# Secret management and encryption

**For all intents and purposes you should consider this repository to be
publicly accessible, so please make sure not to expose any secret information
(e.g. passwords) via state and configuration files.**

Secret information (e.g. passwords) is managed in encrypted form to provide
confidentiality within this repository. In particular, we're using OpenPGP:
only ciphertext is committed, and only the holder of a recipient's private key
can recover the plaintext.

The Salt master has its own OpenPGP key and needs to be able to decrypt any
secret for proper deployment, so it must be a recipient of every secret. The
private key exists only on the master; you'll find the public key in the
following file: `gpg/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc`.

You'll need to import it manually, and won't find it on any public keyserver:

```
$ gpg --import gpg/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc
```

After importing, check that the fingerprint gpg prints for the key matches the
one in the file name: the encryption command below uses `--trust-model always`,
which skips the web-of-trust check entirely, so this is the only point at which
you verify that you are encrypting to the right key.

You can then create new secrets using the following snippet:

```
$ echo -n "supersecret" | gpg --armor --batch --trust-model always --encrypt -r <KEY-name>
```

`<KEY-name>` should be an OpenPGP key handle (key ID, fingerprint or user ID)
and can be given multiple times to encrypt for several recipients at once. For
the recommended workflow (see below) you should use your own OpenPGP key
handle, so that you will be able to decrypt the secret and re-encrypt it later
on. Note that `echo -n` keeps a trailing newline out of the secret (it would
otherwise become part of the deployed value), and that a secret typed on the
command line like this lands in your shell history.

The output (OpenPGP armored ASCII text) can be included into any pillar that
selects the `gpg` renderer on its first line. The armored block is a YAML
literal block scalar, so it has to be indented under its key:

```
#!yaml|gpg

a-secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
  QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
  cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
  RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
  m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
  Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
  FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
  skqmFTbOiA==
  =Eqsm
  -----END PGP MESSAGE-----
```

## Recommended workflow

The recommended workflow for creating a new secret is as follows:

1.) Make sure to have imported all public keys from `encrypted_pillar_recipients`
2.) Encrypt the secret with your own public key and put the result into the pillar
3.) Run the `reencrypt_pillar.py` script to re-encrypt it for all current
    recipients (the Salt master among them)

## Reencryption

Whenever changing the list of recipients (i.e. adding new keys and/or
removing keys) you need to re-encrypt all pillar data. The recommended way
of doing this is to use the `reencrypt_pillar.py` script in the following way:

```
$ ./bin/reencrypt_pillar.py --recipients-file encrypted_pillar_recipients -r pillar
```

To successfully run this script, you'll need to have imported all public keys
referenced in `encrypted_pillar_recipients`, and your own private key must be
able to decrypt every existing secret, i.e. you must already be a recipient
of all of them.

**NOTE**: Reencryption will only re-encrypt the secrets for the current list
of recipients. It will **not** change and/or update the secrets themselves.
Removing a key from the list therefore does not revoke access: previous
recipients might still be able to decrypt old versions of the encrypted
pillar (version control!), and may have read the plaintext while they were
a recipient. So when appropriate (e.g. when somebody leaves), make sure to
also change the secrets themselves, not just the recipient list.
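
The workflow and the re-encryption note above are easier to reason about with
the core logic in front of you. The following is an added example written for
this page; it is neither the repository's `reencrypt_pillar.py` nor Salt's own
code. It rewrites the armored blocks in pillar files for a new recipient list
while keeping the YAML indentation intact, and it parses `gpg --list-packets`
and `gpg --with-colons --list-keys` output so you can audit which keys a
committed secret is actually encrypted to (the Salt master missing, or a
removed recipient still present). It assumes `gpg` is on `PATH`, that pillar
files are `*.sls`, and that `encrypted_pillar_recipients` holds one key handle
per line with `#` comments; none of that is specified on this page.

```python
"""Core of a pillar re-encryption and audit tool (added example).

Illustrative code, not the repository's reencrypt_pillar.py. Assumptions:
`gpg` is on PATH, pillar files end in .sls, and the recipients file lists one
key handle (key ID, fingerprint or user ID) per line, '#' starting a comment.
"""
import pathlib
import re
import subprocess
from typing import Callable, Dict, List, Set

# One armored message inside a YAML literal block scalar; the indent of the
# BEGIN line is captured so the END line and the replacement get the same one.
ARMOR_RE = re.compile(
    r"^(?P<indent>[ \t]*)-----BEGIN PGP MESSAGE-----\n"
    r".*?"
    r"^(?P=indent)-----END PGP MESSAGE-----$",
    re.DOTALL | re.MULTILINE,
)
# `gpg --list-packets` prints one "pubkey enc packet" per recipient; the key ID
# shown is that of the *encryption subkey*, not the primary key fingerprint.
PUBKEY_ENC_RE = re.compile(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})",
                           re.MULTILINE)

def dedent_block(block: str, indent: str) -> str:
    """Strip the YAML indentation so gpg sees a plain armored message."""
    return "\n".join(l[len(indent):] if l.startswith(indent) else l
                     for l in block.splitlines()) + "\n"

def indent_block(armored: str, indent: str) -> str:
    """Re-indent a fresh armored message for the literal block scalar."""
    return "\n".join(indent + l if l else l
                     for l in armored.strip("\n").splitlines())

def reencrypt_text(text: str, recipients: List[str],
                   decrypt: Callable[[str], bytes],
                   encrypt: Callable[[bytes, List[str]], str]) -> str:
    """Replace every armored block with one encrypted for `recipients`.

    Only the set of keys able to decrypt changes; the plaintext is reused
    unchanged, which is why re-encryption is not secret rotation. The gpg
    backends are injected so the rewriting logic is testable without keys.
    """
    def replace(m):
        indent = m.group("indent")
        plaintext = decrypt(dedent_block(m.group(0), indent))
        return indent_block(encrypt(plaintext, recipients), indent)
    return ARMOR_RE.sub(replace, text)

def recipient_keyids(packet_listing: str) -> Set[str]:
    """Key IDs a message is encrypted to, from `gpg --list-packets` output.
    An all-zero ID is a hidden recipient (-R) and cannot be audited."""
    return {k.upper() for k in PUBKEY_ENC_RE.findall(packet_listing)}

def encryption_keyids(colon_listing: str) -> Set[str]:
    """IDs of (sub)keys with the 'e' capability, from
    `gpg --with-colons --list-keys <handle>` (field 5 = key ID, 12 = caps)."""
    ids = set()
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11 and "e" in f[11]:
            ids.add(f[4].upper())
    return ids

def audit(actual: Set[str], expected: Set[str]) -> Dict[str, Set[str]]:
    """Keys a block lacks (e.g. the Salt master's) and keys it should no
    longer be encrypted to (e.g. a removed recipient)."""
    return {"missing": expected - actual, "unexpected": actual - expected}

# Real gpg backends, wired in by reencrypt_tree().
def gpg_decrypt(armored: str) -> bytes:
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=armored.encode(), capture_output=True,
                          check=True).stdout

def gpg_encrypt(plaintext: bytes, recipients: List[str]) -> str:
    cmd = ["gpg", "--armor", "--batch", "--quiet", "--trust-model", "always",
           "--encrypt"]
    for r in recipients:
        cmd += ["-r", r]
    return subprocess.run(cmd, input=plaintext, capture_output=True,
                          check=True).stdout.decode()

def gpg_list_packets(armored: str) -> str:
    p = subprocess.run(["gpg", "--batch", "--list-only", "--list-packets"],
                       input=armored.encode(), capture_output=True)
    return p.stdout.decode() + p.stderr.decode()  # output stream varies by version

def reencrypt_tree(pillar_dir: str, recipients_file: str) -> int:
    """Rewrite every .sls file under pillar_dir; returns the number changed."""
    recipients = [l.strip() for l in pathlib.Path(recipients_file).read_text().splitlines()
                  if l.strip() and not l.startswith("#")]
    changed = 0
    for path in sorted(pathlib.Path(pillar_dir).rglob("*.sls")):
        old = path.read_text()
        new = reencrypt_text(old, recipients, gpg_decrypt, gpg_encrypt)
        if new != old:
            path.write_text(new)
            changed += 1
    return changed
```

To audit a committed secret, compare `recipient_keyids(gpg_list_packets(block))`
with the union of `encryption_keyids(...)` over every handle in the recipients
file: a non-empty `missing` set means the Salt master cannot deploy that secret,
a non-empty `unexpected` set means a key that should have been removed can still
open that ciphertext. Neither check helps with history: a removed recipient's
old checkouts still decrypt, so rotate the secret itself.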

## More information & references

More information can be found here:

- https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html
- https://www.gnupg.org/gph/en/manual/x110.html