Karol Babioch c83c4b
# Secret management and encryption

**For all intents and purposes you should consider this repository to be
publicly accessible, so please make sure to not expose any secret information
(e.g. passwords) via state and configuration files.**

Secret information (e.g. passwords) is managed in an encrypted way to
provide confidentiality within this repository. In particular, we're using
OpenPGP.

## Concept

Secrets are encrypted with OpenPGP using public-key cryptography. Each secret
is encrypted to multiple recipients, each of whom is able to decrypt it; one of
them is the Salt master itself, using its own key
(`B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E`).

## Import of keys

In order to encrypt any secrets, you'll need to have the public keys of all
other recipients available in your own keyring. The list of recipients is
managed in `encrypted_pillar_recipients`.

You can import all keys by invoking the script `bin/import_gpg_keys.sh`.

In case you want to do this manually, keep in mind that the public key of the
Salt master is not uploaded to any public keyserver. You'll find a copy of this
key in `gpgkeys` and can import it using the following command:

```
$ gpg --import gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc
```

## Create new secrets

You can easily create new secrets using the `bin/encrypt_pillar.sh` script.

The script waits for some input (i.e. the secret) and encrypts it so that all
current recipients can access it. It then outputs an ASCII-armored OpenPGP
message, which can be included in any pillar file as a block string:

```
#!yaml|gpg

a-secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
  QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
  cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
  RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
  m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
  Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
  FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
  skqmFTbOiA==
  =Eqsm
  -----END PGP MESSAGE-----
```

## Reencryption

Whenever changing the list of recipients (i.e. adding and/or removing keys),
you need to reencrypt all pillar data so that existing secrets are reencrypted
for the new list of recipients. The recommended way of doing this is to use the
`reencrypt_pillar.py` script as follows:

```
$ ./bin/reencrypt_pillar.py --recipients-file encrypted_pillar_recipients -r pillar
```

**NOTE**: Reencryption will **NOT** change or update the secrets themselves.
Previous recipients may still be able to decrypt old versions of the encrypted
pillar (version control history!), so when necessary (in particular after
removing a recipient), make sure to also change the secrets themselves.
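
The following is an added example and not one of this repository's scripts: a Python check that complements the reencryption step by reading the PKESK packet headers of an armored pillar secret (without decrypting it) to list the key IDs it is encrypted to, and comparing them with the current recipient list. It assumes that `encrypted_pillar_recipients` holds one full key fingerprint per line; the embedded message is a constructed sample, not a real secret.

```python
import base64
import re

# Constructed sample (not a real secret): two PKESK packets naming key IDs F1C33B7A1346F48E
# (the Salt master's) and 0123456789ABCDEF, then a dummy partial-length encrypted-data packet.
SAMPLE_PILLAR = """a-secret: |
  -----BEGIN PGP MESSAGE-----

  hA0D8cM7ehNG9I4BAAirwQ0DASNFZ4mrze8BAAir0uQBAQEBAQEBAQEBAQEBAQEB
  -----END PGP MESSAGE-----
"""
ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n(?:=[A-Za-z0-9+/]{4}\n)?-----END PGP MESSAGE-----", re.S)

def dearmor(text: str) -> bytes:
    # Packet stream of the first armored message; YAML indentation and the CRC-24 line are dropped
    m = ARMOR_RE.search("\n".join(line.strip() for line in text.splitlines()))
    if m is None:
        raise ValueError("no well-formed armored PGP message found")
    return base64.b64decode("".join(m.group(1).split()))

def recipient_key_ids(packets: bytes) -> set[str]:
    # Walk packet headers (RFC 4880 section 4.2); each v3 PKESK (tag 1) names one recipient key
    ids, i = set(), 0
    while i < len(packets):
        first = packets[i]
        if first & 0x40:  # new-format header
            tag, l1 = first & 0x3F, packets[i + 1]
            if l1 < 192:
                length, hdr = l1, 2
            elif l1 < 224:
                length, hdr = ((l1 - 192) << 8) + packets[i + 2] + 192, 3
            else:  # partial or 5-octet length: only the trailing encrypted-data packet needs it
                break
        else:  # old-format header (what GnuPG emits for PKESK); length type 3 = indeterminate
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                break
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(packets[i + 1:i + hdr], "big")
        body = packets[i + hdr:i + hdr + length]
        if tag == 1 and body[:1] == b"\x03":  # version 3, 8-byte key ID, algorithm, MPIs
            ids.add(body[1:9].hex().upper())
        i += hdr + length
    return ids

def stale_recipients(pillar_text: str, fingerprints: list[str]) -> tuple[set[str], set[str]]:
    # Assumed recipient-file format: one 40-hex-digit fingerprint per line (v4 key ID = last 16)
    expected = {fp.strip().upper()[-16:] for fp in fingerprints if fp.strip()}
    actual = recipient_key_ids(dearmor(pillar_text))
    return expected - actual, actual - expected  # (not encrypted to, no longer listed)
```

Run `stale_recipients()` over every pillar file after editing the recipient list: a non-empty first set means a listed recipient cannot decrypt that secret yet, a non-empty second set means a removed recipient still can.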

## More information & references

More information can be found here:

- https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html
- https://www.gnupg.org/gph/en/manual/x110.html