Manage a GPG keychains, add keys, create keys, retrieve keys from keyservers. Sign, encrypt and sign & encrypt text and files.
New in version 2015.5.0.
Note
The python-gnupg
library and gpg binary are
required to be installed.
salt.modules.gpg.
create_key
(key_type='RSA', key_length=1024, name_real='Autogenerated Key', name_comment='Generated by SaltStack', name_email=None, subkey_type=None, subkey_length=None, expire_date=None, use_passphrase=False, user=None, gnupghome=None)¶Create a key in the GPG keychain
Note
GPG key generation requires a lot of entropy and randomness. Difficult to do over a remote connection, consider having another process available which is generating randomness for the machine. Also especially difficult on virtual machines, consider the rng-tools package.
The create_key process takes awhile so increasing the timeout may be necessary, e.g. -t 15.
CLI Example:
salt -t 15 '*' gpg.create_key
salt.modules.gpg.
decrypt
(user=None, text=None, filename=None, output=None, use_passphrase=False, gnupghome=None)¶Decrypt a message or file
CLI Example:
salt '*' gpg.decrypt filename='/path/to/important.file.gpg'
salt '*' gpg.decrypt filename='/path/to/important.file.gpg' use_pasphrase=True
salt.modules.gpg.
delete_key
(keyid=None, fingerprint=None, delete_secret=False, user=None, gnupghome=None)¶Get a key from the GPG keychain
CLI Example:
salt '*' gpg.delete_key keyid=3FAD9F1E
salt '*' gpg.delete_key fingerprint=53C96788253E58416D20BCD352952C84C3252192
salt '*' gpg.delete_key keyid=3FAD9F1E user=username
salt '*' gpg.delete_key keyid=3FAD9F1E user=username delete_secret=True
salt.modules.gpg.
encrypt
(user=None, recipients=None, text=None, filename=None, output=None, sign=None, use_passphrase=False, gnupghome=None)¶Encrypt a message or file
CLI Example:
salt '*' gpg.encrypt text='Hello there. How are you?'
salt '*' gpg.encrypt filename='/path/to/important.file'
salt '*' gpg.encrypt filename='/path/to/important.file' use_pasphrase=True
salt.modules.gpg.
export_key
(keyids=None, secret=False, user=None, gnupghome=None)¶Export a key from the GPG keychain
CLI Example:
salt '*' gpg.export_key keyids=3FAD9F1E
salt '*' gpg.export_key keyids=3FAD9F1E secret=True
salt '*' gpg.export_key keyid="['3FAD9F1E','3FBD8F1E']" user=username
salt.modules.gpg.
get_key
(keyid=None, fingerprint=None, user=None, gnupghome=None)¶Get a key from the GPG keychain
CLI Example:
salt '*' gpg.get_key keyid=3FAD9F1E
salt '*' gpg.get_key fingerprint=53C96788253E58416D20BCD352952C84C3252192
salt '*' gpg.get_key keyid=3FAD9F1E user=username
salt.modules.gpg.
get_secret_key
(keyid=None, fingerprint=None, user=None, gnupghome=None)¶Get a key from the GPG keychain
CLI Example:
salt '*' gpg.get_secret_key keyid=3FAD9F1E
salt '*' gpg.get_secret_key fingerprint=53C96788253E58416D20BCD352952C84C3252192
salt '*' gpg.get_secret_key keyid=3FAD9F1E user=username
salt.modules.gpg.
import_key
(user=None, text=None, filename=None, gnupghome=None)¶Import a key from text or file
- user
- Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys.
- text
- The text containing to import.
- filename
- The filename containing the key to import.
- gnupghome
- Specify the location where GPG related files are stored.
CLI Example:
salt '*' gpg.import_key text='-----BEGIN PGP PUBLIC KEY BLOCK-----
salt.modules.gpg.
list_keys
(user=None, gnupghome=None)¶List keys in GPG keychain
CLI Example:
salt '*' gpg.list_keys
salt.modules.gpg.
list_secret_keys
(user=None, gnupghome=None)¶List secret keys in GPG keychain
CLI Example:
salt '*' gpg.list_secret_keys
salt.modules.gpg.
receive_keys
(keyserver=None, keys=None, user=None, gnupghome=None)¶Receive key(s) from keyserver and add them to keychain
CLI Example:
salt '*' gpg.receive_key keys='3FAD9F1E'
salt '*' gpg.receive_key keys="['3FAD9F1E','3FBD9F2E']"
salt '*' gpg.receive_key keys=3FAD9F1E user=username
salt.modules.gpg.
search_keys
(text, keyserver=None, user=None)¶Search keys from keyserver
CLI Example:
salt '*' gpg.search_keys user@example.com
salt '*' gpg.search_keys user@example.com keyserver=keyserver.ubuntu.com
salt '*' gpg.search_keys user@example.com keyserver=keyserver.ubuntu.com user=username
salt.modules.gpg.
sign
(user=None, keyid=None, text=None, filename=None, output=None, use_passphrase=False, gnupghome=None)¶Sign message or file
CLI Example:
salt '*' gpg.sign text='Hello there. How are you?'
salt '*' gpg.sign filename='/path/to/important.file'
salt '*' gpg.sign filename='/path/to/important.file' use_pasphrase=True
salt.modules.gpg.
trust_key
(keyid=None, fingerprint=None, trust_level=None, user=None)¶Set the trust level for a key in GPG keychain
CLI Example:
salt '*' gpg.trust_key keyid='3FAD9F1E' trust_level='marginally'
salt '*' gpg.trust_key fingerprint='53C96788253E58416D20BCD352952C84C3252192' trust_level='not_trusted'
salt '*' gpg.trust_key keys=3FAD9F1E trust_level='ultimately' user='username'
salt.modules.gpg.
verify
(text=None, user=None, filename=None, gnupghome=None)¶Verify a message or file
CLI Example:
salt '*' gpg.verify text='Hello there. How are you?'
salt '*' gpg.verify filename='/path/to/important.file'
salt '*' gpg.verify filename='/path/to/important.file' use_pasphrase=True