Blob Blame History Raw
# Secret management and encryption

**For all intents and purposes you should consider this repository to be
publicly accessible, so please make sure to not expose any secret information
(e.g. passwords) via state and configuration files.**

Secret information (e.g. passwords) are managed in an encrypted way to
provide confidentiality within this repository. In particular, we're using

## Concept

Secrets are encrypted with OpenPGP using public-key cryptography. There are
multiple recipients able to decrypt each secret, one of which is the Salt
master itself using its own key (`B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E`).

## Import of keys

In order to encrypt any secrets, you'll need to have the public keys of all
other recipients available in your own keyring. The list of recipients is
managed in `encrypted_pillar_recipients`.

You can import all keys by invoking the script `bin/`.

In case you want to do this manually, you need to keep in mind that the public
key of the Salt master is not uploaded to any public keyserver. You'll find
a copy of this key in `gpgkeys` and can import it using the following command:

$ gpg --import gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc

## Create new secrets

You can easily create new secrets using the `bin/` script:

The script will wait for some input (i.e. the secret) and encrypt it, so that
all current recipients can access it. It will then output some OpenPGP armored
ASCII text block, which can then be included into any pillar as block string:


a-secret: |
  Version: GnuPG v1

  -----END PGP MESSAGE-----

## Reencryption

Whenever changing the list of recipients (i.e. adding new keys and/or
removing keys) you need to reencrypt all pillar data, so that existing secrets
are reencrypted for the new list of recipients. The recommended way of doing
this is to use the `` script in the following way:

$ ./bin/ --recipients-file encrypted_pillar_recipients -r pillar

**NOTE**: Reencryption will **NOT** change and/or update the secrets itself.
Previous recipients might still be able to decrypt old versions of the
encrypted pillar (version control!), so when necessary, make sure to also
change the secrets themselves.

## More information & references

More information can be found here: