Task: GPG physical backup -- Salt master private key disaster recovery #215

Open
opened 2026-03-28 02:06:54 +00:00 by forgejo_admin · 0 comments

Type

Task

Scope

Create a physical backup of the Salt master GPG private key. This is the single point of failure for the entire secret trust chain. If this key is lost and the NVMe dies, all GPG-encrypted pillar data is permanently unrecoverable.

Key details:

  • Fingerprint: EE61A629AA7138A75AEF783481A03D1CF874DC90
  • Key ID: 81A03D1CF874DC90
  • Identity: Salt Master (pal-e-platform) salt@pal-e.local
  • Algorithm: RSA 4096, no passphrase, no expiry
  • Keyring locations: /home/ldraney/.gnupg/ (user) + /etc/salt/gpgkeys/ (Salt master)

Steps:

  1. Export private key: gpg --export-secret-keys --armor 81A03D1CF874DC90 > /tmp/salt-master-gpg.asc
  2. Paper backup: print ASCII-armored key, store in safe/fireproof box
  3. Encrypted USB: copy to encrypted USB drive, store separately from paper
  4. Verify: import on test keyring and decrypt a test pillar value
  5. Record backup location and verification date in secrets_registry.sls
  6. Shred temp file: shred -u /tmp/salt-master-gpg.asc

Priority: Medium-high -- cheap insurance against catastrophic data loss.

Migrated from todo-gpg-physical-backup in pal-e-docs.

Acceptance Criteria

  • Physical backup exists in at least 2 separate locations (paper + encrypted USB)
  • Backup verified by test import and decrypt of a pillar value
  • Backup location and verification date recorded in secrets_registry.sls

Related

  • pal-e-platform -- project
  • plan-2026-02-26-salt-host-management -- source plan (completed)
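Step 4 of the task (import on a test keyring, then decrypt a test value) written out as an added bash example; this is not the issue's own tooling. It imports the armored export into a throwaway GNUPGHOME, compares the primary fingerprint with the expected one, and round-trips a constructed test value that stands in for a real pillar value, since Salt's gpg renderer decrypts with a keyring of exactly this kind under /etc/salt/gpgkeys. The function names and the default test value are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the issue's own tooling: verify a restored ASCII-armored
# GPG private key in a throwaway keyring, as step 4 of the task describes.
set -euo pipefail

# Cheap pre-check before touching gpg: the file must be a private-key block
# and the expected fingerprint must be 40 hex digits (like the one in the task).
check_armored_backup() {
  local asc="$1" fpr="$2"
  printf '%s' "$fpr" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 1
  grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$' "$asc" || return 1
  grep -q '^-----END PGP PRIVATE KEY BLOCK-----$' "$asc"
}

# Import the backup into a temporary GNUPGHOME (never the live keyrings),
# confirm the primary fingerprint, then encrypt and decrypt a constructed
# test value. The round trip proves the private key came back usable,
# which is what Salt's gpg renderer needs from /etc/salt/gpgkeys.
# Prints the decrypted value; returns non-zero on any mismatch.
verify_gpg_backup() {
  local asc="$1" expected_fpr="$2" test_value="${3:-constructed-test-pillar-value}"
  local home got plain="" rc=0
  home="$(mktemp -d)"   # mktemp -d creates the directory mode 0700, as gpg wants
  gpg --homedir "$home" --batch --quiet --import "$asc" 2>/dev/null
  # The first "fpr" record in colon output belongs to the primary key.
  got="$(gpg --homedir "$home" --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }')"
  if [ "$got" = "$expected_fpr" ]; then
    # The key has no passphrase (per the task), so batch mode needs no pinentry.
    plain="$(printf '%s' "$test_value" \
      | gpg --homedir "$home" --batch --quiet --trust-model always \
            --encrypt --recipient "$expected_fpr" \
      | gpg --homedir "$home" --batch --quiet --decrypt 2>/dev/null)" || plain=""
    [ "$plain" = "$test_value" ] || { echo "decrypt mismatch" >&2; rc=1; }
  else
    echo "fingerprint mismatch: got '$got', expected '$expected_fpr'" >&2
    rc=1
  fi
  # Stop the agent spawned for the temporary homedir before deleting it.
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  [ "$rc" -eq 0 ] && printf '%s\n' "$plain"
  return "$rc"
}
```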
Reference
forgejo_admin/pal-e-platform#215