
How do I use Salt to securely copy a sensitive file (a cryptographic key) from one specific minion to another specific minion? I don't want any other minion to be able to read the file.

Salt Mine?

The Salt Mine seems to be a logical place to start, but the documentation says:

The Salt Mine is used to collect arbitrary data from Minions and store it on the Master. This data is then made available to all Minions via the salt.modules.mine module.

I don't want the data to be made available to all minions, just one. In addition I don't need the periodic refresh—I only need the file to be read whenever I run state.highstate for the destination minion.

cp.push?

Salt's cp.push function seems like a good way to get the file to the master, except:

  • it uses the salt.transport.Channel.send() method which is not guaranteed to be confidential
  • the master gives the files pushed by cp.push global read permissions in the master's file system
  • once the file is on the master, it's not obvious how to get it to the destination minion

Custom External Pillar?

I could write a custom external pillar that somehow reads the file from the source minion (how?) and then makes the file's contents available via a pillar to a second minion. That seems like a lot of effort for a behavior that should be built-in.

Richard Hansen
  • Did you ever determine a solution to this problem? I'm trying to solve this same problem right now, and I can't find a solution. I've seen your name pop up in different places asking this question, so I hope you were able to get a suitable answer. – Nick2253 Feb 06 '18 at 16:25

1 Answer


This is only a half-answer, but maybe it'll help.

You wrote:

once the file is on the master, it's not obvious how to get it to the destination minion

and:

I could write a custom external pillar that somehow ... makes the file's contents available via a pillar to a second minion.

That capability (the file_tree external pillar) is now in salt as of 2015.5.0. See this FAQ.

As for how to get the file from the source minion to the master, the salt paradigm is more for the master to be the source of data. Can you:

  • Have whatever rotates the key write it to the master?
  • Trigger an event that a reactor goes and fetches it via scp?
  • Set up a shared NFS mount between the two minions that want to share the key (or the source minion and master)?
  • Set up an https webserver on the source minion with ACLs that allow only access to either the master or the dest minion?
John Hazen
  • Thank you for your answer. The difficulty in sharing the file uploaded by `cp.push` via a pillar is robustly knowing where the file is. As far as I can tell, there's no clearly documented API for determining the name of the directory on the master where `cp.push` stores its files. – Richard Hansen Mar 23 '16 at 22:57
  • I can certainly use a non-Salt method to securely transfer the file, but I wanted to do this all entirely within Salt. Salt already has a bidirectional communication channel and keys for each side, so the basic infrastructure is in place... – Richard Hansen Mar 23 '16 at 22:58
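The file_tree external pillar route the answer points to, shown end to end as an added example (it is not part of the original answer or of Salt's own documentation; the paths, the minion id app-dest-01 and the key name myapp:signing_key are assumptions). The point is that pillar data under hosts/<minion_id>/ is rendered only for that minion and is carried over the encrypted master-to-minion channel, so no other minion can request it.

```yaml
# --- Master side: /etc/salt/master.d/file_tree.conf (assumed path) ---
# The file_tree external pillar turns a directory tree on the master into
# per-minion pillar data. Only the minion whose id matches the directory
# name under hosts/ receives these keys.
ext_pillar:
  - file_tree:
      root_dir: /srv/ext_pillar        # assumed location
      follow_dir_links: False          # do not let symlinks reach outside the tree
      keep_newline: True               # keep the PEM trailing newline byte-identical

# Directory layout under root_dir (minion id and key name are assumptions):
#
#   /srv/ext_pillar/
#   └── hosts/
#       └── app-dest-01/          <- only this minion is handed the key
#           └── myapp/
#               └── signing_key   <- contents become pillar key myapp:signing_key
#
# Lock the tree down on the master so only the salt-master user can read it:
#   chown -R root:root /srv/ext_pillar && chmod -R go-rwx /srv/ext_pillar

# --- /srv/salt/top.sls excerpt: target the destination minion only ---
base:
  'app-dest-01':
    - myapp.key

# --- /srv/salt/myapp/key.sls: write the key from pillar with tight permissions ---
# show_changes: False keeps the key material out of the state diff that is
# returned to the master and written to the job cache.
myapp_signing_key:
  file.managed:
    - name: /etc/myapp/signing.key
    - contents_pillar: myapp:signing_key
    - user: root
    - group: root
    - mode: '0600'
    - makedirs: True
    - dir_mode: '0750'
    - show_changes: False
```

After `salt-run pillar.show_pillar app-dest-01` (or a `saltutil.refresh_pillar` on the minion) confirms the key is present for the destination, the useful check is the negative one: `salt 'some-other-minion' pillar.get myapp:signing_key` must come back empty. This only covers the master-to-destination half; getting the key from the source minion onto the master is still the gap the answer leaves open.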