Enable all secrets encryption

The Model Designer UI supports passing a private key to enable automated encryption of secrets.yml during the Salt Master node .iso file generation.

To enable all secrets encryption in the Model Designer UI:

  1. Generate a private PGP key locally. For example:

    # Work in a throwaway directory with an isolated GNUPGHOME so the demo key
    # does not land in your personal keyring.
    mkdir -p ~/mcp-temp-gpg-key ; cd ~/mcp-temp-gpg-key
    cat <<EOF > gpg-batch.txt
    Key-Type: 1
    Key-Length: 4096
    Expire-Date: 0
    Name-Real: gpg-demo.com
    Name-Email: saltmasterdemo@example.com
    EOF
    export GNUPGHOME="$(pwd)/gpghome" ; mkdir -p gpghome ; chmod 0700 gpghome
    # Unattended generation from the batch file above; on GnuPG 2.1+ this prompts
    # for a passphrase unless the batch file also contains a %no-protection line.
    gpg --gen-key --batch < gpg-batch.txt
    # Export the ASCII-armored private key that will be pasted into the UI.
    gpg --export-secret-key -a saltmasterdemo@example.com > gpgkey.asc
    gpg --list-secret-keys
    
  2. Copy the generated private PGP key:

    cat gpgkey.asc
    

    Example of system response:

    -----BEGIN PGP PRIVATE KEY BLOCK-----
    Version: GnuPG v1
    
    lQcYBFyKM7kBEADGU6P/Lp9YRMY/vLw7VOF5Sox1rnu2lz6YqnNQ2J+ZHVlPA9R
    ........
    
  3. Proceed with the metadata model generation as described in Define the deployment model. While generating the metadata model, enable the following parameters:

    • In General -> Services section, select Secrets Encryption Enabled
    • In Infra -> Salt Master section, paste the private key to the Secrets Encryption Private Key field

  4. Proceed to the metadata model generation.
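A paste into the Secrets Encryption Private Key field that is truncated, mangled by a terminal, or is the public key block by mistake will only surface later as a failed .iso build. The following is an added example, not code from the Model Designer or this documentation, that checks a copied armored block the way OpenPGP armor defines it (RFC 4880 section 6.1): correct BEGIN/END lines for a private key, decodable radix-64 body, and a matching CRC-24. The sample block it validates is constructed from placeholder bytes, not a real key.

```python
import base64

# CRC-24 constants from RFC 4880 section 6.1 (used for the "=XXXX" armor tail).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"


def crc24(data):
    """Compute the OpenPGP armor checksum over the decoded payload."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_private_key(payload):
    """Wrap constructed bytes in private-key armor (test input only, not a key)."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    tail = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Version: GnuPG v1", ""] + lines + [tail, END, ""])


def check_private_key_armor(text):
    """Return (ok, reason) for text about to be pasted into the UI field."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        return False, "missing BEGIN line: not a private key block (public key pasted?)"
    if lines[-1] != END:
        return False, "missing END line: paste is truncated"
    if "" not in lines:
        return False, "no blank line between armor headers and data"
    data = lines[lines.index("") + 1:-1]
    if not data or not data[-1].startswith("="):
        return False, "missing CRC line"
    try:
        payload = base64.b64decode("".join(data[:-1]), validate=True)
        expected = int.from_bytes(base64.b64decode(data[-1][1:], validate=True), "big")
    except ValueError:
        return False, "radix-64 decode failed: corrupted paste"
    if crc24(payload) != expected:
        return False, "CRC-24 mismatch: corrupted or truncated paste"
    return True, "armor intact"
```

Run the check on the contents of gpgkey.asc before pasting; any result other than "armor intact" means the key will not survive the copy.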