Key Generation

This section outlines the steps required to generate the GPG public and private keys that the rest of the configuration depends on.

mkdir /etc/salt/gpgkeys
chmod 0700 /etc/salt/gpgkeys

gpg --homedir /etc/salt/gpgkeys --gen-key

At this point you’ll be prompted with key generation options.

  • Select (1) RSA and RSA (default).
  • Select 2048 for the keysize (default).
  • Select 0 for the key expiration (key does not expire).
  • Enter your project name for Real Name.
  • Enter an email address for Email address.
  • Enter a blank line for Comment.

You’ll be given one last chance to overview what you’ve entered and make any changes. When you’re ready to generate your keys, select (O)kay.

At this point you’ll be prompted for a passphrase. A passphrase makes the overall configuration somewhat more complicated, but it gives the strongest protection for the private key: anyone who copies /etc/salt/gpgkeys still cannot decrypt pillar data without it. The cost is an extra manual step, since the key must be unlocked with the passphrase every time the server is rebooted.

Once the key is generated (it may take some time depending on your hardware) you’ll need to export the public key and import it into the system keyring. To export the public key you’ll need to specify which key (a keyring can hold many keys). Any unique attribute of the key will do, including the Real Name, Email address or Comment entered during key generation. The example below selects the key by its email address and then imports the exported public key into the default keyring of the current user (no --homedir is given, so that is the keyring gpg uses when you encrypt without one).

gpg --homedir /etc/salt/gpgkeys --armor --export <email address> > pubkey.gpg
gpg --import pubkey.gpg

You are now ready to encrypt data using this GPG key-pair. This can be done using a simple shell one-liner, where -r names the recipient key (again by email address) and --armor produces an ASCII-armored message that can be pasted into a text file:

echo -n "top secret data" | gpg --homedir /etc/salt/gpgkeys --armor --encrypt -r <email address>

The resulting armored output can then be used within the SaltStack pillar system in the following format (the base64 body of the message is omitted here; use the complete output of the gpg command above):

secret: |
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1

  <base64 ciphertext lines exactly as printed by gpg>
  -----END PGP MESSAGE-----

Please note the pipe character (“|”) after the key name as well as the YAML-style indentation of the entire GPG cipher value, from the BEGIN line through the END line.
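The whole procedure above (keyring creation, key generation, public-key export, encryption and formatting of the pillar value) as one unattended script. This is an added example and not code from the Salt project or this page. It assumes GnuPG 2.x is on PATH, generates the key with %no-protection so that no passphrase prompt appears (a production key that follows the passphrase advice above would omit that line), uses a throwaway directory from mktemp in place of /etc/salt/gpgkeys, and uses the made-up identity "Demo Project <demo@example.com>"; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the Salt project: the key-generation, export,
# encryption and pillar-formatting steps as one unattended script.
# Assumptions (not from the page): GnuPG 2.x is installed; the key is created
# with %no-protection so no passphrase prompt appears; a throwaway homedir
# created with mktemp stands in for /etc/salt/gpgkeys; the identity
# "Demo Project <demo@example.com>" is made up for the demonstration.

# make_keyring DIR NAME EMAIL
# Create a private keyring directory (mode 0700, as above) and generate a
# non-expiring RSA 2048 key pair in it, mirroring the interactive answers.
make_keyring() {
    mkdir -p "$1" && chmod 0700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# export_pubkey DIR EMAIL
# Print the ASCII-armored public key, selected by its email address.
export_pubkey() {
    gpg --homedir "$1" --batch --armor --export "$2"
}

# encrypt_secret DIR EMAIL PLAINTEXT
# Print an ASCII-armored PGP message encrypted to EMAIL. printf is used
# instead of "echo -n" because its no-trailing-newline behaviour is portable.
encrypt_secret() {
    printf '%s' "$3" | gpg --homedir "$1" --batch --quiet --armor --encrypt -r "$2"
}

# decrypt_secret DIR
# Round-trip check: decrypt an armored message read from stdin with the
# private key held in DIR.
decrypt_secret() {
    gpg --homedir "$1" --batch --quiet --decrypt 2>/dev/null
}

# to_pillar_yaml KEY
# Read an armored message from stdin and emit it as a YAML block scalar:
# "KEY: |" followed by every non-empty line indented by two spaces, so the
# BEGIN and END lines and the headers all sit inside the scalar.
to_pillar_yaml() {
    printf '%s: |\n' "$1"
    sed 's/^./  &/'
}

main() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo" >&2; return 0; }
    dir=$(mktemp -d)
    make_keyring "$dir" "Demo Project" "demo@example.com" 2>/dev/null
    export_pubkey "$dir" "demo@example.com" > "$dir/pubkey.gpg"
    cipher=$(encrypt_secret "$dir" "demo@example.com" "top secret data")
    # The fragment that would be pasted into the pillar file.
    printf '%s\n' "$cipher" | to_pillar_yaml secret
    # Confirm the ciphertext really decrypts to the original value.
    plain=$(printf '%s\n' "$cipher" | decrypt_secret "$dir")
    [ "$plain" = "top secret data" ] && echo "round trip OK" >&2
    gpgconf --homedir "$dir" --kill gpg-agent 2>/dev/null || true
    rm -rf "$dir"
}

main
```

Running the script prints the ready-to-paste pillar fragment on stdout and "round trip OK" on stderr. The sed expression only indents non-empty lines, so the blank line that separates the armor headers from the base64 body stays empty, which YAML accepts inside a block scalar; the two-space prefix on every other line is what the pipe notation described above requires.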