Encrypted pillars & secrets
GPG-encrypted data and backends.
Pillar keeps sensitive data targeted, but on the master it still sits in plaintext files unless you encrypt it. Salt’s GPG renderer solves this: you encrypt secret values with the master’s GPG public key, store the ciphertext in pillar SLS (safe in Git), and the master decrypts at render time with its private key before delivering the value to entitled minions. It is Salt’s equivalent of Ansible Vault, SOPS, or Puppet’s eyaml.
#!yaml|gpgdb:password: |-----BEGIN PGP MESSAGE-----hQEMA...ciphertext... # encrypted to the master’s GPG key-----END PGP MESSAGE-----# echo -n 'S3cr3t!' | gpg --armor --encrypt -r salt@master produces this
External secret backends
For real secret management, Salt integrates with external stores through pillar and SDB (Salt Database): a Vault ext_pillar or the sdb:// URI fetches secrets from HashiCorp Vault at render time, so the source of truth stays in Vault and nothing durable lives in the Salt tree. This is the strongest pattern — Salt requests the secret when it needs it, with Vault handling rotation, audit, and access control.
# /etc/salt/master — pull pillar from Vaultext_pillar:- vault: path=secret/data/salt# reference a secret via sdb in a state/pillar:# password: {{ salt['sdb.get']('sdb://myvault/secret/db/password') }}