salt.modules.nacl

requires:libnacl

https://github.com/saltstack/libnacl

This module helps include encrypted passwords in pillars, grains and salt state files. This is often usefull if you wish to store your pillars in source control or share your pillar data with others that you trust. I dont advise making your pillars public regardless if they are encrypted or not.

When generating keys and encrypting passwords use --local when using salt-call for extra security. Also consider using just the salt runner nacl when encrypting pillar passwords.

The nacl lib uses 32byte keys, these keys are base64 encoded to make your life more simple. To generate your key or keyfile you can use:

salt-call --local nacl.keygen keyfile=/root/.nacl

Now with your key, you can encrypt some data

salt-call --local nacl.enc mypass keyfile=/root/.nacl DRB7Q6/X5gGSRCTpZyxS6hXO5LnlJIIJ4ivbmUlbWj0llUA+uaVyvou3vJ4=

To decrypt the data

salt-call --local nacl.dec data='DRB7Q6/X5gGSRCTpZyxS6hXO5LnlJIIJ4ivbmUlbWj0llUA+uaVyvou3vJ4=' keyfile=/root/.nacl mypass

The following optional configurations can be defined in the minion or master config. Avoide storeing the config in pillars!

cat /etc/salt/master.d/nacl.conf nacl.config:

key: None keyfile: /root/.nacl

When the key is defined in the master config you can use it from the nacl runner:

salt-run nacl.enc 'myotherpass'

Now you can create a pillar with protected data like:

pillarexample:
user: root password: {{ salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hXO5LnlJIIJ4ivbmUlbWj0llUA+uaVyvou3vJ4=') }}

Or do somthing interesting with grains like:

salt-call nacl.enc minionname:dbrole AL24Z2C5OlkReer3DuQTFdrNLchLuz3NGIhGjZkLtKRYry/b/CksWM8O9yskLwH2AGVLoEXI5jAa

salt minionname grains.setval role 'AL24Z2C5OlkReer3DuQTFdrNLchLuz3NGIhGjZkLtKRYry/b/CksWM8O9yskLwH2AGVLoEXI5jAa'

{%- set r = grains.get('role') %} {%- set role = None %} {%- if r and 'nacl.dec' in salt %}

{%- set r = salt['nacl.dec'](r,keyfile='/root/.nacl').split(':') %} {%- if opts['id'] == r[0] %}

{%- set role = r[1] %}

{%- endif %}

{%- endif %} base:

{%- if role %} '{{ opts['id'] }}':

  • {{ role }}

{%- endif %}

salt.modules.nacl.dec(data, **kwargs)

Takes a key generated from nacl.keygen and decrypt some data.

CLI Examples:

salt-call --local nacl.dec pEXHQM6cuaF7A=
salt-call --local nacl.dec data='pEXHQM6cuaF7A=' keyfile=/root/.nacl
salt-call --local nacl.dec data='pEXHQM6cuaF7A=' key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k='
salt.modules.nacl.enc(data, **kwargs)

Takes a key generated from nacl.keygen and encrypt some data.

CLI Examples:

salt-call --local nacl.enc datatoenc
salt-call --local nacl.enc datatoenc keyfile=/root/.nacl
salt-call --local nacl.enc datatoenc key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k='
salt.modules.nacl.keygen(keyfile=None)

Use libnacl to generate a private key

CLI Examples:

salt-call --local nacl.keygen
salt-call --local nacl.keygen keyfile=/root/.nacl
salt-call --local --out=newline_values_only nacl.keygen > /root/.nacl