generate-secure-pillar [global options] command [command options] [arguments...]
Ed Silva ed.silva@everbridge.com
brew tap esilva-everbridge/homebrew-generate-secure-pillar
brew install generate-secure-pillar
The PGP keys you import for use with this tool need to be 'trusted' keys. An easy way to do this is, after importing a key, run the following commands:
expect -c "spawn gpg --edit-key '<the PGP key id here>' trust quit; send \"5\ry\r\"; expect eof"
(found here: https://gist.github.com/chrisroos/1205934#gistcomment-2203760)
create, c create a new sls file
update, u update the value of the given key in the given file
encrypt, e perform encryption operations
decrypt, d perform decryption operations
rotate, r decrypt existing files and re-encrypt with a new key
keys, k show PGP key IDs used
help, h Shows a list of commands or help for one command
- --pubring value, --pub value PGP public keyring (default: "~/.gnupg/pubring.gpg")
- --secring value, --sec value PGP private keyring (default: "~/.gnupg/secring.gpg")
- --pgp_key value, -k value PGP key name, email, or ID to use for encryption
- --debug adds line number info to log output
- --element value, -e value Name of the top level element under which encrypted key/value pairs are kept
- --help, -h show help
- --version, -v print the version
(c) 2018 Everbridge, Inc.
CAVEAT: YAML files with include statements are not handled properly, so we skip them.
$ generate-secure-pillar -k "Salt Master" create --name secret_name1 --value secret_value1 --name secret_name2 --value secret_value2 --outfile new.sls
$ generate-secure-pillar -k "Salt Master" update --name new_secret_name --value new_secret_value --file new.sls
$ generate-secure-pillar -k "Salt Master" update --name secret_name --value secret_value3 --file new.sls
$ generate-secure-pillar -k "Salt Master" encrypt all --file us1.sls --outfile us1.sls
$ generate-secure-pillar -k "Salt Master" encrypt all --file us1.sls --update
$ generate-secure-pillar -k "Salt Master" --element secret_stuff encrypt all --file us1.sls --outfile us1.sls
$ generate-secure-pillar -k "Salt Master" encrypt recurse -d /path/to/pillar/secure/stuff
$ generate-secure-pillar decrypt recurse -d /path/to/pillar/secure/stuff
$ generate-secure-pillar decrypt path --path "some:yaml:path" --file new.sls
$ generate-secure-pillar -k "New Salt Master Key" rotate -d /path/to/pillar/secure/stuff
$ generate-secure-pillar keys all --file us1.sls
$ generate-secure-pillar keys recurse -d /path/to/pillar/secure/stuff
$ generate-secure-pillar keys path --path "some:yaml:path" --file new.sls