saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[FEATURE REQUEST] Add support for modern `age` encryption algorithm to encrypt Pillar values #61651

Open MurzNN opened 2 years ago

MurzNN commented 2 years ago

Is your feature request related to a problem? Please describe.
We need an easy way to encrypt secrets like passwords and other sensitive data in Pillar files. The currently recommended way is to use the GPG protocol, as described here: https://docs.saltproject.io/en/latest/topics/pillar/index.html#pillar-encryption

But it is overcomplicated for most newbies; as a result, most of them prefer to store secrets as plaintext rather than gain a deep understanding of GPG technology with its private/public keys, importing and exporting, manually encrypting and pasting PGP messages into files, etc.

Especially given the lack of detailed information, examples and how-tos in the official SaltStack documentation about configuring and using GPG to encrypt Pillar values.

Describe the solution you'd like
The age encryption algorithm is very promising and much simpler than the current GPG protocol. Here are more details about it: age-encryption.org

And we already have a Python library with support for age: https://pypi.org/project/age/ (and in many other languages too).

As a result, many other projects are switching from the overcomplicated GPG/PGP algorithms to age, because it is much easier to understand, produces more compact encrypted values that can be stored as a single line in YAML files, and has other benefits over old-school GPG.

So, instead of something like this:

secrets:
  vault:
    foo: |
      -----BEGIN PGP MESSAGE-----

      hQEMAw2B674HRhwSAQgAhTrN8NizwUv/VunVrqa4/X8t6EUulrnhKcSeb8sZS4th
      W1Qz3K2NjL4lkUHCQHKZVx/VoZY7zsddBIFvvoGGfj8+2wjkEDwFmFjGE4DEsS74
      ZLRFIFJC1iB/O0AiQ+oU745skQkU6OEKxqavmKMrKo3rvJ8ZCXDC470+i2/Hqrp7
      +KWGmaDOO422JaSKRm5D9bQZr9oX7KqnrPG9I1+UbJyQSJdsdtquPWmeIpamEVHb
      VMDNQRjSezZ1yKC4kCWm3YQbBF76qTHzG1VlLF5qOzuGI9VkyvlMaLfMibriqY73
      zBbPzf6Bkp2+Y9qyzuveYMmwS4sEOuZL/PetqisWe9JGAWD/O+slQ2KRu9hNww06
      KMDPJRdyj5bRuBVE4hHkkP23KrYr7SuhW2vpe7O/MvWEJ9uDNegpMLhTWruGngJh
      iFndxegN9w==
      =bAuo
      -----END PGP MESSAGE-----
    bar: this was unencrypted already

We would get something like this:

secrets:
  vault:
    foo: ENC[AES256_GCM,data:b0QiOeVZx9viV/wzyrCazxckDhM=,iv:Gk5pjSAnKj4mDHsuvwdKCl953ltJBrIP02qxgoiQuyI=,tag:v66h/nT5SN/5htaXpE4yeg==,type:str]
    bar: this was unencrypted already

Looks much better, doesn't it?

For example, Mozilla SOPS already recommends considering age over PGP:

age is a simple, modern, and secure tool for encrypting files. It's recommended to use age over PGP, if possible.

Describe alternatives you've considered
Maybe there are some other simple alternatives to age, but it seems that age is the best solution these days.

MurzNN commented 2 years ago

As an example of a simple workflow implementation for working with secret files, we can take the Helm Secrets project; all work with secret files comes down to simple commands:

$ helm secrets enc path/to/file.yaml
$ helm secrets dec path/to/file.yaml
$ helm secrets view path/to/file.yaml
$ helm secrets edit path/to/file.yaml

and that's all! Here is more detailed info about this: https://github.com/jkroepke/helm-secrets/wiki/Usage

So I will be glad to have the same simple encryption process in SaltStack too!

OrangeDog commented 2 years ago

Looks much better, doesn't it?

Not particularly. What happens when you don't want massively long lines?

An option for symmetric encryption may be useful, but what the ciphertext looks like should be irrelevant. In general, asymmetric encryption is a lot safer for Salt's use cases, as the private key never needs to leave the master. Developers should be able to add secrets without also being able to read every existing secret.

Note that you can implement this yourself already, and it could be distributed as a salt extension. https://docs.saltproject.io/en/latest/ref/renderers/index.html#writing-renderers

whytewolf commented 2 years ago

This is actually a prime candidate for a salt-extension, as it is unlikely to get added directly.

pmuller commented 3 months ago

I am working on a Saltstack extension to integrate age: https://github.com/pmuller/saltstack-age

It probably still requires some work, but it is already usable. I published it on PyPI so you can easily install it. Feedback appreciated! :)