Enable all secrets encryption

Enable all secrets encryptionΒΆ

The Model Designer UI supports passing a private key to enable automated encryption of secrets.yml during the Salt Master node .iso file generation.

To enable all secrets encryption in the Model Designer UI:

  1. Generate a private PGP key locally. For example:

    mkdir -p ~/mcp-temp-gpg-key ; cd ~/mcp-temp-gpg-key
    cd cat <<EOF > gpg-batch.txt
    Key-Type: 1
    Key-Length: 4096
    Expire-Date: 0
    Name-Real: gpg-demo.com
    Name-Email: saltmasterdemo@example.com
    export GNUPGHOME="$(pwd)/gpghome" ; mkdir -p gpghome ; chmod 0700 gpghome
    gpg --gen-key --batch < gpg-batch.txt
    gpg --export-secret-key -a saltmasterdemo@example.com > gpgkey.asc
    gpg --list-secret-keys
  2. Copy the generated private PGP key:

    cat gpgkey.asc

    Example of system response:

    Version: GnuPG v1
  3. Proceed with the metadata model generation as described in Define the deployment model. While generating the metadata model, enable the following parameters:

    • In General -> Services section, select Secrets Encryption Enabled
    • In Infra -> Salt Master section, paste the private key to the Secrets Encryption Private Key field
  4. Proceed to the metadata model generation.