From 827e01001a6de69806faf9d72cf4d7e75242c301 Mon Sep 17 00:00:00 2001
From: Karol Babioch
Date: Jan 25 2020 22:48:44 +0000
Subject: Merge branch 'update-readme-secret' into 'production'

Document processes and workflows to manage secrets

See merge request infra/salt!318
---
diff --git a/ENCRYPTION.md b/ENCRYPTION.md
new file mode 100644
index 0000000..9b35394
--- /dev/null
+++ b/ENCRYPTION.md
@@ -0,0 +1,81 @@
+# Secret management and encryption
+
+**For all intents and purposes you should consider this repository to be
+publicly accessible, so please make sure to not expose any secret information
+(e.g. passwords) via state and configuration files.**
+
+Secret information (e.g. passwords) are managed in an encrypted way to
+provide confidentiality within this repository. In particular, we're using
+OpenPGP.
+
+## Concept
+
+Secrets are encrypted with OpenPGP using public-key cryptography. There are
+multiple recipients able to decrypt each secret, one of which is the Salt
+master itself using its own key (`B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E`).
+
+## Import of keys
+
+In order to encrypt any secrets, you'll need to have the public keys of all
+other recipients available in your own keyring. The list of recipients is
+managed in `encrypted_pillar_recipients`.
+
+You can import all keys by invoking the script `bin/import_gpg_keys.sh`.
+
+In case you want to do this manually, you need to keep in mind that the public
+key of the Salt master is not uploaded to any public keyserver. You'll find
+a copy of this key in `gpgkeys` and can import it using the following command:
+
+```
+$ gpg --import gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc
+```
+
+## Create new secrets
+
+You can easily create new secrets using the `bin/encrypt_pillar.sh` script:
+
+The script will wait for some input (i.e. the secret) and encrypt it, so that
+all current recipients can access it. It will then output some OpenPGP armored
+ASCII text block, which can then be included into any pillar as block string:
+
+
+```
+#!yaml|gpg
+
+a-secret: |
+ -----BEGIN PGP MESSAGE-----
+ Version: GnuPG v1
+
+ hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
+ QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
+ cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
+ RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
+ m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
+ Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
+ FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
+ skqmFTbOiA===Eqsm
+ -----END PGP MESSAGE-----
+```
+
+## Reencryption
+
+Whenever changing the list of recipients (i.e. adding new keys and/or
+removing keys) you need to reencrypt all pillar data, so that existing secrets
+are reencrypted for the new list of recipients. The recommended way of doing
+this is to use the `reencrypt_pillar.py` script in the following way:
+
+```
+$ ./bin/reencrypt_pillar.py --recipients-file encrypted_pillar_recipients -r pillar
+```
+
+**NOTE**: Reencryption will **NOT** change and/or update the secrets itself.
+Previous recipients might still be able to decrypt old versions of the
+encrypted pillar (version control!), so when necessary, make sure to also
+change the secrets themselves.
+
+## More information & references
+
+More information can be found here:
+
+- https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html
+- https://www.gnupg.org/gph/en/manual/x110.html
diff --git a/bin/get_gpg_keys.sh b/bin/get_gpg_keys.sh
deleted file mode 100755
index d4ec7ad..0000000
--- a/bin/get_gpg_keys.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-# Imports the other admins' plus the salt master/syndic's GPG keys into the
-# local keyring, and opens the trust menu in order to trust them ultimately
-
-RECIPIENTS=( $(egrep '^\s*0x' encrypted_pillar_recipients) )
-SALTMASTER_KEYS_PATH="salt/profile/salt/files/etc/salt/gpgkeys"
-
-for key in $(ls $SALTMASTER_KEYS_PATH); do
- gpg --import ${SALTMASTER_KEYS_PATH}/${key}
-done
-
-for recipient in ${RECIPIENTS[@]}; do
- gpg --recv-key $recipient
- gpg --edit-key $recipient trust save
-done
diff --git a/bin/import_gpg_keys.sh b/bin/import_gpg_keys.sh
new file mode 100755
index 0000000..6d909ee
--- /dev/null
+++ b/bin/import_gpg_keys.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Imports the other admins' plus the salt master/syndic's GPG keys into the
+# local keyring, and opens the trust menu in order to trust them ultimately
+
+RECIPIENTS=( $(egrep '^\s*0x' encrypted_pillar_recipients) )
+SALTMASTER_KEYS_PATH="gpgkeys"
+
+for key in $(ls $SALTMASTER_KEYS_PATH); do
+ gpg --import ${SALTMASTER_KEYS_PATH}/${key}
+done
+
+for recipient in ${RECIPIENTS[@]}; do
+ gpg --recv-key $recipient
+ gpg --edit-key $recipient trust save
+done
diff --git a/gpg/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc b/gpg/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc
deleted file mode 100644
index b671a0d..0000000
--- a/gpg/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc
+++ /dev/null
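Review bot: In the new bin/import_gpg_keys.sh neither `gpg --import` nor `gpg --recv-key $recipient` is checked and the script has no `set -e`, so a keyserver failure or a missing key falls straight through to `gpg --edit-key $recipient trust save` for that recipient, and the script's exit status only reflects its last command. The relative paths `gpgkeys` and `encrypted_pillar_recipients` also resolve only when the script is run from the repository root, which ENCRYPTION.md implies but the script does not enforce. `for key in $(ls $SALTMASTER_KEYS_PATH)` and the unquoted `$recipient` / `${RECIPIENTS[@]}` are the usual word-splitting hazards (ShellCheck SC2012, SC2086, SC2068). Because the second loop ends by assigning trust to whatever the keyserver returned for each identifier, the header comment should state what `encrypted_pillar_recipients` must contain — I cannot tell from this hunk — e.g. `# Entries must be full fingerprints: a short key ID can match more than one key on a keyserver.` The rewrite below keeps the behaviour and only adds strict mode, a `cd` to the repository root, a glob instead of ls, and quoting.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: header comment …
cd "$(dirname "$0")/.."   # the relative paths below are resolved from the repository root

RECIPIENTS=( $(egrep '^\s*0x' encrypted_pillar_recipients) )   # word-splitting on whitespace is intended here
SALTMASTER_KEYS_PATH="gpgkeys"

for key in "${SALTMASTER_KEYS_PATH}"/*; do
  gpg --import "$key"
done

for recipient in "${RECIPIENTS[@]}"; do
  gpg --recv-key "$recipient"
  gpg --edit-key "$recipient" trust save
done
```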
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFn4ZSYBEADSaJ/whxLgtOk876vtmQyjyJ2Ql1Ba4N8D6XirJTqXug6082ER -GzIv1q7Eub0v99242BourmhL1rlQkLGIMY9bAFeB+0gkzQjnetS2+c9+5S/AyFSP -oCGoaRXvFFUn9SaS9d4OxZ6QYKId1Qm2NkyL+spByqvW4j30QzrBJZFckEpTC7ky -4UwSFuLIOISXRcBWdmu/uhRLLOB24oWC0Fhj7Tns9oX8MhntbzbrRdO3CyN5M6Oj -PNs6a0U8PTsB9IY/cl5ZOWYGPW7Zi4WZOcc+jzQtryUWRU2eWsA3fOoLUqnwrBxM -T58M9quVN7dROAvNG0vwkFWsrT7LqfuZscnCdtq5kmm3mhBnxI5F92L0NQg+Ljfa -SxtYPd0V3D3TVUs6wqHT7sBY/w7ulQfzNPLCw/w5mhFfzmVN9HbzNsZhEh5yHtAw -tQCOknDDHE1D9vs34DO4d9t3Advsu8OM+Nuv6LL51M/Gj05nkqQ/4j6bQDBWgtp9 -Uyx+rhRSRnUvom4m8xnKtgK76vYJxiW5RJq40BBXpOiAzL3gaXXFpr7JEi6iNjgE -kT/i7f29M0VE82kRD6y2SSPg6ld9m4Kc+fP891LaYrw7VBv4TRcrHlvoNEK2jtk6 -er2m1QVnCxD6b4WhR/6LTTE9SmQuDsrZtOO+OlAde8R+bffyBkskvu9xtQARAQAB -tDJNaW5uaWUgU2FsdE1hc3RlciA8cm9vdEBtaW5uaWUuaW5mcmEub3BlbnN1c2Uu -b3JnPokCVgQTAQIAQAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAFiEEudRb -Q2bGnI11yjoI8cM7ehNG9I4FAl3oNEUFCQeyNh8ACgkQ8cM7ehNG9I7Yww/9G8ku -Z5omour1TIW4rU0GKYny0xQO94vO/LezkYe5/WqHgBecbqgHzDbjhhLedjGM1JOJ -UcaStzQ/dClvChuHqZ5EEubxw9ZXkRQbQ5VXfH94s7vzKNOUsPDGyYEuqr5uBo00 -GVvEjP9n6h2++0Uk3j/XuMVbekofuYfifArGj6HLdqTPZhKAWVbzrK9S9HcCzTZt -W9Ehc7NwUH7ehLUVdnML9GK9RY747Giwurj85kEZWDzPUkDe/9TCezZUtD8ST1tZ -+0OnkhuiZHqTASZDbCSfIUlqe8MWmheN10CfCDjD2t8EyRljpUX0UXhjPL6G+Ap7 -WaeMGIzeUPxpic0cO57LRgz2+LTuuTEOJAs5auI6QM9tB6BeCZY9Y1xgeO55Ygrq -oFuKL4Um55wK08KbWZcbupuArPz1C9tFbwPja2wpwo/yxrihzlijl76hInRZkhPY -JMhaVy75lvpNy28Ts05JrCd+cESy33bUzzbppcn8RimcM8vhLuCF+vFThu7hchKf -z7P0o1LpBNSU+8cgeZJfMCR62vSYcGtr3rDvrOE7Xten2xNzwEiEQ11s7sKoCPFC -ba6kDrkyP3txfY1OuM4BA4f8hd8ACC3F5sKqx3lp+J59KKPjVz9pLceup25Vlw2p -+FJyzefb96t2I+QeHV5ZpHR9Uk6W82l1aXbGirS5Ag0EWfhlJgEQALvR7M+9DqGT -mI4z27xjYs/bUet5Cm/4XdXiX47PkXm3rH5Rk3QpatJ1nThKy8+pc3gYtYmMRGii -E34kUwv1ATn5FtkdD+b4kVt7Of/bfomhKm05VcECnoJd4Wj8LNWqRfGUrz8KFPdh -nUl1OtfF8srePkvFILuxNbVL9aztAnviy/qj12FK6k9e7fMreGkjP/LO4rpwbxha -3Kv43qC+AtIAIrvVl2acu2IiAoTXPvcTHhw8RYw/XXXxWc+8BhgFq+nLCEqAFr+g 
-UoLhCG1lNVDgh4gHyn/F7slMqkA7fg5xM/so6jARjtREycDtxMun9Oabk8ptt7Ad -ql7kMVhB4ZPEdjpDmE52vz3dKz+WzM5RLSVsfSeampCSPyl/RRldLyaZEaTXgVKV -ZwMVjAbm0XtSQPAJSGDSu3r/Qb5204TNs9MDfp0tikX5pP4s3cnF3b6xhNaiVMKb -stDI1I/iCmJF4SZabI/SotL8mF7o+piafXe0Y05tVGlXmB0XMboXE8UkHXa+fvJm -cZj2MPEVvVvK7mRMlh4D3K0kme94/zdgyScahXDoHd8kWjaN9P6jo6Svcr7RC9qp -RN9dbXA/YUwvp0Qq1+dwDSs4+Y+CACZRR3ZeVGRb30EIWA72S4l26PLRK4QdUaWQ -vm+2vYJ1yDOsIb0/yAIwOKmqM0kR686ZABEBAAGJAjwEGAECACYCGwwWIQS51FtD -ZsacjXXKOgjxwzt6E0b0jgUCXeg0UQUJB7I2KwAKCRDxwzt6E0b0joSwEACS8wEk -eY3uY7IBSL4bkiZI5+CfyoLsmcM6kb4febWmyPSQQxTQfpBDmt0myIG4lKppx7No -pJnfbVcdsO0yFCeBYpHrJAPAdilUOcOj7Mi91yD+l5wAOI5eZGcIeRDprR0rivds -w8eU7QkNOBwIaugVl3OuWNgjJfxpIGEhBkvoEkJdMHg35AI0+Y0D9sGOtY8JZEwz -dPcPaQhlS2JDR5JRGrbyuyMvOxUnwpEZvKH4jzPzAyHS9FLA7qlLrT81XRTJC+8i -lVxf9qb7YCE4SA1VnruKfD0RdtJG273GKijYZRyjbkwuRFBqPm6n3AOUEUDIzFBu -7i7Mo3NDnn7fhm5y6FZzqL5nNhl0nr+0pfq3SGb+iCgJ9oFiEkBUdasjcfUvgR5S -M6sntI4RTqJxt+OflHq/XUvkkV8pceucWKL8yKpUgN/UScZKbq6rLywQblLS2/dk -jKhsMqh86F9x1+wgHXKTYLQ3VgADG5a0WxhJ6TsaJmePMHdWVMmOMwRCvh39Ray8 -SuD6HfVgExapTentK28JX43dQ8v5sSBK0ElcbQAGi40faS0LNB0TGNdA2bQfdxsq -REibpEl+JPnWro8LgEkjFLyzQt7e98F8kGk7bgDbbSGk4cmoIm7Mo2Q5Abx35L9P -fam0vPWERQTD0B9lpzEKF102fGITSxbOPttYLw== -=8AIX ------END PGP PUBLIC KEY BLOCK----- diff --git a/gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc b/gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc new file mode 100644 index 0000000..b671a0d --- /dev/null +++ b/gpgkeys/B9D45B4366C69C8D75CA3A08F1C33B7A1346F48E.gpg.asc 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFn4ZSYBEADSaJ/whxLgtOk876vtmQyjyJ2Ql1Ba4N8D6XirJTqXug6082ER +GzIv1q7Eub0v99242BourmhL1rlQkLGIMY9bAFeB+0gkzQjnetS2+c9+5S/AyFSP +oCGoaRXvFFUn9SaS9d4OxZ6QYKId1Qm2NkyL+spByqvW4j30QzrBJZFckEpTC7ky +4UwSFuLIOISXRcBWdmu/uhRLLOB24oWC0Fhj7Tns9oX8MhntbzbrRdO3CyN5M6Oj +PNs6a0U8PTsB9IY/cl5ZOWYGPW7Zi4WZOcc+jzQtryUWRU2eWsA3fOoLUqnwrBxM +T58M9quVN7dROAvNG0vwkFWsrT7LqfuZscnCdtq5kmm3mhBnxI5F92L0NQg+Ljfa +SxtYPd0V3D3TVUs6wqHT7sBY/w7ulQfzNPLCw/w5mhFfzmVN9HbzNsZhEh5yHtAw +tQCOknDDHE1D9vs34DO4d9t3Advsu8OM+Nuv6LL51M/Gj05nkqQ/4j6bQDBWgtp9 +Uyx+rhRSRnUvom4m8xnKtgK76vYJxiW5RJq40BBXpOiAzL3gaXXFpr7JEi6iNjgE +kT/i7f29M0VE82kRD6y2SSPg6ld9m4Kc+fP891LaYrw7VBv4TRcrHlvoNEK2jtk6 +er2m1QVnCxD6b4WhR/6LTTE9SmQuDsrZtOO+OlAde8R+bffyBkskvu9xtQARAQAB +tDJNaW5uaWUgU2FsdE1hc3RlciA8cm9vdEBtaW5uaWUuaW5mcmEub3BlbnN1c2Uu +b3JnPokCVgQTAQIAQAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAFiEEudRb +Q2bGnI11yjoI8cM7ehNG9I4FAl3oNEUFCQeyNh8ACgkQ8cM7ehNG9I7Yww/9G8ku +Z5omour1TIW4rU0GKYny0xQO94vO/LezkYe5/WqHgBecbqgHzDbjhhLedjGM1JOJ +UcaStzQ/dClvChuHqZ5EEubxw9ZXkRQbQ5VXfH94s7vzKNOUsPDGyYEuqr5uBo00 +GVvEjP9n6h2++0Uk3j/XuMVbekofuYfifArGj6HLdqTPZhKAWVbzrK9S9HcCzTZt +W9Ehc7NwUH7ehLUVdnML9GK9RY747Giwurj85kEZWDzPUkDe/9TCezZUtD8ST1tZ ++0OnkhuiZHqTASZDbCSfIUlqe8MWmheN10CfCDjD2t8EyRljpUX0UXhjPL6G+Ap7 +WaeMGIzeUPxpic0cO57LRgz2+LTuuTEOJAs5auI6QM9tB6BeCZY9Y1xgeO55Ygrq +oFuKL4Um55wK08KbWZcbupuArPz1C9tFbwPja2wpwo/yxrihzlijl76hInRZkhPY +JMhaVy75lvpNy28Ts05JrCd+cESy33bUzzbppcn8RimcM8vhLuCF+vFThu7hchKf +z7P0o1LpBNSU+8cgeZJfMCR62vSYcGtr3rDvrOE7Xten2xNzwEiEQ11s7sKoCPFC +ba6kDrkyP3txfY1OuM4BA4f8hd8ACC3F5sKqx3lp+J59KKPjVz9pLceup25Vlw2p ++FJyzefb96t2I+QeHV5ZpHR9Uk6W82l1aXbGirS5Ag0EWfhlJgEQALvR7M+9DqGT +mI4z27xjYs/bUet5Cm/4XdXiX47PkXm3rH5Rk3QpatJ1nThKy8+pc3gYtYmMRGii +E34kUwv1ATn5FtkdD+b4kVt7Of/bfomhKm05VcECnoJd4Wj8LNWqRfGUrz8KFPdh +nUl1OtfF8srePkvFILuxNbVL9aztAnviy/qj12FK6k9e7fMreGkjP/LO4rpwbxha +3Kv43qC+AtIAIrvVl2acu2IiAoTXPvcTHhw8RYw/XXXxWc+8BhgFq+nLCEqAFr+g 
+UoLhCG1lNVDgh4gHyn/F7slMqkA7fg5xM/so6jARjtREycDtxMun9Oabk8ptt7Ad +ql7kMVhB4ZPEdjpDmE52vz3dKz+WzM5RLSVsfSeampCSPyl/RRldLyaZEaTXgVKV +ZwMVjAbm0XtSQPAJSGDSu3r/Qb5204TNs9MDfp0tikX5pP4s3cnF3b6xhNaiVMKb +stDI1I/iCmJF4SZabI/SotL8mF7o+piafXe0Y05tVGlXmB0XMboXE8UkHXa+fvJm +cZj2MPEVvVvK7mRMlh4D3K0kme94/zdgyScahXDoHd8kWjaN9P6jo6Svcr7RC9qp +RN9dbXA/YUwvp0Qq1+dwDSs4+Y+CACZRR3ZeVGRb30EIWA72S4l26PLRK4QdUaWQ +vm+2vYJ1yDOsIb0/yAIwOKmqM0kR686ZABEBAAGJAjwEGAECACYCGwwWIQS51FtD +ZsacjXXKOgjxwzt6E0b0jgUCXeg0UQUJB7I2KwAKCRDxwzt6E0b0joSwEACS8wEk +eY3uY7IBSL4bkiZI5+CfyoLsmcM6kb4febWmyPSQQxTQfpBDmt0myIG4lKppx7No +pJnfbVcdsO0yFCeBYpHrJAPAdilUOcOj7Mi91yD+l5wAOI5eZGcIeRDprR0rivds +w8eU7QkNOBwIaugVl3OuWNgjJfxpIGEhBkvoEkJdMHg35AI0+Y0D9sGOtY8JZEwz +dPcPaQhlS2JDR5JRGrbyuyMvOxUnwpEZvKH4jzPzAyHS9FLA7qlLrT81XRTJC+8i +lVxf9qb7YCE4SA1VnruKfD0RdtJG273GKijYZRyjbkwuRFBqPm6n3AOUEUDIzFBu +7i7Mo3NDnn7fhm5y6FZzqL5nNhl0nr+0pfq3SGb+iCgJ9oFiEkBUdasjcfUvgR5S +M6sntI4RTqJxt+OflHq/XUvkkV8pceucWKL8yKpUgN/UScZKbq6rLywQblLS2/dk +jKhsMqh86F9x1+wgHXKTYLQ3VgADG5a0WxhJ6TsaJmePMHdWVMmOMwRCvh39Ray8 +SuD6HfVgExapTentK28JX43dQ8v5sSBK0ElcbQAGi40faS0LNB0TGNdA2bQfdxsq +REibpEl+JPnWro8LgEkjFLyzQt7e98F8kGk7bgDbbSGk4cmoIm7Mo2Q5Abx35L9P +fam0vPWERQTD0B9lpzEKF102fGITSxbOPttYLw== +=8AIX +-----END PGP PUBLIC KEY BLOCK-----