Skip to main content

SaltStack Pillar Encryption

Encrypting your Pillar data is recommended because it contains your most valuable information like passwords and keys used in your infrastructure. Pillar data is held by the Salt master and only send through an encrypted bus to Minions when used in a state file. 

Encrypting your Pillar data can be done with GPG. This means that you encrypt the values with a public GPG key. This single public key is used by all the users within your organization to encrypt sensitive information. The private key is only available on the Salt master (not the Minions!). Without the private key the encrypted data can not be decrypted.



My Pillar Path: /opt/salt/pillar/prod/
My Environment Path: /opt/salt/environments/prod/


[root@master ~]# mkdir -p /etc/salt/gpgkeys


[root@master ~]# chmod 0700 /etc/salt/gpgkeys

[root@master ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) 
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: vishvendra
Email address: vish@mylab.com
Comment: test keys
You selected this USER-ID:
    "vishvendra (test keys) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 61E46376 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/61E46376 2017-10-17
      Key fingerprint = 3F3B D495 89CC 3EAB ABDE  8BDC 1343 926E 61E4 6376
uid                  vishvendra (test keys) 
sub   2048R/EA0D4B69 2017-10-17

If you want to encrypt the data from other machine, then you can export the keys


[root@master ~]# gpg --export -a "61E46376" > /root/salt-gpg-pub.key


[root@master ~]# cp -vrf .gnupg/* /etc/salt/gpgkeys/
¿.gnupg/private-keys-v1.d¿ -> ¿/etc/salt/gpgkeys/private-keys-v1.d¿
¿.gnupg/pubring.gpg¿ -> ¿/etc/salt/gpgkeys/pubring.gpg¿
¿.gnupg/pubring.gpg~¿ -> ¿/etc/salt/gpgkeys/pubring.gpg~¿
¿.gnupg/random_seed¿ -> ¿/etc/salt/gpgkeys/random_seed¿
¿.gnupg/secring.gpg¿ -> ¿/etc/salt/gpgkeys/secring.gpg¿
¿.gnupg/S.gpg-agent¿ -> ¿/etc/salt/gpgkeys/S.gpg-agent¿
¿.gnupg/trustdb.gpg¿ -> ¿/etc/salt/gpgkeys/trustdb.gpg¿


[root@master ~]# echo -n "httpd" | gpg --armor --batch --trust-model always \ 
--encrypt -r 61E46376
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (GNU/Linux)

hQEMAwl2kBXqDUtpAQf6AgM+X2q8EshZU+NiWP8Fjr8DGGqoh4XdKASWDKLQv+fG
9q4dtQp1o0+AXcKuwaYRG/+Q058zZC0xzHVpJ2h8d0tOWbYXUhEE4OWRmwOkF5nH
G+iYsOV24vv/6MHnkLjmJcyLlK/UyKifJi46gE/ZoN3uAlGE2C6Lt/pz6fEf3nBB
Ehjsju2Fz7IwC/w+0L0rq+pCr/svldqrQ5nruzFXktGrsA615G/Dqh+oJS/fdz8b
uzLOCH1jrhPqpp/mkvNQmQL0qS40th+qJ6ezSk814fvTEVWmKxkTGxzN3ccuDz8T
BqF9bIW1v2fxUYGWHXiObAI7L95xFJQQf4P0I0TattJAAULYcMwsVtG4/1mVR0yf
75lFkDTW6oE1e5Gx9lbzyBoc00v0s85fpjNSzlaESTkfRXxdY664832/L1ipI733
gA==
=PfTL
-----END PGP MESSAGE-----


