MCP uses GPG encryption to protect sensitive data in the Git repositories of the Reclass model. The private key that decrypts this data is stored on the Salt Master node, in a keyring located in /etc/salt/gpgkeys, and is available to the root user only. By convention, the encrypted data lives in the secrets.yml files located under the /srv/salt/reclass/cluster directory.
Note
MCP uses the secrets file name to organize sensitive data management. If required, you can encrypt data in other files as well, and you can also keep unencrypted data in the secrets.yml files.
The secrets encryption feature is not enabled by default. To enable it, define secrets_encryption_enabled: 'True' in the Cookiecutter context before the deployment. For details, see MCP Deployment Guide: Infrastructure related parameters: Salt Master.
To change a password:
1. Get the ID of the private key in question:
# GNUPGHOME=/etc/salt/gpgkeys gpg --list-secret-keys
The machine-readable version of the above command prints only the key IDs (field 5 of the sec records):
# GNUPGHOME=/etc/salt/gpgkeys gpg --list-secret-keys --with-colons | awk -F: '/^sec/{print $5}'
2. Encrypt the new password. Use printf rather than echo so that no trailing newline or interpreted escape sequence becomes part of the secret. Note that a password typed on the command line ends up in the shell history and is briefly visible in the process list; to avoid that, let gpg read it from stdin interactively (finish with Ctrl-D) or from a file with restricted permissions:
# printf '%s' '<new_password>' | GNUPGHOME=/etc/salt/gpgkeys gpg --encrypt --always-trust -a -r <key_id>
3. Add the resulting ASCII-armored block (from -----BEGIN PGP MESSAGE----- to -----END PGP MESSAGE-----) to secrets.yml as the value of the parameter, replacing the old encrypted value.
To decrypt the data, pass the encrypted value on stdin to the following command; it prints the decoded value:
# GNUPGHOME=/etc/salt/gpgkeys gpg --decrypt
To change the secrets encryption private key:
1. Add a new key to the keyring in /etc/salt/gpgkeys using one of the following options:
Import an existing key:
# GNUPGHOME=/etc/salt/gpgkeys gpg --import < <key_file>
Create a new key:
# GNUPGHOME=/etc/salt/gpgkeys gpg --gen-key
2. Replace all encrypted fields in all secrets.yml files with values encrypted for the new key_id: decrypt each field with the old key, which is still present in the keyring, and encrypt the plaintext for the new key. Do not delete the old key until every field has been re-encrypted and the model still renders on the Salt Master; any block that is still encrypted to the old key becomes unrecoverable once that key is removed.
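The script below is an added example written for this section; it is not part of MCP or of the page. It automates step 2 of the key change above (decrypt every encrypted field with the old key, re-encrypt it for the new one, in every secrets.yml under the model) and wraps the key-listing and encryption commands from the password change procedure so the plaintext is only ever passed on stdin. It assumes, which the page does not state, that each encrypted value is stored as an indented ASCII-armored PGP MESSAGE block inside the YAML, and that both the old and the new private key are in the keyring under GNUPGHOME. The function and variable names (parse_secret_key_ids, reencrypt_file, rotate_all, the transform hook) are the example's own.

```shell
#!/bin/sh
# rotate-secrets.sh: re-encrypt every PGP block in the Reclass secrets.yml
# files for a new key. Added example for this page, not MCP's own tooling.
# Assumptions (not stated on the page): each encrypted value is an indented
# ASCII-armored block (-----BEGIN PGP MESSAGE----- ... -----END PGP MESSAGE-----)
# inside a YAML block scalar, and the old and the new private key both live
# in the keyring under GNUPGHOME.

GNUPGHOME="${GNUPGHOME:-/etc/salt/gpgkeys}"
export GNUPGHOME

# Parse the machine-readable key listing on stdin and print the long key ID
# (field 5) of every secret key ("sec" record), one per line.
parse_secret_key_ids() {
    awk -F: '$1 == "sec" { print $5 }'
}

list_secret_key_ids() {
    gpg --batch --list-secret-keys --with-colons | parse_secret_key_ids
}

# Encrypt stdin for key $1 as ASCII armor. Taking the plaintext on stdin
# keeps it out of argv and out of the shell history.
encrypt_for() {
    gpg --batch --quiet --encrypt --always-trust -a -r "$1"
}

# Decrypt an armored block on stdin with whatever key it was encrypted to
# (the old key must still be in the keyring) and re-encrypt it for key $1.
gpg_reencrypt() {
    gpg --batch --quiet --decrypt | encrypt_for "$1"
}

# Rewrite file $1 in place: every PGP MESSAGE block is de-indented, passed
# through $3 (default gpg_reencrypt) with key $2, and written back with the
# original indentation. All other lines are copied untouched.
reencrypt_file() {
    file=$1; new_key=$2; transform=${3:-gpg_reencrypt}
    tmp=$(mktemp) && block=$(mktemp) && out=$(mktemp) || return 1
    indent=''; inblock=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$inblock" -eq 0 ]; then
            case $line in
                *'-----BEGIN PGP MESSAGE-----')
                    indent=${line%%-----BEGIN*}          # leading YAML indentation
                    printf '%s\n' "${line#"$indent"}" >"$block"
                    inblock=1 ;;
                *)  printf '%s\n' "$line" >>"$tmp" ;;
            esac
        else
            printf '%s\n' "${line#"$indent"}" >>"$block"
            case $line in
                *'-----END PGP MESSAGE-----')
                    if ! "$transform" "$new_key" <"$block" >"$out"; then
                        echo "re-encryption failed in $file" >&2
                        rm -f "$tmp" "$block" "$out"; return 1
                    fi
                    sed "/./s/^/$indent/" "$out" >>"$tmp"   # re-indent non-empty lines only
                    inblock=0 ;;
            esac
        fi
    done <"$file"
    if [ "$inblock" -ne 0 ]; then
        echo "unterminated PGP block in $file" >&2
        rm -f "$tmp" "$block" "$out"; return 1
    fi
    cat "$tmp" >"$file"          # overwrite in place, keeping mode and owner
    rm -f "$tmp" "$block" "$out"
}

# Re-encrypt every secrets.yml below $2 (default /srv/salt/reclass/cluster)
# for key $1; stop at the first file that fails.
rotate_all() {
    find "${2:-/srv/salt/reclass/cluster}" -type f -name secrets.yml |
    while IFS= read -r f; do
        reencrypt_file "$f" "$1" || exit 1
        echo "re-encrypted: $f"
    done
}

# Usage: sh rotate-secrets.sh rotate <new_key_id> [<model_dir>]
case ${1:-} in
    rotate) [ -n "${2:-}" ] || { echo "usage: $0 rotate <new_key_id> [<model_dir>]" >&2; exit 2; }
            rotate_all "$2" "${3:-}" ;;
esac
```

Run it as root on the Salt Master after the new key has been imported or generated, with the old key still in the keyring, then commit the rewritten secrets.yml files and check that the model still renders before removing the old key. The third argument of reencrypt_file is a hook for the per-block transformation: the default calls gpg, and substituting a command that only echoes its input gives a dry run that shows whether every block is found and re-indented correctly.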