
Secret management and encryption

For all intents and purposes you should consider this repository to be publicly accessible, so please make sure to not expose any secret information (e.g. passwords) via state and configuration files.

Secret information (e.g. passwords) is managed in an encrypted way to provide confidentiality within this repository. In particular, we're using OpenPGP.


Secrets are encrypted with OpenPGP using public-key cryptography. There are multiple recipients able to decrypt each secret, one of which is the Salt master itself using its own key (B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E).

Import of keys

In order to encrypt any secrets, you'll need to have the public keys of all other recipients available in your own keyring. The list of recipients is managed in encrypted_pillar_recipients.

You can import all keys by invoking the script bin/import_gpg_keys.sh.

In case you want to do this manually, you need to keep in mind that the public key of the Salt master is not uploaded to any public keyserver. You'll find a copy of this key in gpgkeys and can import it using the following command:

$ gpg --import gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc

Create new secrets

You can easily create new secrets using the bin/encrypt_pillar.sh script:

The script will wait for some input (i.e. the secret) and encrypt it, so that all current recipients can access it. It will then output an ASCII-armored OpenPGP message, which can then be included into any pillar as a block string:


a-secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  ...
  -----END PGP MESSAGE-----
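As an added example (not part of the repository's own tooling), a small pre-commit style check in Python that walks a pillar file and flags secret-looking keys whose value is not a complete armored OpenPGP message, so a plaintext password or a truncated armor block is caught before it is committed. The sample pillar, the key-name pattern and the function name are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample pillar (not from the repository): one properly armored
# secret, one plaintext password and one truncated armor block.
SAMPLE_PILLAR = """\
app:
  db_user: app
  db_password: hunter2
  api_token: |
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1

    hQEMA...constructed...
  a-secret: |
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1

    hQEMA...constructed...
    -----END PGP MESSAGE-----
"""

# Assumed heuristic for "this key probably holds a secret".
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|private[_-]?key)", re.I)
KEY_RE = re.compile(r"^(\s*)([\w.-]+):\s*(.*)$")

def find_unencrypted_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, reason) for secret-looking keys whose value is
    not a complete OpenPGP armored block. Assumes simple indented YAML."""
    lines = text.splitlines()
    findings: List[Tuple[int, str, str]] = []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m or not SECRET_KEY_RE.search(m.group(2)):
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if not value.startswith("|"):
            findings.append((i + 1, key, "plaintext value"))
            continue
        # Collect the block scalar: following lines indented deeper than the key.
        block = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                break
            block.append(nxt.strip())
        if "-----BEGIN PGP MESSAGE-----" not in block:
            findings.append((i + 1, key, "block is not PGP armored"))
        elif "-----END PGP MESSAGE-----" not in block:
            findings.append((i + 1, key, "armor is truncated (no END line)"))
    return findings
```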


Whenever you change the list of recipients (i.e. add and/or remove keys) you need to re-encrypt all pillar data, so that existing secrets are encrypted for the new list of recipients. The recommended way of doing this is to run the bin/reencrypt_pillar.py script as follows:

$ ./bin/reencrypt_pillar.py --recipients-file encrypted_pillar_recipients -r pillar

NOTE: Re-encryption will NOT change or update the secrets themselves. Previous recipients might still be able to decrypt old versions of the encrypted pillar (version control!), so when necessary, make sure to also change (rotate) the secrets themselves.

More information & references

More information can be found here: