Securely copy file from one Salt minion to another

Tags: copy, saltstack

How do I use Salt to securely copy a sensitive file (a cryptographic key) from one specific minion to another specific minion? I don't want any other minion to be able to read the file.

Salt Mine?

The Salt Mine seems to be a logical place to start, but the documentation says:

The Salt Mine is used to collect arbitrary data from Minions and store it on the Master. This data is then made available to all Minions via the salt.modules.mine module.

I don't want the data to be made available to all minions, just one. In addition I don't need the periodic refresh—I only need the file to be read whenever I run state.highstate for the destination minion.

cp.push?

Salt's cp.push function seems like a good way to get the file to the master, except:

  • it uses the salt.transport.Channel.send() method which is not guaranteed to be confidential
  • the master gives the files pushed by cp.push global read permissions in the master's file system
  • once the file is on the master, it's not obvious how to get it to the destination minion

Custom External Pillar?

I could write a custom external pillar that somehow reads the file from the source minion (how?) and then makes the file's contents available via a pillar to a second minion. That seems like a lot of effort for a behavior that should be built-in.

Best Answer

This is only a half-answer, but maybe it'll help.

You wrote:

once the file is on the master, it's not obvious how to get it to the destination minion

and:

I could write a custom external pillar that somehow ... makes the file's contents available via a pillar to a second minion.

That capability (the file_tree external pillar) is now in salt as of 2015.5.0. See this FAQ.

As for how to get the file from the source minion to the master, the salt paradigm is more for the master to be the source of data. Can you:

  • Have whatever rotates the key write it to the master?
  • Trigger an event that a reactor goes and fetches it via scp?
  • Set up a shared NFS mount between the two minions that want to share the key (or the source minion and master)?
  • Set up an https webserver on the source minion with ACLs that allow only access to either the master or the dest minion?
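A worked configuration for the file_tree route the answer points at, added here as an illustration and not taken from the original question, answer, or the Salt project: the master config turns on the file_tree external pillar, the directory layout scopes the key to a single minion id, and a state on the destination minion writes the key out of pillar. The minion id `web-02`, the paths under `/srv`, the pillar key name `service:tls_key`, and the state file name are assumptions chosen for the example.

```yaml
# Added example (not from the original post or the Salt docs). Minion id "web-02",
# the /srv paths and the pillar key name "service:tls_key" are assumptions.

# --- /etc/salt/master (or a drop-in under /etc/salt/master.d/) ---
ext_pillar:
  - file_tree:
      root_dir: /srv/pillar/file_tree
      follow_dir_links: False   # a symlink inside the tree must not pull in other files
      keep_newline: True        # PEM/SSH key files need their trailing newline intact

# Layout on the master. file_tree only merges hosts/<minion_id>/ into that
# minion's pillar, so web-01, db-01, ... never see this key:
#
#   /srv/pillar/file_tree/hosts/web-02/service/tls_key   -> pillar  service:tls_key
#
# Keep the tree readable by the master process only:
#   chmod 0700 /srv/pillar/file_tree/hosts/web-02
#   chmod 0600 /srv/pillar/file_tree/hosts/web-02/service/tls_key

---
# --- /srv/salt/service/key.sls, included in web-02's top file ---
/etc/ssl/private/service.key:
  file.managed:
    - contents_pillar: service:tls_key   # contents come from pillar, not the fileserver
    - user: root
    - group: root
    - mode: '0600'
    - makedirs: True
    - show_changes: False   # keep key material out of state output and the job cache
```

Two checks are worth running before trusting this: `salt 'web-02' pillar.get service:tls_key` should return the key, and the same command against any other minion (for example `salt 'web-01' pillar.get service:tls_key`) should return nothing, because pillar is compiled per minion and is sent over that minion's own encrypted channel. The caveat is on the master side: whatever delivers the rotated key into `/srv/pillar/file_tree/hosts/web-02/` (a reactor, scp, a shared mount) has to preserve those file modes, since the master's file tree, not Salt, is the only thing keeping other local users from reading it.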