This runner helps create encrypted passwords that can be included in pillars.


This is often useful if you wish to store your pillars in source control or share your pillar data with others that you trust. I don't advise making your pillars public regardless if they are encrypted or not.

The following configurations can be defined in the master config so your users can create encrypted passwords using the runner nacl:

cat /etc/salt/master.d/nacl.conf
    key: 'cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k='
    keyfile: /root/.nacl

Now with the config in the master you can use the runner nacl like:

salt-run nacl.enc 'data'
salt.runners.nacl.dec(data, **kwargs)

Takes a key generated from nacl.keygen and decrypt some data.

CLI Examples:

salt-run nacl.dec pEXHQM6cuaF7A=
salt-run nacl.dec data='pEXHQM6cuaF7A=' keyfile=/root/.nacl
salt-run nacl.dec data='pEXHQM6cuaF7A=' key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k='
salt.runners.nacl.enc(data, **kwargs)

Takes a key generated from nacl.keygen and encrypt some data.

CLI Examples:

salt-run nacl.enc datatoenc
salt-run nacl.enc datatoenc keyfile=/root/.nacl
salt-run nacl.enc datatoenc key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k='

Use libnacl to generate a private key

CLI Examples:

salt-run nacl.keygen
salt-run nacl.keygen keyfile=/root/.nacl
salt-run --out=newline_values_only nacl.keygen > /root/.nacl