Enable all secrets encryption

Enable all secrets encryption

The Model Designer UI supports passing a private key to enable automated encryption of secrets.yml during the Salt Master node .iso file generation.

To enable all secrets encryption in the Model Designer UI:

  1. Generate a private PGP key locally. For example:

    mkdir -p ~/mcp-temp-gpg-key ; cd ~/mcp-temp-gpg-key
    cd cat <<EOF > gpg-batch.txt
    Key-Type: 1
    Key-Length: 4096
    Expire-Date: 0
    Name-Real: gpg-demo.com
    Name-Email: saltmasterdemo@example.com
    EOF
    export GNUPGHOME="$(pwd)/gpghome" ; mkdir -p gpghome ; chmod 0700 gpghome
    gpg --gen-key --batch < gpg-batch.txt
    gpg --export-secret-key -a saltmasterdemo@example.com > gpgkey.asc
    gpg --list-secret-keys
    
  2. Copy the generated private PGP key:

    cat gpgkey.asc
    

    Example of system response:

    -----BEGIN PGP PRIVATE KEY BLOCK-----
    Version: GnuPG v1
    
    lQcYBFyKM7kBEADGU6P/Lp9YRMY/vLw7VOF5Sox1rnu2lz6YqnNQ2J+ZHVlPA9R
    ........
    
  3. Proceed with the metadata model generation as described in Define the deployment model. While generating the metadata model, enable the following parameters:

    • In General -> Services section, select Secrets Encryption Enabled

    • In Infra -> Salt Master section, paste the private key to the Secrets Encryption Private Key field

  4. Proceed to the metadata model generation.