Manage GPG keychains: add keys, create keys, and retrieve keys from keyservers. Sign, encrypt, and sign plus encrypt text and files.
New in version 2015.5.0.
Note
The python-gnupg library and gpg binary are required to be installed.
salt.modules.gpg.create_key(*args, **kwargs)
Create a key in the GPG keychain
Note
GPG key generation requires a lot of entropy and randomness. This is difficult to do over a remote connection; consider having another process available which is generating randomness for the machine. It is also especially difficult on virtual machines; consider the rng-tools package.
The create_key process takes a while, so increasing the timeout may be necessary, e.g. -t 15.
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt -t 15 '*' gpg.create_key
salt.modules.gpg.decrypt(user=None, text=None, filename=None, output=None, use_passphrase=False, gnupghome=None, bare=False)
Decrypt a message or file
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
True, return the (armored) decrypted block as a string without the standard comment/res dict.
CLI Example:
salt '*' gpg.decrypt filename='/path/to/important.file.gpg'
salt '*' gpg.decrypt filename='/path/to/important.file.gpg' use_passphrase=True
salt.modules.gpg.delete_key(keyid=None, fingerprint=None, delete_secret=False, user=None, gnupghome=None)
Delete a key from the GPG keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.delete_key keyid=3FAD9F1E
salt '*' gpg.delete_key fingerprint=53C96788253E58416D20BCD352952C84C3252192
salt '*' gpg.delete_key keyid=3FAD9F1E user=username
salt '*' gpg.delete_key keyid=3FAD9F1E user=username delete_secret=True
salt.modules.gpg.encrypt(user=None, recipients=None, text=None, filename=None, output=None, sign=None, use_passphrase=False, gnupghome=None, bare=False)
Encrypt a message or file
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
True to use default key or fingerprint to specify a different key to sign with.
True, return the (armored) encrypted block as a string without the standard comment/res dict.
CLI Example:
salt '*' gpg.encrypt text='Hello there. How are you?'
salt '*' gpg.encrypt filename='/path/to/important.file'
salt '*' gpg.encrypt filename='/path/to/important.file' use_passphrase=True
salt.modules.gpg.export_key(keyids=None, secret=False, user=None, gnupghome=None)
Export a key from the GPG keychain
keyids information passed.
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.export_key keyids=3FAD9F1E
salt '*' gpg.export_key keyids=3FAD9F1E secret=True
salt '*' gpg.export_key keyids="['3FAD9F1E','3FBD8F1E']" user=username
salt.modules.gpg.get_key(keyid=None, fingerprint=None, user=None, gnupghome=None)
Get a key from the GPG keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.get_key keyid=3FAD9F1E
salt '*' gpg.get_key fingerprint=53C96788253E58416D20BCD352952C84C3252192
salt '*' gpg.get_key keyid=3FAD9F1E user=username
salt.modules.gpg.get_secret_key(keyid=None, fingerprint=None, user=None, gnupghome=None)
Get a secret key from the GPG keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.get_secret_key keyid=3FAD9F1E
salt '*' gpg.get_secret_key fingerprint=53C96788253E58416D20BCD352952C84C3252192
salt '*' gpg.get_secret_key keyid=3FAD9F1E user=username
salt.modules.gpg.import_key(*args, **kwargs)
Import a key from text or file
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.import_key text='-----BEGIN PGP PUBLIC KEY BLOCK-----\n ... -----END PGP PUBLIC KEY BLOCK-----'
salt '*' gpg.import_key filename='/path/to/public-key-file'
salt.modules.gpg.list_keys(user=None, gnupghome=None)
List keys in GPG keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.list_keys
salt.modules.gpg.list_secret_keys(user=None, gnupghome=None)
List secret keys in GPG keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.list_secret_keys
salt.modules.gpg.receive_keys(*args, **kwargs)
Receive key(s) from keyserver and add them to keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.receive_keys keys='3FAD9F1E'
salt '*' gpg.receive_keys keys="['3FAD9F1E','3FBD9F2E']"
salt '*' gpg.receive_keys keys=3FAD9F1E user=username
salt.modules.gpg.search_keys(text, keyserver=None, user=None)
Search keys from keyserver
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.search_keys user@example.com
salt '*' gpg.search_keys user@example.com keyserver=keyserver.ubuntu.com
salt '*' gpg.search_keys user@example.com keyserver=keyserver.ubuntu.com user=username
salt.modules.gpg.sign(user=None, keyid=None, text=None, filename=None, output=None, use_passphrase=False, gnupghome=None)
Sign message or file
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.sign text='Hello there. How are you?'
salt '*' gpg.sign filename='/path/to/important.file'
salt '*' gpg.sign filename='/path/to/important.file' use_passphrase=True
salt.modules.gpg.trust_key(keyid=None, fingerprint=None, trust_level=None, user=None)
Set the trust level for a key in GPG keychain
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.trust_key keyid='3FAD9F1E' trust_level='marginally'
salt '*' gpg.trust_key fingerprint='53C96788253E58416D20BCD352952C84C3252192' trust_level='not_trusted'
salt '*' gpg.trust_key keyid=3FAD9F1E trust_level='ultimately' user='username'
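The examples above address keys by 8-digit key ID, which can match more than one key. A check to run before gpg.trust_key or gpg.delete_key: resolve the identifier to a single full fingerprint and compare it with one obtained out of band. This is an added example, not part of the Salt module. The record shape (a list of dicts with a "fingerprint" field, 40-digit fingerprints), the sample keys and the function names are assumptions constructed here.

```python
import re

# Constructed sample records; the "fingerprint" field name is an assumed
# shape for key listings, and the A.../B... fingerprints are made up.
SAMPLE_KEYS = [
    {"fingerprint": "53C96788253E58416D20BCD352952C84C3252192"},
    {"fingerprint": "A" * 32 + "3FAD9F1E"},
    {"fingerprint": "B" * 32 + "3FAD9F1E"},
]

# Short key ID (8), long key ID (16) or full fingerprint (40 hex digits).
_HEX_ID = re.compile(r"^(?:[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{40})$")


def normalize(identifier):
    """Upper-case a key ID or fingerprint, dropping spaces and a 0x prefix."""
    value = re.sub(r"\s+", "", str(identifier)).upper()
    if value.startswith("0X"):
        value = value[2:]
    if not _HEX_ID.match(value):
        raise ValueError("not an 8-, 16- or 40-digit hex identifier: %r" % (identifier,))
    return value


def resolve_fingerprint(keys, identifier):
    """Return the single full fingerprint that `identifier` selects, else raise."""
    wanted = normalize(identifier)
    # Key IDs are the trailing digits of the fingerprint, so match on suffix.
    matches = sorted({normalize(k["fingerprint"]) for k in keys
                      if normalize(k["fingerprint"]).endswith(wanted)})
    if not matches:
        raise LookupError("no key in keychain matches %s" % wanted)
    if len(matches) > 1:
        raise LookupError("%s is ambiguous: %s" % (wanted, ", ".join(matches)))
    return matches[0]


def confirm_pinned(keys, identifier, pinned_fingerprint):
    """True only if `identifier` resolves to exactly the pinned fingerprint."""
    return resolve_fingerprint(keys, identifier) == normalize(pinned_fingerprint)
```

When the check passes, pass the full fingerprint rather than the short key ID to the fingerprint= argument shown in the examples above.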
salt.modules.gpg.verify(text=None, user=None, filename=None, gnupghome=None)
Verify a message or file
salt will set the GnuPG home directory to the /etc/salt/gpgkeys.
CLI Example:
salt '*' gpg.verify text='Hello there. How are you?'
salt '*' gpg.verify filename='/path/to/important.file'