@ytjohn
Created January 29, 2016 15:01
GPG-Salt-Prod.md

GPG In Pillar

Include this file in the git repo with your pillar data. It gives anyone committing code the instructions for securely saving and committing sensitive data (like passwords and private certs).

This is the Salt Prod key:

key A1234567: "Salt Prod <salt.prod@mailinator.com>"

```bash
# the public key block is at the bottom of this file, so it can be imported directly
gpg --import GPG-Salt-Prod.md
gpg --sign-key A1234567
# encrypt by id
echo -n "supersecret" | gpg --armor --encrypt -r A1234567
# or by name
echo -n "supersecret" | gpg --armor --encrypt -r "Salt Prod <salt.prod@mailinator.com>"
# note: written this way the secret ends up in your shell history; read it from a file if that matters
```

You can put the output into an sls file like so (the whole message is indented under a YAML literal block, `testsecret: |`):

```yaml
#!jinja|yaml|gpg

testsecret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQIMA+n6jkmYmj4oAQ//SlNh4wiVrkPw7UgsK4LO6rZ8QCHDCVV+UXEIoTTIKqwr
  Ko4AP8AUoKODjfbQoRuGeonHiXRx4vsgoSPg3yu/MpEJa3RRQKDyKSttEnvTYswG
  0OFXqtyotJTSCL+ILA2ZrX1UVHeHagm3lf+5v+wYC/I8sUHVRGGkUfa45JVDl/t6
  bf4IwWjTbGr4+fasfasdfasdfasdfasfdasfdsfasrADKc+IF8mjlwtOprd18tOx
  q8yRxz+KiZ0WZsrdO0oaOJFzLZAYz6lIOWMjC2n6CghHl9xB6TqU4Bj0dlT9N2e4
  E+L+KE+PqBiFMRahwUfX1puesgcK8bmLk56v6q+xI+/r6TvNz508fROyl+opPnL9
  pLABSDXd8m0kJHDaZqLPl1r4e5MZz1iZj2mgmeAR5x4Na8wjgyFFuE5GZqLaYIy6
  /pt8v2Ctz5R/YK62LjsAarFmOX3FixVyTvJ5TqKm/ermtVNRDPJNiIbZoxQqSgAQ
  56TxpQYg8nyMyq86oSgVK1C9Hw/VOUFUW8bQiV5RRjvx+Wz6l0AC0hde4cmus/xm
  IoPxj7XfvBQBzMuuJgezv/lLWzZzYyeG3gI6DM9FCXhhVv88Ie8tzo+ozKg31aHS
  RgEValsU6huhrLigKhMXXqmmLquHZU0qOyqKDcM6mBS55YR62T77vSny39r9GT1V
  k31wfsadf9asfdasf9as9dfas9=
  =WMRd
  -----END PGP MESSAGE-----
```
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

[key data not included in this copy]
=BMEc
-----END PGP PUBLIC KEY BLOCK-----
```
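The committer workflow above (encrypt to the Salt Prod key, paste the armored message into an sls file under `name: |`) as a small script. This is an added example written for this page, not code from the gist or from Salt; it assumes the `gpg` binary is on PATH and that the recipient key has already been imported and signed as described, and `pillar_secret.py`, `pillar_entry` and the other names are the example's own. It reads the secret from stdin so it can come from a file (`< secret.txt`) instead of a command line that lands in shell history, and when run on the master it can prove that the keyring in `/etc/salt/gpgkeys` decrypts the result before you commit it.

```python
"""Encrypt one secret for the Salt gpg renderer and print a ready-to-paste pillar entry.

Added example for this page, not part of the original gist. Assumes the gpg binary
is on PATH and the recipient's public key is imported and signed. All names are the
example's own.
"""
import re
import subprocess
import sys

PGP_MESSAGE_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL
)


def gpg_encrypt(plaintext: bytes, recipient: str, homedir: str = "") -> str:
    """Return the ASCII-armored encryption of plaintext to recipient (key id or uid)."""
    cmd = ["gpg", "--batch", "--armor", "--encrypt", "-r", recipient]
    if homedir:  # e.g. /etc/salt/gpgkeys when run on the master itself
        cmd[1:1] = ["--homedir", homedir]
    return subprocess.run(cmd, input=plaintext, capture_output=True, check=True).stdout.decode()


def gpg_decrypt(armored: str, homedir: str = "") -> bytes:
    """Decrypt an armored message; used to prove the master's keyring can read it."""
    cmd = ["gpg", "--batch", "--quiet", "--decrypt"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    return subprocess.run(cmd, input=armored.encode(), capture_output=True, check=True).stdout


def pillar_entry(name: str, armored: str, indent: int = 2) -> str:
    """Render `name: |` plus the armored message indented as one YAML literal block.

    Every armor line gets the same indent, so YAML strips it again and hands the
    renderer the message unchanged. The blank line after the armor headers is kept
    (as an empty line) because gpg uses it to find the start of the body.
    """
    if not PGP_MESSAGE_RE.search(armored):
        raise ValueError("input is not an ASCII-armored PGP message")
    pad = " " * indent
    body = "\n".join(pad + line if line.strip() else "" for line in armored.strip().splitlines())
    return f"{name}: |\n{body}\n"


def main(argv):
    if len(argv) not in (3, 4):
        sys.exit("usage: pillar_secret.py NAME RECIPIENT [MASTER_HOMEDIR] < secret.txt")
    name, recipient = argv[1], argv[2]
    # Read the secret from stdin (a file or a pipe), not argv, so it stays out of
    # shell history and `ps` output. Bytes are used exactly as given.
    secret = sys.stdin.buffer.read()
    armored = gpg_encrypt(secret, recipient)
    if len(argv) == 4:  # on the master: check the keyring in MASTER_HOMEDIR can decrypt it
        if gpg_decrypt(armored, argv[3]) != secret:
            sys.exit("round trip through the master keyring failed; do not commit this")
    sys.stdout.write(pillar_entry(name, armored))


if __name__ == "__main__":
    main(sys.argv)
```

Typical use on a workstation is `python3 pillar_secret.py testsecret A1234567 < secret.txt >> pillar/secrets.sls`; the output is only valid under a file that starts with the `#!jinja|yaml|gpg` renderer line.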

SALT GPG Notes

This describes how to set up the salt master with gpg and then

Following the instructions on this page, with some modifications.

Prep

```bash
sudo apt-get install python-gnupg haveged # haveged is for entropy when generating the keys, useful for VMs
```

Make the saltmaster keys:

  1. `mkdir /etc/salt/gpgkeys; chmod 700 /etc/salt/gpgkeys`
  2. `gpg --gen-key --homedir /etc/salt/gpgkeys` - Don't set a passphrase (the master has to decrypt unattended, so the directory permissions above are the only thing protecting the secret key), and we'll probably keep the expiration at never. If we do set an expiration, make sure we have a plan to make new keys and re-encrypt the pillar data before it runs out.

Export those keys

```bash
# prodsalt-private.asc ends up holding both the secret and the public key
gpg --homedir /etc/salt/gpgkeys --export-secret-key -a "Salt Prod <salt.prod@mailinator.com>" > prodsalt-private.asc
gpg --homedir /etc/salt/gpgkeys --export -a "Salt Prod <salt.prod@mailinator.com>" >> prodsalt-private.asc
# prodsalt-public.asc is what committers get
gpg --homedir /etc/salt/gpgkeys --export -a "Salt Prod <salt.prod@mailinator.com>" >> prodsalt-public.asc
```

Now you need to back the private file up in a secure vault somewhere. I like to use reddit.com for these things. Or I send it to the Federal Government. They have a good track record lately of keeping things secure. Recovery is tricky though (you have to file a FOIA and wait a long time).

Copy those keys to the other saltmaster and import.

```bash
sudo apt-get install python-gnupg
mkdir /etc/salt/gpgkeys; chmod 700 /etc/salt/gpgkeys
gpg --homedir /etc/salt/gpgkeys --import prodsalt-private.asc
gpg --homedir /etc/salt/gpgkeys --edit-key "Salt Prod <salt.prod@mailinator.com>"
# at the gpg> prompt: type "trust", choose 5 (ultimate trust), then "quit"
```

On your workstation, after a key has been created on the saltmaster and its public key exported:

  1. Make your own keys if you don't already have them: `gpg --gen-key`
  2. Import the public key you downloaded: `gpg --import prodsalt-public.asc`
  3. After importing, sign the key. This stops gpg from asking every time whether you trust the key: `gpg --sign-key A1234567`
  4. `echo -n "supersecret" | gpg --armor --encrypt -r <KEY-name>` NOTE: The webpage says to use --homedir, but that option doesn't work on OS X.

Add to a pillar file

Any pillar file you add encrypted values to needs the renderer line at the top, so Salt runs it through jinja, then yaml, then the gpg renderer.

```yaml
#!jinja|yaml|gpg

testsecret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQIMA+n6jkmYmj4oAQ//SlNh4wiVrkPw7UgsK4LO6rZ8QCHDCVV+UXEIoTTIKqwr
  Ko4AP8AUoKODjfbQoRuGeonHiXRx4vsgoSPg3yu/MpEJa3RRQKDyKSttEnvTYswG
  0OFXqtyotJTSCL+ILA2ZrX1UVHeHagm3lf+5v+wYC/I8sUHVRGGkUfa45JVDl/t6
  bf4IwWjTbGr4+fasfasdfasdfasdfasfdasfdsfasrADKc+IF8mjlwtOprd18tOx
  q8yRxz+KiZ0WZsrdO0oaOJFzLZAYz6lIOWMjC2n6CghHl9xB6TqU4Bj0dlT9N2e4
  E+L+KE+PqBiFMRahwUfX1puesgcK8bmLk56v6q+xI+/r6TvNz508fROyl+opPnL9
  pLABSDXd8m0kJHDaZqLPl1r4e5MZz1iZj2mgmeAR5x4Na8wjgyFFuE5GZqLaYIy6
  /pt8v2Ctz5R/YK62LjsAarFmOX3FixVyTvJ5TqKm/ermtVNRDPJNiIbZoxQqSgAQ
  56TxpQYg8nyMyq86oSgVK1C9Hw/VOUFUW8bQiV5RRjvx+Wz6l0AC0hde4cmus/xm
  IoPxj7XfvBQBzMuuJgezv/lLWzZzYyeG3gI6DM9FCXhhVv88Ie8tzo+ozKg31aHS
  RgEValsU6huhrLigKhMXXqmmLquHZU0qOyqKDcM6mBS55YR62T77vSny39r9GT1V
  k31wfsadf9asfdasf9as9dfas9=
  =WMRd
  -----END PGP MESSAGE-----
```
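The caveat under Prep (if the master key gets an expiration, have a plan to make new keys and re-encrypt the pillar data) comes down to being able to find every PGP message in the pillar tree, decrypt it with the old keyring and encrypt it to the new key without breaking the YAML around it. The script below does that rekeying. It is an added example for this page, not part of the gist or of Salt; it assumes `gpg` is on PATH, that OLD_HOMEDIR can decrypt the existing messages and NEW_HOMEDIR holds the new key, and `rekey_pillar.py`, `rekey_text` and the other names are the example's own.

```python
"""Re-encrypt every secret in a gpg-rendered pillar tree from one master key to another.

Added example for this page, not part of the original gist. Assumes the gpg binary
is on PATH; the old keyring can decrypt and the new key can be encrypted to. Paths,
key ids and function names are the example's own.
"""
import pathlib
import re
import subprocess
import sys
from typing import Callable, Tuple

RENDERER_LINE = "#!jinja|yaml|gpg"

# An armored message together with the indentation of its first line, so the
# replacement can be re-indented identically and the `key: |` literal block stays valid.
BLOCK_RE = re.compile(
    r"^(?P<indent>[ \t]*)-----BEGIN PGP MESSAGE-----.*?^[ \t]*-----END PGP MESSAGE-----[ \t]*$",
    re.MULTILINE | re.DOTALL,
)


def dedent_block(block: str, indent: str) -> str:
    """Undo the YAML indentation; blank armor lines may be '' or just spaces."""
    lines = [l[len(indent):] if l.startswith(indent) else l.strip() for l in block.splitlines()]
    return "\n".join(lines) + "\n"


def reindent(armored: str, indent: str) -> str:
    """Indent a fresh armored message to sit inside the same literal block."""
    return "\n".join(indent + l if l.strip() else "" for l in armored.strip().splitlines())


def rekey_text(text: str, decrypt: Callable[[str], bytes], encrypt: Callable[[bytes], str]) -> Tuple[str, int]:
    """Return (new_text, number_of_messages_replaced).

    A file that does not start with the gpg renderer line is returned untouched, so a
    plain YAML pillar is never rewritten. decrypt/encrypt are injected so the text
    handling can be exercised without a keyring.
    """
    if not text.startswith(RENDERER_LINE):
        return text, 0
    replaced = 0

    def swap(match):
        nonlocal replaced
        plaintext = decrypt(dedent_block(match.group(0), match.group("indent")))
        replaced += 1
        return reindent(encrypt(plaintext), match.group("indent"))

    return BLOCK_RE.sub(swap, text), replaced


def gpg(args, data: bytes, homedir: str) -> bytes:
    """Run the gpg binary against a specific keyring, such as /etc/salt/gpgkeys."""
    cmd = ["gpg", "--batch", "--quiet", "--homedir", homedir] + args
    return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def main(argv):
    if len(argv) != 5:
        sys.exit("usage: rekey_pillar.py PILLAR_ROOT OLD_HOMEDIR NEW_HOMEDIR NEW_KEY_ID")
    root, old_home, new_home, new_key = argv[1:5]
    decrypt = lambda armored: gpg(["--decrypt"], armored.encode(), old_home)
    # --trust-model always: the new key may only have been imported, not signed, in NEW_HOMEDIR
    encrypt = lambda plain: gpg(
        ["--trust-model", "always", "--armor", "--encrypt", "-r", new_key], plain, new_home
    ).decode()
    for path in sorted(pathlib.Path(root).rglob("*.sls")):
        new_text, n = rekey_text(path.read_text(), decrypt, encrypt)
        if n:
            path.write_text(new_text)
            print(f"{path}: re-encrypted {n} value(s) to {new_key}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a clean checkout of the pillar repo on the master (`python3 rekey_pillar.py /srv/pillar /etc/salt/gpgkeys /etc/salt/gpgkeys NEWKEYID` when the new key was generated into the same keyring), review the diff, confirm a `salt-run pillar.show_pillar` style check still renders the secrets with the new key, and only then commit and retire the old key. Keep the old keyring until every master has the new one, since a pillar that only the new key can read is unusable on a master that still has only the old one.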