Tuesday, October 17, 2017

SaltStack Pillar Encryption

Encrypting your Pillar data is recommended because it contains your most valuable information, like passwords and keys used in your infrastructure. Pillar data is held by the Salt master and is only sent, over an encrypted bus, to Minions that use it in a state file.

Encrypting your Pillar data can be done with GPG. This means that you encrypt the values with a public GPG key. This single public key is used by all the users within your organization to encrypt sensitive information. The private key is only available on the Salt master (not the Minions!). Without the private key the encrypted data cannot be decrypted.



My Pillar Path: /opt/salt/pillar/prod/
My Environment Path: /opt/salt/environments/prod/


[root@master ~]# mkdir -p /etc/salt/gpgkeys


[root@master ~]# chmod 0700 /etc/salt/gpgkeys

[root@master ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) 
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: vishvendra
Email address: vish@mylab.com
Comment: test keys
You selected this USER-ID:
    "vishvendra (test keys) <vish@mylab.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 61E46376 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/61E46376 2017-10-17
      Key fingerprint = 3F3B D495 89CC 3EAB ABDE  8BDC 1343 926E 61E4 6376
uid                  vishvendra (test keys) <vish@mylab.com>
sub   2048R/EA0D4B69 2017-10-17

If you want to encrypt data from another machine, export the public key and copy it there:


[root@master ~]# gpg --export -a "61E46376" > /root/salt-gpg-pub.key


[root@master ~]# cp -vrf .gnupg/* /etc/salt/gpgkeys/
'.gnupg/private-keys-v1.d' -> '/etc/salt/gpgkeys/private-keys-v1.d'
'.gnupg/pubring.gpg' -> '/etc/salt/gpgkeys/pubring.gpg'
'.gnupg/pubring.gpg~' -> '/etc/salt/gpgkeys/pubring.gpg~'
'.gnupg/random_seed' -> '/etc/salt/gpgkeys/random_seed'
'.gnupg/secring.gpg' -> '/etc/salt/gpgkeys/secring.gpg'
'.gnupg/S.gpg-agent' -> '/etc/salt/gpgkeys/S.gpg-agent'
'.gnupg/trustdb.gpg' -> '/etc/salt/gpgkeys/trustdb.gpg'


[root@master ~]# echo -n "httpd" | gpg --armor --batch --trust-model always \
    --encrypt -r 61E46376
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (GNU/Linux)

hQEMAwl2kBXqDUtpAQf6AgM+X2q8EshZU+NiWP8Fjr8DGGqoh4XdKASWDKLQv+fG
9q4dtQp1o0+AXcKuwaYRG/+Q058zZC0xzHVpJ2h8d0tOWbYXUhEE4OWRmwOkF5nH
G+iYsOV24vv/6MHnkLjmJcyLlK/UyKifJi46gE/ZoN3uAlGE2C6Lt/pz6fEf3nBB
Ehjsju2Fz7IwC/w+0L0rq+pCr/svldqrQ5nruzFXktGrsA615G/Dqh+oJS/fdz8b
uzLOCH1jrhPqpp/mkvNQmQL0qS40th+qJ6ezSk814fvTEVWmKxkTGxzN3ccuDz8T
BqF9bIW1v2fxUYGWHXiObAI7L95xFJQQf4P0I0TattJAAULYcMwsVtG4/1mVR0yf
75lFkDTW6oE1e5Gx9lbzyBoc00v0s85fpjNSzlaESTkfRXxdY664832/L1ipI733
gA==
=PfTL
-----END PGP MESSAGE-----


[root@master ~]# vim /opt/salt/pillar/prod/httpd.sls
#!yaml|gpg
pkg: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v2.0.22 (GNU/Linux)

  hQEMAwl2kBXqDUtpAQf6AgM+X2q8EshZU+NiWP8Fjr8DGGqoh4XdKASWDKLQv+fG
  9q4dtQp1o0+AXcKuwaYRG/+Q058zZC0xzHVpJ2h8d0tOWbYXUhEE4OWRmwOkF5nH
  G+iYsOV24vv/6MHnkLjmJcyLlK/UyKifJi46gE/ZoN3uAlGE2C6Lt/pz6fEf3nBB
  Ehjsju2Fz7IwC/w+0L0rq+pCr/svldqrQ5nruzFXktGrsA615G/Dqh+oJS/fdz8b
  uzLOCH1jrhPqpp/mkvNQmQL0qS40th+qJ6ezSk814fvTEVWmKxkTGxzN3ccuDz8T
  BqF9bIW1v2fxUYGWHXiObAI7L95xFJQQf4P0I0TattJAAULYcMwsVtG4/1mVR0yf
  75lFkDTW6oE1e5Gx9lbzyBoc00v0s85fpjNSzlaESTkfRXxdY664832/L1ipI733
  gA==
  =PfTL
  -----END PGP MESSAGE-----


[root@master ~]# cat /opt/salt/environments/prod/top.sls 
prod:
  '*':
    - httpd



[root@master ~]# cat /opt/salt/environments/prod/httpd/init.sls
pkg_installation_gpg:
  pkg.installed:
    - name: {{ pillar['pkg'] }}


[root@master ~]# salt "centos-01.mylab.com" state.highstate saltenv=prod
centos-01.mylab.com:
----------
          ID: pkg_installation_gpg
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: All specified packages are already installed
     Started: 04:40:03.764644
    Duration: 1553.839 ms
     Changes:   

Summary for centos-01.mylab.com
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   1.554 s

Done. The package whose name we encrypted as a Pillar value has been installed on the Minion.
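To make clear what the `#!yaml|gpg` line actually does on the master, here is an added example (written for this page, not Salt's own renderer code) that re-implements the decryption step in Python, the language Salt's renderers are written in. After the `yaml` renderer has turned httpd.sls into a dict, the `gpg` renderer walks that dict and replaces every ASCII-armored PGP block with its plaintext, using the private key in /etc/salt/gpgkeys. The `gpg_decrypt` function shells out to the real `gpg`; the sample pillar, the ciphertext stand-in and `fake_decrypt` are constructed so the walk can be exercised without a keyring.

```python
"""Illustrative re-implementation of the decryption step behind ``#!yaml|gpg``.

Added example, not Salt's own renderer: it shows the shape of the work, a walk
over the rendered pillar structure that decrypts armored blocks in place.
"""
import re
import subprocess
from typing import Any, Callable

GPG_HOME = "/etc/salt/gpgkeys"  # keyring directory created on the master above

# An armored OpenPGP message embedded anywhere inside a string value.
GPG_CIPHERTEXT = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL
)


def gpg_decrypt(ciphertext: str, homedir: str = GPG_HOME) -> str:
    """Decrypt one armored block with gpg on the master.

    --batch and --no-tty make gpg fail instead of prompting, which is why the
    master's key is generated without a passphrase. A wrong keyring or an
    unreadable private key raises CalledProcessError instead of returning
    ciphertext to the caller.
    """
    proc = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--no-tty", "--quiet",
         "--decrypt"],
        input=ciphertext.encode(),
        capture_output=True,
        check=True,
    )
    return proc.stdout.decode()


def decrypt_pillar(data: Any, decrypt: Callable[[str], str] = gpg_decrypt) -> Any:
    """Recursively replace PGP blocks in dicts, lists and strings.

    Clear values pass through untouched, so encrypted and plain values can
    share one pillar file. When a string contained a block, surrounding
    whitespace is stripped: a YAML block scalar (``pkg: |``) ends with a
    newline that would otherwise become part of the package name.
    """
    if isinstance(data, dict):
        return {k: decrypt_pillar(v, decrypt) for k, v in data.items()}
    if isinstance(data, list):
        return [decrypt_pillar(v, decrypt) for v in data]
    if isinstance(data, str):
        text, count = GPG_CIPHERTEXT.subn(lambda m: decrypt(m.group(0)), data)
        return text.strip() if count else data
    return data


# Constructed stand-in for the armored block in httpd.sls (not a real
# ciphertext; everything between the markers is opaque to the walker).
SAMPLE_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: GnuPG v2.0.22 (GNU/Linux)\n"
    "\n"
    "CONSTRUCTEDNOTAREALCIPHERTEXT\n"
    "=XXXX\n"
    "-----END PGP MESSAGE-----"
)

# Constructed: what the yaml renderer hands over for a pillar like httpd.sls,
# extended with a clear value and a list to show that mixed content is fine.
SAMPLE_PILLAR = {
    "pkg": SAMPLE_CIPHERTEXT + "\n",   # block scalar keeps its trailing newline
    "docroot": "/var/www/html",        # not encrypted, must survive unchanged
    "extra_pkgs": ["mod_ssl", SAMPLE_CIPHERTEXT + "\n"],
}


def fake_decrypt(ciphertext: str) -> str:
    """Stand-in for gpg_decrypt so the walk runs without a keyring."""
    if ciphertext != SAMPLE_CIPHERTEXT:
        raise ValueError("unexpected ciphertext")
    return "httpd"  # what gpg would print for the message encrypted above


def render_sample() -> dict:
    """Render SAMPLE_PILLAR the way the master would before sending it."""
    return decrypt_pillar(SAMPLE_PILLAR, fake_decrypt)


if __name__ == "__main__":
    print(render_sample())
```

Because decryption happens inside `decrypt_pillar` on the master, the Minion only ever receives the rendered dict with `pkg: httpd`; the ciphertext and the private key never leave the master, which is the property the whole setup relies on.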