Managing Secrets Using SaltStack and Pillar
2020-02-03, 16:50–17:40, B.2.011

When using any sort of automation system for either remote execution or configuration management, one of the major advantages is the ability to reduce repetitive tasks. Often tasks in these scenarios involve using sensitive information such as passwords. In this talk we’ll look at how the SaltStack Pillar system can be used to store secrets and securely provide them to only the Salt minions that should have access to them. We'll look at how we can take advantage of external systems to store our Pillar data.


When using any sort of automation system for either remote execution or configuration management, one of the major advantages is the ability to reduce repetition. By using state files with SaltStack, commonly used tasks can be automated so that the next time these tasks need to be performed the action is repeatable and consistent. Tasks in these scenarios often involve sensitive information such as passwords, so that information needs to be stored securely and provided securely. This is where the Salt Pillar system comes in.

In this talk we’ll walk through some basic usage of the Pillar system, including the ability to target data at specific Salt minions. We'll look at ways Pillar can help us reuse state files in multiple environments such as Dev, QA, and Production. We'll also look at ways that data can be stored encrypted while at rest using tools such as GPG. Finally, we'll look at storing Pillar data in external systems such as databases like MySQL, source control systems like Git, and HashiCorp Vault.

The talk will include:

* A brief introduction to SaltStack.
* Using SaltStack Pillar to store and provide secrets.
* Ways to encrypt the data managed by Pillar.
* Storing and retrieving Pillar using external systems such as HashiCorp Vault.