import_gpg_keys.sh`.

In case you want to do this manually, keep in mind that the public
key of the Salt master is not uploaded to any public keyserver. You'll find
a copy of this key in `gpgkeys` and can import it using the following command:

```
$ gpg --import gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc
```

## Create new secrets

You can easily create new secrets using the `bin/encrypt_pillar.sh` script.

The script will wait for some input (i.e. the secret) and encrypt it, so that
all current recipients can access it. It will then output an OpenPGP
ASCII-armored text block, which can then be included into any pillar as a
block string (note that the message lines must be indented under the key so
that YAML reads them as one multi-line string):

```
#!yaml|gpg

a-secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
  QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
  cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
  RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
  m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
  Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
  FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
  skqmFTbOiA==
  =Eqsm
  -----END PGP MESSAGE-----
```
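
As an added example (this is not the repository's own `bin/encrypt_pillar.sh`), the following Python script carries out the steps described above in one place: it reads the recipient list, encrypts a secret read from standard input to every listed key with `gpg`, and wraps the armored output as a YAML block scalar ready to paste into a pillar file. It assumes that `encrypted_pillar_recipients` lists one full fingerprint per line with `#` starting a comment; the page does not state the file's format, so that is an assumption. Entries shorter than a full 40-digit fingerprint are rejected, because short key IDs are not unique and could select a different key from the keyring. All function names are the example's own.

```python
"""Encrypt a secret for all current recipients and emit it as a pillar block scalar.

Added example, not the repository's bin/encrypt_pillar.sh. Assumes the
recipients file lists one full fingerprint per line ('#' starts a comment).
"""
import re
import subprocess
import sys

FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def is_full_fingerprint(value):
    """True for a full 40-hex-digit (v4) fingerprint; spaces as printed by gpg are tolerated."""
    return FINGERPRINT_RE.match(value.replace(" ", "").upper()) is not None


def load_recipients(text):
    """Parse the recipients file. Short key IDs are rejected: they are not
    unique, so a different key with the same ID could be picked from the keyring."""
    fingerprints = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if not is_full_fingerprint(entry):
            raise ValueError("not a full fingerprint: %r" % entry)
        fingerprints.append(entry.replace(" ", "").upper())
    if not fingerprints:
        raise ValueError("recipient list is empty")
    return fingerprints


def gpg_encrypt_command(fingerprints):
    """gpg invocation: ASCII-armored public-key encryption to every recipient, plaintext on stdin."""
    command = ["gpg", "--batch", "--armor", "--encrypt"]
    for fingerprint in fingerprints:
        command += ["--recipient", fingerprint]
    return command


def encrypt_secret(secret, fingerprints):
    """Run gpg (the recipients' keys must be imported and marked valid) and return the armored message."""
    result = subprocess.run(gpg_encrypt_command(fingerprints), input=secret.encode(),
                            capture_output=True, check=True)
    return result.stdout.decode()


def as_pillar_block(key, armored, indent=2):
    """Wrap the armored message as a YAML literal block scalar under `key`;
    every line is indented so YAML treats the whole message as one string."""
    pad = " " * indent
    body = "\n".join(pad + line for line in armored.strip().splitlines())
    return "%s: |\n%s\n" % (key, body)


if __name__ == "__main__":
    key = sys.argv[1] if len(sys.argv) > 1 else "a-secret"
    with open("encrypted_pillar_recipients") as handle:
        recipients = load_recipients(handle.read())
    # The trailing newline is stripped so that it does not become part of the secret.
    secret = sys.stdin.read().rstrip("\n")
    print("#!yaml|gpg\n")
    print(as_pillar_block(key, encrypt_secret(secret, recipients)))
```

One caveat worth knowing: in `--batch` mode gpg refuses to encrypt to an imported key whose validity it does not know. The right fix is to verify the fingerprint out of band and sign the key (for example with `gpg --lsign-key`), not to disable the check with a trust-model override.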

## Reencryption

Whenever changing the list of recipients (i.e. adding and/or removing keys)
you need to reencrypt all pillar data, so that existing secrets are
reencrypted for the new list of recipients. The recommended way of doing
this is to use the `reencrypt_pillar.py` script in the following way:

```
$ ./bin/reencrypt_pillar.py --recipients-file encrypted_pillar_recipients -r pillar
```

**NOTE**: Reencryption will **NOT** change and/or update the secrets
themselves. Previous recipients might still be able to decrypt old versions of
the encrypted pillar that remain in version control, so when necessary, make
sure to also change the secrets themselves.
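
To check the outcome of a reencryption, and more generally that every secret in a pillar file is addressed to exactly the current recipient list, the recipient key IDs of an OpenPGP message can be read from its public-key encrypted session key packets without decrypting anything. The following Python script is an added example and not part of this repository's tooling: it dearmors each `PGP MESSAGE` block found in a pillar file, walks the packet headers (RFC 4880, section 4.2) and compares the 64-bit key IDs it finds against the last 16 hex digits of the expected fingerprints. The embedded sample pillar wraps the block shown in the "Create new secrets" section; its single recipient key ID decodes to `07911CA68F09F35E`, which is not the Salt master's key, so the audit reports the master as missing and that key as unexpected. Function and variable names are the example's own.

```python
"""Audit which OpenPGP keys the secrets in a pillar file are encrypted to. Added
example, not part of the repository's tooling: it reads the public-key encrypted
session key (PKESK) packets, so neither a private key nor the gpg binary is needed."""
import base64
import re

# An ASCII-armored message, possibly indented inside a YAML block scalar.
ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)
PKESK = 1   # public-key encrypted session key packet (RFC 4880, section 5.1)

def armored_blocks(pillar_text):
    """Return every armored PGP message found in the pillar text."""
    return ARMOR_RE.findall(pillar_text)

def dearmor(armored):
    """Drop BEGIN/END lines, armor headers and the '=CRC' line, then base64-decode."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    body = lines[1:-1]
    if "" in body:                          # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(line for line in body if not line.startswith("=")))

def packets(data):
    """Yield (tag, body) for the OpenPGP packets in data (RFC 4880, section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if ctb & 0x40:                      # new packet format
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, header = first, 2
            elif first < 224:
                length, header = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, header = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:                           # partial length: bulk data, taken to the end
                length, header = len(data) - pos - 2, 2
        else:                               # old packet format
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:            # indeterminate length: runs to the end
                length, header = len(data) - pos - 1, 1
            else:
                n = 1 << length_type        # 1, 2 or 4 length octets
                length, header = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + header:pos + header + length]
        pos += header + length

def recipient_key_ids(armored):
    """Return the 16-hex-digit key IDs a message is encrypted to. An all-zero ID
    means the sender hid the recipient (gpg --throw-keyids)."""
    ids = []
    for tag, body in packets(dearmor(armored)):
        if tag != PKESK:
            break       # session-key packets always precede the encrypted data packet
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        ids.append(body[1:9].hex().upper())
    return ids

def audit(pillar_text, recipient_fingerprints):
    """Compare each block's recipients with the expected v4 fingerprints, whose
    last 16 hex digits are the key ID."""
    expected = {fp.replace(" ", "").upper()[-16:] for fp in recipient_fingerprints}
    report = []
    for block in armored_blocks(pillar_text):
        found = set(recipient_key_ids(block))
        report.append({
            "recipients": sorted(found),
            "missing": sorted(expected - found),     # current recipients unable to decrypt
            "unexpected": sorted(found - expected),  # keys able to decrypt that should not be
        })
    return report

# Constructed pillar file wrapping the example block shown in this document.
SAMPLE_PILLAR = """\
#!yaml|gpg

a-secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
  QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
  cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
  RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
  m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
  Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
  FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
  skqmFTbOiA==
  =Eqsm
  -----END PGP MESSAGE-----
"""
SALT_MASTER_FINGERPRINT = "B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E"  # from this document

if __name__ == "__main__":
    for entry in audit(SAMPLE_PILLAR, [SALT_MASTER_FINGERPRINT]):
        print(entry)
```

Run it over every `.sls` file under `pillar` after a reencryption and treat any non-empty `missing` or `unexpected` list as a finding. Two limits apply: a 64-bit key ID only identifies a key, it does not prove the key is the one you verified, so resolve any surprise against full fingerprints in your keyring; and the check says nothing about old commits, which is exactly why the note above asks for the secrets themselves to be changed when a recipient is removed.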

## More information & references

More information can be found here:

- https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html
- https://www.gnupg.org/gph/en/manual/x110.html