Open MurzNN opened 2 years ago
As an example of a simple workflow for working with secret files we can take the Helm Secrets project; all work with secret files comes down to simple commands:
$ helm secrets enc path/to/file.yaml
$ helm secrets dec path/to/file.yaml
$ helm secrets view path/to/file.yaml
$ helm secrets edit path/to/file.yaml
and that's all! Here is more detailed info about this: https://github.com/jkroepke/helm-secrets/wiki/Usage
So I would be glad to have the same simple encryption process in SaltStack too!
Looks much better, doesn't it?
Not particularly. What happens when you don't want massively long lines?
An option for symmetric encryption may be useful, but what the ciphertext looks like should be irrelevant. In general, asymmetric encryption is a lot safer for Salt's use cases, as the private key never needs to leave the master. Developers should be able to add secrets without also being able to read every existing secret.
Note that you can implement this yourself already, and it could be distributed as a salt extension. https://docs.saltproject.io/en/latest/ref/renderers/index.html#writing-renderers
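A minimal custom renderer along these lines, as an added example that is not code from this thread or from Salt itself: it assumes the age CLI is installed on the master, an identity file at /etc/salt/age-identity.txt (a constructed placeholder path) and a constructed `age:<base64>` tag convention for encrypted leaf values; the `render` signature follows Salt's renderer interface.

```python
import base64
import re
import subprocess

# Constructed placeholder: path of the master's age identity (private key).
# Only the master holds it; developers encrypt with the matching public key,
# so adding a secret never requires the ability to read existing ones.
AGE_IDENTITY_FILE = "/etc/salt/age-identity.txt"

# Constructed tag convention: a leaf value "age:<base64 of the raw age
# ciphertext>" keeps each secret on a single YAML line.
AGE_TAG = re.compile(r"^age:([A-Za-z0-9+/=]+)$")


def age_cli_decrypt(ciphertext, identity_file=AGE_IDENTITY_FILE):
    """Decrypt raw age ciphertext bytes by piping them to `age -d -i <file>`.

    A failure (wrong key, corrupt data) raises CalledProcessError, so the
    render aborts instead of silently passing ciphertext on to minions.
    """
    result = subprocess.run(
        ["age", "-d", "-i", identity_file],
        input=ciphertext,
        capture_output=True,
        check=True,
    )
    return result.stdout.decode()


def decrypt_tagged(data, decrypt=age_cli_decrypt):
    """Walk the already-parsed pillar structure and replace tagged leaves."""
    if isinstance(data, dict):
        return {k: decrypt_tagged(v, decrypt) for k, v in data.items()}
    if isinstance(data, list):
        return [decrypt_tagged(v, decrypt) for v in data]
    if isinstance(data, str):
        match = AGE_TAG.match(data)
        if match:
            return decrypt(base64.b64decode(match.group(1), validate=True))
    return data  # ints, bools and untagged strings pass through unchanged


def render(data, saltenv="base", sls="", argline="", **kwargs):
    """Salt renderer entry point; chain it after yaml with `#!yaml|age`."""
    return decrypt_tagged(data)
```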
This is actually a prime candidate for a salt-extension, as it is unlikely to get added directly.
I am working on a Saltstack extension to integrate age: https://github.com/pmuller/saltstack-age
It probably still requires some work, but it is already usable. I published it on PyPI so you can easily install it. Feedback appreciated! :)
Is your feature request related to a problem? Please describe.
We need an easy way to encrypt secrets like passwords and other sensitive data in Pillar files. The currently recommended way is to use the GPG protocol, as described here: https://docs.saltproject.io/en/latest/topics/pillar/index.html#pillar-encryption
But it is overcomplicated for most newbies; as a result, most of them prefer to store secrets as plaintext rather than gaining a deep understanding of GPG technology with its private/public keys, importing/exporting, manually encrypting and pasting PGP messages into files, etc.
Especially given the lack of detailed information, examples and how-tos in the official SaltStack documentation about configuring and using GPG to encrypt Pillar values.
Describe the solution you'd like
The age encryption algorithm is very promising and much simpler than the current GPG protocol. Here are more details about it: age-encryption.org. And we already have a Python library with support for age: https://pypi.org/project/age/ (and in many other languages too).
As a result, many other projects are switching from the overcomplicated GPG/PGP algorithms to age, because it is much easier to understand, produces more compact encrypted values that can be stored as a single line in YAML files, and has other benefits over old-school GPG. So, instead of something like this:
We will get something like this:
Looks much better, doesn't it?
For example, Mozilla SOPS already recommends considering age over PGP:
Describe alternatives you've considered
Maybe there are some other simple alternatives to age, but it seems that age is the best solution these days.