I’ve been putting encryption in place for sensitive data in our Salt configuration lately. That is, instead of storing passwords and private SSH keys in clear text in a git repository, store them encrypted.

While doing so I came across the Intothesaltmine guide and tried to use a passphrase-protected key, which means running a gpg-agent alongside Salt.

Salt is GPG-ready: the salt-master has its gpg_keydir, defaulting to /etc/salt/gpgkeys. By the way, encrypted pillar data is decrypted on the master only, so python-gnupg does not need to be installed on the minions.
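To make the master side concrete, here is the shape of a pillar file the gpg renderer expects, together with the encryption step that produces it. This is an added example, not code from the original post or from Salt; the recipient user id salt@example.com and the SALT_GPG_HOME default are placeholders for the key you created.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post, nor from Salt itself):
# produce a pillar SLS whose value the salt-master decrypts with its gpg
# renderer. Assumed placeholders: the recipient user id "salt@example.com"
# and the SALT_GPG_HOME default; adjust them to the key you created.

# Wrap an ASCII-armored PGP message (stdin) into a pillar SLS for KEY.
# "#!yaml|gpg" tells Salt to run the yaml renderer, then the gpg renderer,
# which replaces every armored block with its cleartext on the master.
# The armor goes in a YAML literal block scalar ("|") indented by two
# spaces, so the BEGIN/END lines and the blank header separator survive.
pillar_from_armor() {
  local key=$1
  printf '#!yaml|gpg\n\n%s: |\n' "$key"
  sed 's/^/  /'
}

# Encrypt a secret read from stdin (so it never shows up in argv or ps)
# to the master key and emit the pillar SLS.
# --trust-model always: the master's public key imported on an admin
# workstation is usually not trusted, and we do not want the interactive
# "use this key anyway?" prompt in a script.
pillar_from_secret() {
  local key=$1 recipient=${2:-salt@example.com}
  local home=${SALT_GPG_HOME:-/etc/salt/gpgkeys}
  gpg --homedir "$home" --armor --encrypt --trust-model always \
      --batch --no-tty -r "$recipient" \
    | pillar_from_armor "$key"
}

# Usage: printf '%s' "$DB_PASSWORD" | pillar_from_secret db_password > /srv/pillar/db.sls
```

Encrypting needs only the public key, so this can run on an admin workstation with the master's public key imported; only the decryption on the master needs the private key and hence the agent.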

Now you have the choice: store the master's private key without a passphrase, or protect it with one.

The rest of this post is about the case of an encrypted (passphrase-protected) key.

First off, I wonder whether the salt-master should not ask for the passphrase itself: on one hand it would save us the burden of starting an agent ourselves, but on the other hand the GPG 2.1 client that is already installed starts an agent anyway the first time a passphrase is needed.

salt-master will look for an agent socket in its gpg_keydir: /etc/salt/gpgkeys/S.gpg-agent by default. So the trick is to start a long-running agent at the right place. Note that newer GnuPG 2.1 releases may place the socket under /run/user/<uid>/gnupg rather than in the homedir; gpgconf --homedir /etc/salt/gpgkeys --list-dirs prints the agent-socket path gpg will actually use, so check that it matches before relying on the default.

After having created the key and set up GPG with the following files (comments are on their own lines, since GnuPG option files treat # as a comment only at the start of a line)

# /etc/salt/gpgkeys/gpg.conf
# /etc/salt/gpgkeys/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
# one day
default-cache-ttl 86400
# one year
max-cache-ttl 31536000

I start the agent with this little script:

#!/usr/bin/env bash

# Homedir the salt-master reads (its gpg_keydir) and the uid of the master key.
SALT_GPG_HOME=${SALT_GPG_HOME:-/etc/salt/gpgkeys}
EMAIL_RCPT=${EMAIL_RCPT:?set EMAIL_RCPT to the user id of the salt-master key}

if [ "${UID}" -ne 0 ]; then
  printf "Must be run as root.\n" >&2
  exit 1
fi

# Start the long-lived agent on the homedir the salt-master will look in.
# --write-env-file is obsolete since GnuPG 2.1 (the agent is found through the
# homedir socket); drop it if your gpg-agent rejects the option.
gpg-agent --daemon \
  --homedir "${SALT_GPG_HOME}" \
  --write-env-file "${SALT_GPG_HOME}/.gpg-agent-info"

# Round-trip a throwaway message so the agent asks for the passphrase now
# and caches it. The temporary file only ever holds ciphertext.
tmpasc=$(mktemp)
trap 'rm -f "${tmpasc}"' EXIT
echo "Have a nice day" | gpg --homedir "${SALT_GPG_HOME}" --armor --encrypt \
  -r "${EMAIL_RCPT}" > "${tmpasc}"
gpg --homedir "${SALT_GPG_HOME}" --decrypt "${tmpasc}"

What we do here is start the agent with a very long caching time and immediately use the private key, so that the passphrase is cached and the agent is ready for Salt.

The next step is probably to have the agent started with Salt, or at least monitored, but I haven’t looked into that yet. Furthermore, I wonder whether having the salt-master key in clear on the master is not an acceptable tradeoff: after all, it is restricted to root on a machine with presumably limited access. Note that with a year-long cache the running agent hands the same capability to anyone who can reach its socket as root, so the passphrase mainly protects the key at rest, for instance in backups or disk images.
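The monitoring step mentioned above can be a small readiness check run from cron or a Salt beacon, so that an alert fires before the first pillar render fails. This is an added example, not part of the original post: it assumes a probe file /etc/salt/gpgkeys/.probe.asc (a message encrypted to the master key, written when the agent was primed) and asks gpgconf for the socket path instead of guessing it, since newer GnuPG may not put the socket in the homedir.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check that the long-running
# agent for the salt-master GPG homedir is up and still has the passphrase
# cached. Assumption (not in the post): ${home}/.probe.asc is a small message
# encrypted to the master key, written when the agent was primed.

# Print the agent socket path GnuPG would use for this homedir.
# Newer GnuPG may put it under /run/user/<uid>/gnupg instead of
# ${home}/S.gpg-agent, which is why we ask gpgconf rather than guessing;
# without gpgconf we fall back to the in-homedir socket.
salt_gpg_socket() {
  local home=$1 sock=""
  if command -v gpgconf >/dev/null 2>&1; then
    sock=$(gpgconf --homedir "$home" --list-dirs 2>/dev/null \
           | sed -n 's/^agent-socket:\(.*\)$/\1/p')
  fi
  printf '%s\n' "${sock:-$home/S.gpg-agent}"
}

# Return 0 when the socket exists and the cached passphrase still unlocks
# the key; a distinct non-zero code for each failure so a monitor can tell
# "agent gone" from "cache expired". --pinentry-mode cancel makes gpg fail
# instead of prompting whenever the agent would need to ask for the
# passphrase, which is exactly the condition we want to detect.
salt_gpg_agent_ready() {
  local home=${1:-/etc/salt/gpgkeys}
  local probe=${2:-$home/.probe.asc}
  local sock
  sock=$(salt_gpg_socket "$home")
  [ -S "$sock" ] || { printf 'no agent socket at %s\n' "$sock" >&2; return 2; }
  [ -r "$probe" ] || { printf 'probe file %s missing\n' "$probe" >&2; return 3; }
  gpg --homedir "$home" --batch --no-tty --quiet --pinentry-mode cancel \
      --decrypt "$probe" >/dev/null 2>&1 \
    || { printf 'passphrase not cached for %s\n' "$home" >&2; return 4; }
  return 0
}

# Usage: salt_gpg_agent_ready /etc/salt/gpgkeys && echo "agent ready"
```

Create the probe once, right after priming the agent, with the same encrypt command the priming script uses, and keep it in the homedir: it contains nothing sensitive, and decrypting it exercises the real key without touching any pillar data.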