Manage secrets in the Reclass model

Manage secrets in the Reclass modelΒΆ

MCP uses the GPG encryption to protect sensitive data in the Git repositories of the Reclass model. The private key from the encrypted data is stored on the Salt Master node and is available to the root user only. Usually, the data stored in the secrets.yml files located in the /srv/salt/reclass/cluster directory is encrypted. The decryption key is located in a keyring in /etc/salt/gpgkeys.


MCP uses the secrets file name for organizing sensitive data management. If required, you can encrypt data in other files, as well as use unencrypted data in the secrets.yml files.

The secrets encryption feature is not enabled by default. To enable the feature, define secrets_encryption_enabled: 'True' in the Cookiecutter context before the deployment. See MCP Deployment Guide: Infrastructure related parameters: Salt Master for the details.

To change a password:

  1. Get the ID of the private key in question:

    # GNUPGHOME=/etc/salt/gpgkeys gpg --list-secret-keys

    The machine-readable version of the above command:

    # GNUPGHOME=/etc/salt/gpgkeys gpg --list-secret-keys --with-colons | awk -F: -e '/^sec/{print $5}'
  2. Encrypt the new password:

    # echo -ne <new_password> | GNUPGHOME=/etc/salt/gpgkeys gpg --encrypt --always-trust -a -r <key_id>
  3. Add the new password to secrets.yml.

To decrypt the data:

To get the decoded value, pass the encrypted value to the command:

# GNUPGHOME=/etc/salt/gpgkeys gpg --decrypt

To change the secret encryption private key:

  1. Add a new key to keyring in /etc/salt/gpgkeys using one of the following options:

    • Import the existing key:

      # GNUPGHOME=/etc/salt/gpgkeys gpg --import < <key_file>
    • Create a new key:

      # GNUPGHOME=/etc/salt/gpgkeys gpg --gen-key
  2. Replace all encrypted fields in all secrets.yml files with the encrypted value for new key_id.