[root@master ~]# vim /opt/salt/pillar/prod/httpd.sls
#!yaml|gpg
pkg: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v2.0.22 (GNU/Linux)

  hQEMAwl2kBXqDUtpAQf6AgM+X2q8EshZU+NiWP8Fjr8DGGqoh4XdKASWDKLQv+fG
  9q4dtQp1o0+AXcKuwaYRG/+Q058zZC0xzHVpJ2h8d0tOWbYXUhEE4OWRmwOkF5nH
  G+iYsOV24vv/6MHnkLjmJcyLlK/UyKifJi46gE/ZoN3uAlGE2C6Lt/pz6fEf3nBB
  Ehjsju2Fz7IwC/w+0L0rq+pCr/svldqrQ5nruzFXktGrsA615G/Dqh+oJS/fdz8b
  uzLOCH1jrhPqpp/mkvNQmQL0qS40th+qJ6ezSk814fvTEVWmKxkTGxzN3ccuDz8T
  BqF9bIW1v2fxUYGWHXiObAI7L95xFJQQf4P0I0TattJAAULYcMwsVtG4/1mVR0yf
  75lFkDTW6oE1e5Gx9lbzyBoc00v0s85fpjNSzlaESTkfRXxdY664832/L1ipI733
  gA==
  =PfTL
  -----END PGP MESSAGE-----


[root@master ~]# cat /opt/salt/environments/prod/top.sls 
prod:
  '*':
    - httpd



root@master ~]# cat /opt/salt/environments/prod/httpd/init.sls 
pkg_installation_gpg:
  pkg.installed:
    - name: {{ pillar['pkg'] }}


[root@master ~]# salt "centos-01.mylab.com" state.highstate saltenv=prod
centos-01.mylab.com:
----------
          ID: pkg_installation_gpg
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: All specified packages are already installed
     Started: 04:40:03.764644
    Duration: 1553.839 ms
     Changes:   

Summary for centos-01.mylab.com
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   1.554 s

Done... Finally package must be installed which we have encrypted as value.

Comments

Popular posts from this blog

Docker Container Management from Cockpit

Cockpit can manage containers via docker. This functionality is present in the Cockpit docker package. Cockpit communicates with docker via its API via the /var/run/docker.sock unix socket. The docker API is root equivalent, and on a properly configured system, only root can access the docker API. If the currently logged in user is not root then Cockpit will try to escalate the user’s privileges via Polkit or sudo before connecting to the socket. Alternatively, we can create a docker Unix group. Anyone in that docker group can then access the docker API, and gain root privileges on the system. [root@rhel8 ~] #  yum install cockpit-docker    -y  Once the package installed then "containers" section would be added in the dashboard and we can manage the containers and images from the console. We can search or pull an image from docker hub just by searching with the keyword like nginx centos.   Once the Image download...

Remote Systems Management With Cockpit

The cockpit is a Red Hat Enterprise Linux web-based interface designed for managing and monitoring your local system, as well as Linux servers located in your network environment. In RHEL 8 Cockpit is the default installation candidate we can just start the service and then can start the management of machines. For RHEL7 or Fedora based machines we can follow steps to install and configure the cockpit.  Following are the few features of cockpit.  Managing services Managing user accounts Managing and monitoring system services Configuring network interfaces and firewall Reviewing system logs Managing virtual machines Creating diagnostic reports Setting kernel dump configuration Configuring SELinux Updating software Managing system subscriptions Installation of cockpit package.  [root@rhel8 ~] #  dnf   install cockpit cockpit-dashboard  -y  We need to enable the socket.  [root@rhel8 ~] #  systemctl enable --n...

Add The Group Information IN Yum Repository in simple Two steps

= Yum groups and repositories = Yum supports the group commands   * grouplist   * groupinfo   * groupinstall   * groupremove   * groupupdate Groups are read from the "group" xml metadata that is optionally available from each repository. If yum has no repositories which support groups then none of  the group operations will work.  #yum grouplist    This will list the installed and available groups for your system in two    separate lists. If you pass the optional 'hidden' argument then all of     the groups which are set to 'no' in the group xml tag.   yum groupinfo groupname     This will give you detailed information for each group including:   description, mandatory, default and optional packages.       #yum groupinstall groupname      #yum groupupdate groupname   Despite their differing names both of these commands perform the same   func...