{"id":14965259,"url":"https://github.com/pmuller/saltstack-age","last_synced_at":"2026-03-06T23:31:40.240Z","repository":{"id":235503823,"uuid":"790825081","full_name":"pmuller/saltstack-age","owner":"pmuller","description":"age encryption for Saltstack pillar data","archived":false,"fork":false,"pushed_at":"2024-05-07T15:42:54.000Z","size":118,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"develop","last_synced_at":"2025-10-25T11:43:51.358Z","etag":null,"topics":["age","encryption","pillar","saltstack"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pmuller.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-23T15:43:55.000Z","updated_at":"2024-07-17T02:23:15.000Z","dependencies_parsed_at":"2024-04-30T06:54:33.055Z","dependency_job_id":"4e45215a-9b25-417b-9e04-3cdb940ade43","html_url":"https://github.com/pmuller/saltstack-age","commit_stats":null,"previous_names":["pmuller/saltstack-age-renderer","pmuller/saltstack-age"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/pmuller/saltstack-age","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmuller%2Fsaltstack-age","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmuller%2Fsaltstack-age/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmuller%2Fsaltstack-age/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmuller%2Fsaltstack-age/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pmuller","download_url":"https://codeload.github.com/pmuller/saltstack-age/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmuller%2Fsaltstack-age/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30203336,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T19:07:06.838Z","status":"ssl_error","status_checked_at":"2026-03-06T18:57:34.882Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["age","encryption","pillar","saltstack"],"created_at":"2024-09-24T13:34:29.630Z","updated_at":"2026-03-06T23:31:40.214Z","avatar_url":"https://github.com/pmuller.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Saltstack renderer for age-encrypted secrets\n\nThis project introduces a [SaltStack](https://saltproject.io/) renderer\nintegrated with [age](https://age-encryption.org/),\na modern and simple encryption tool.\nSaltStack is an open-source configuration management system that allows you to\nautomate the setup, deployment, and management of your infrastructure.\nIntegrating age encryption enhances SaltStack by providing a secure method to\nhandle secrets.\n\nBy using age, this renderer allows you to securely store encrypted secrets\ndirectly in your source control.\nThis is particularly useful for environments where security and privacy are\nparamount.\nOnly Salt masters (or masterless minions) configured with the appropriate age\nidentity or passphrase can decrypt these secrets, ensuring that sensitive\ninformation remains protected even if source control is compromised.\n\nThe typical use case for this extension involves encrypting secrets stored in\nSalt's pillar data,\nenhancing security without sacrificing convenience or functionality.\n\n## Requirements\n\nThis package has been tested with Saltstack 3007.0 on Ubuntu 22.04.4 LTS\n(Jammy Jellyfish).\n\n## Installation\n\nIf you use the [official Saltstack package](https://repo.saltproject.io/),\nyou can simply install it using:\n\n```sh\nsudo salt-pip install saltstack-age\n```\n\n## Configuration\n\nage can be used to encrypt data using either a passphrase or an identity file.\nThis extension supports both, and they can be defined either in the Saltstack\ndaemon configuration file, or in the daemon environment.\n\n| Type         | Configuration directive | Environment variable | Expected value               |\n| ------------ | ----------------------- | -------------------- | ---------------------------- |\n| identity     | `age_identity_file`     | `AGE_IDENTITY_FILE`  | Path of an age identity file |\n| identity     | `age_identity`          | `AGE_IDENTITY`       | An age identity string       |\n| passphrase   | `age_passphrase`        | `AGE_PASSPHRASE`     | An age passphrase            |\n\nYou can check this [example configuration](./example/config/minion).\n\n## Secret encryption\n\nEncrypted secrets are formatted as `ENC[age-passphrase,CIPHERTEXT]` or\n`ENC[age-identity,CIPHERTEXT]`, depending on the encryption type.\n`CIPHERTEXT` is the age-encrypted value, encoded with base64.