Key Generation

This section outlines the steps required to generate the required public and private keys.

mkdir /etc/salt/gpgkeys
chmod 0700 /etc/salt/gpgkeys

gpg --homedir /etc/salt/gpgkeys --gen-key

At this point you’ll be prompted with key generation options.

  • Select (1) RSA and RSA (default).
  • Select 2048 for the keysize (default).
  • Select 0 for the key expiration (key does not expire).
  • Enter your project name for Real Name.
  • Enter an email address for Email address.
  • Enter a blank line for Comment.

You’ll be given one last chance to overview what you’ve entered and make any changes. When you’re ready to generate your keys, select (O)kay.

At this point you’ll be prompted for a passphrase. Adding a passphrase makes the overall configuration a bit more complicated, but provides the strongest protection for the key: it must be manually unlocked with the passphrase any time the server is rebooted.

Once the key is generated (it may take some time depending on your hardware) you’ll need to export the public key and import it into the system’s keyring. To export the public key you need to specify which key to export (as systems can have many keys). This can be done using any unique information about the key, including the Real Name, Email address or Comment entered during key generation. The example below exports the key using the email address.

gpg --homedir /etc/salt/gpgkeys --armor --export email@address.org > pubkey.gpg
gpg --import pubkey.gpg

You are now ready to encrypt data using this GPG key-pair. This can be done using a simple shell one-liner:

echo -n "top secret data" | gpg --homedir /etc/salt/gpgkeys --armor --encrypt -r email@address.org

The resulting output can then be used in the SaltStack pillar system in the following format:

secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
  QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
  cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
  RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
  m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
  Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
  FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
  skqmFTbOiA==
  =Eqsm
  -----END PGP MESSAGE-----

Note

Please note the pipe character (“|”) after the key name as well as the YAML-style indentation for the entire GPG cipher value.
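As an added example (not part of the Salt documentation), the helper below runs the same encryption command as above and wraps the armored output in the pillar format the Note describes, with the pipe after the key name and every armor line indented; it assumes the /etc/salt/gpgkeys home directory and a recipient address as placeholders, and the armored sample embedded in it is constructed, not real ciphertext.

```python
"""Wrap GPG-armored ciphertext as a Salt pillar literal block scalar."""
import subprocess
import textwrap

# Constructed sample of what `gpg --armor --encrypt` prints; not real ciphertext.
SAMPLE_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: GnuPG v1\n"
    "\n"
    "hQEMAcONSTRUCTEDsampleLINEone0000000000000000000000000000000000\n"
    "cONSTRUCTEDsampleLINEtwo==\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)


def encrypt_with_gpg(plaintext: str, recipient: str,
                     homedir: str = "/etc/salt/gpgkeys") -> str:
    """Run the docs' encrypt command and return the ASCII-armored message.

    Like `echo -n`, no trailing newline is added to the plaintext.
    """
    cmd = ["gpg", "--homedir", homedir, "--armor", "--encrypt", "-r", recipient]
    out = subprocess.run(cmd, input=plaintext.encode(), capture_output=True, check=True)
    return out.stdout.decode()


def to_pillar_yaml(key: str, armored: str, indent: int = 2) -> str:
    """Emit `key: |` followed by the armored block, every line indented.

    The pipe keeps line breaks verbatim; the indentation marks where the
    scalar ends, so each armor line must sit at the same depth. The blank
    line after the 'Version:' header is emitted empty, which YAML accepts.
    """
    lines = armored.strip("\n").splitlines()
    if lines[0] != "-----BEGIN PGP MESSAGE-----" or lines[-1] != "-----END PGP MESSAGE-----":
        raise ValueError("input is not a complete ASCII-armored PGP message")
    body = "\n".join((" " * indent + ln) if ln else "" for ln in lines)
    return f"{key}: |\n{body}\n"


def literal_block(pillar_yaml: str, key: str) -> str:
    """Minimal reader for one `key: |` block, to show the armor round-trips.

    Collects indented and blank lines after the key until the first dedented
    non-blank line, then strips the common indentation (no YAML library needed).
    """
    lines = pillar_yaml.splitlines()
    start = lines.index(f"{key}: |") + 1
    block = []
    for ln in lines[start:]:
        if ln and not ln.startswith(" "):
            break
        block.append(ln)
    return textwrap.dedent("\n".join(block)).strip("\n") + "\n"
```

To go from plaintext to a pillar fragment in one step, call `to_pillar_yaml("secret", encrypt_with_gpg("top secret data", "email@address.org"))`.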