\n\nThis package provides a handy CLI tool to make it easier:\n\n```sh\n$ saltstack-age -P secret-passphrase enc secret-value\nENC[age-passphrase,YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCB1QndwT3dJejhaSEtZZlIxeFEvZk5RIDIwCmhrcm9OY0tTOWdwNkhWbDdadlNIOHRFYmFLdkpZSjhLTktTWXhZVHFHKzgKLS0tIHFJWVRNc0JzTkpKNHJ1TFBuZ2tybWt0WWVQR0wrbjVnMmlZYzRaWVlBbFkKPWQu4lawaAu1owDXPDwwmj9/tN9/5NF/Avd4jPrLoy/ugUb0ciqm8H5My44=]\n```\n\n\u003e [!CAUTION]\n\u003e While it is convenient to pass all arguments to the command-line,\n\u003e be careful to not leak credentials while doing it.\n\nThe tool exposes multiple options to provide the passphrase and identity files.\nYou can see them in details by reading its help: `saltstack-age --help`.\n\n## Pillar data formatting\n\nThe renderer must be specified on the first line of the pillar data files that\ncontain encrypted values:\n\n```yaml\n#!yaml|age\n```\n\nThen you can define your secret values as:\n\n```yaml\n#!yaml|age\nsecret: ENC[age-passphrase,YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCB1QndwT3dJejhaSEtZZlIxeFEvZk5RIDIwCmhrcm9OY0tTOWdwNkhWbDdadlNIOHRFYmFLdkpZSjhLTktTWXhZVHFHKzgKLS0tIHFJWVRNc0JzTkpKNHJ1TFBuZ2tybWt0WWVQR0wrbjVnMmlZYzRaWVlBbFkKPWQu4lawaAu1owDXPDwwmj9/tN9/5NF/Avd4jPrLoy/ugUb0ciqm8H5My44=]\n```\n\nFor reference, you can read this [example](./example/).\n\n## FAQ\n\n### Why did you write this extension?\n\nAs a fan of GPG, I explored the\n[GPG renderer](https://docs.saltproject.io/en/latest/ref/renderers/all/salt.renderers.gpg.html)\noffered by SaltStack.\nWhile GPG is robust, I found it somewhat cumbersome for smaller projects.\nThe simplicity and effectiveness of age encryption inspired me to develop this\nextension,\nproviding a straightforward solution for managing secrets in Salt environments.\n\n### Do I need to install age separately?\n\nNo, there's no need to install age separately.\nThis extension utilizes [pyrage](https://github.com/woodruffw/pyrage),\na Python wrapper that embeds [rage](https://github.com/str4d/rage),\na Rust implementation of age.\nIt simplifies the installation process by embedding all necessary functionality\nwithin the extension itself.\n\n### How do I ensure my secrets are secure when using this extension?\n\nTo maximize security:\n- Always use secure channels for transferring sensitive information,\n  including age identities and passphrases.\n- Store your age identities and passphrases securely, using environment\n  variables or secure files that are not checked into source control.\n- Be cautious with logging and command-line usage as these can inadvertently\n  expose sensitive information if not handled properly.\n\nTo ensure calls to the `saltstack-age` command are never logged in your\nbash history, add it to your\n[HISTIGNORE](https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html#index-HISTIGNORE)\nvariable.\n\n### What should I do if I encounter errors during encryption or decryption?\n\nFirst, verify that your age identities and passphrases are correctly configured\nand accessible to the Salt master or minion. Check for typos or incorrect paths\nin your configuration.\nIf the issue persists, refer to the detailed error messages provided by Salt and\nage for further troubleshooting.\nYou can also seek help from the Salt community\nor the issue tracker for this project.\nPlease provide your entire configuration so we can reproduce the error\n(and use throwaway credentials to do so).\n\n### Where can I find more resources?\n\nFor more detailed guidance on using age,\nvisit the official [age documentation](https://age-encryption.org/).\nFor SaltStack, consult the\n[SaltStack documentation](https://docs.saltproject.io/) and community forums.\nThese resources offer comprehensive information and community-driven support\nthat can help you effectively utilize age encryption in your SaltStack projects.\n\n## Development\n\n* Environment is managed with [rye](https://rye-up.com/)\n* Create a virtualenv: `rye sync`\n* Check typing: `rye run basedpyright`\n* Check formatting with ruff: `rye fmt -- --check`\n* Check linting with ruff: `rye check`\n* Run tests: `rye run pytest`\n\nSee [workflow](./.github/workflows/build.yaml) for reference.\n\n## Release\n\n* Build package: `rye build --clean --wheel`\n* Publish package: `rye publish`\n\nSee [workflow](./.github/workflows/release.yaml) for reference.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmuller%2Fsaltstack-age","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpmuller%2Fsaltstack-age","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmuller%2Fsaltstack-age/lists"}