Password Security with GPG in Salt on openSUSE Leap 15.0

We are creating a deployment of openSUSE clients with Salt. Kerberos needs password authentication, so we want to encrypt passwords before using them in Salt. I want to explain how to integrate all of that.

First, you have to install gpg, python-gnupg and python-pip. openSUSE only wants to install the package python-python-gnupg, which isn't enough for Salt. You additionally have to run pip install python-gpg.

After that, you have to create the directory /etc/salt/gpgkeys with mkdir. That will be the home directory for the decryption key of Salt. Then you can create a passwordless key in this directory; Salt is not able to enter a passphrase when it uses the key.

# gpg --gen-key --pinentry-mode loopback --homedir /etc/salt/gpgkeys
gpg (GnuPG) 2.2.5; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg2 --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Salt-Master
Email address:
You selected this USER-ID:"Salt-Master <>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B24D083B4A54DB47 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6632312B6E178E0031B9C8E8B24D083B4A54DB47.rev'
public and secret key created and signed.

pub   rsa2048 2019-02-05 [SC] [expires: 2021-02-04]
uid   Salt-Master <>
sub   rsa2048 2019-02-05 [E] [expires: 2021-02-04]

After that you have to export your public and secret key in an importable format and import them. Salt cannot decrypt passwords without the secret key.

# gpg --homedir /etc/salt/gpgkeys --export-secret-keys --armor > /etc/salt/gpgkeys/Salt-Master.key
# gpg --homedir /etc/salt/gpgkeys --armor --export > /etc/salt/gpgkeys/Salt-Master.gpg
# gpg --import Salt-Master.key
gpg: key 9BE990C7DBD19726: public key "Salt-Master <>" imported
gpg: key 9BE990C7DBD19726: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

# gpg --import
gpg: key 9BE990C7DBD19726: "Salt-Master <>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

The key has unknown validity at the moment, and we have to trust it. Therefore, we have to edit the key, choose trust, enter 5 for ultimately and save.

# gpg --key-edit Salt-Master
gpg (GnuPG) 2.2.5; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/3580EA8183E8E03E
     created: 2019-02-05  expires: 2021-02-04  usage: SC
     trust: unknown       validity: unknown
ssb  rsa2048/4ABC9E975BD76370
     created: 2019-02-05  expires: 2021-02-04  usage: E
[ unknown] (1). Salt-Master <>

gpg> trust
sec  rsa2048/3580EA8183E8E03E
     created: 2019-02-05  expires: 2021-02-04  usage: SC
     trust: unknown       validity: unknown
ssb  rsa2048/4ABC9E975BD76370
     created: 2019-02-05  expires: 2021-02-04  usage: E
[ unknown] (1). Salt-Master <>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec  rsa2048/3580EA8183E8E03E
     created: 2019-03-07  expires: 2021-03-06  usage: SC
     trust: ultimate      validity: unknown
ssb  rsa2048/4ABC9E975BD76370
     created: 2019-03-07  expires: 2021-03-06  usage: E
[ unknown] (1). Salt-Master <>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> save

So the key is valid and usable. You can see your keys listed with the following commands.

# gpg --list-keys
# gpg --homedir /etc/salt/gpgkeys --list-keys

Salt needs access to the key for decryption. Therefore, you have to change permissions on /etc/salt/gpgkeys.

# chmod 0700 /etc/salt/gpgkeys
# chown -R salt /etc/salt/gpgkeys

We can encrypt passwords with the key now. Replace supersecret with your password and Salt-Master with the name of the key.

# echo -n "supersecret" | gpg --armor --batch --trust-model always --encrypt -r "Salt-Master"
    -----BEGIN PGP MESSAGE-----

    -----END PGP MESSAGE-----

The output is an ASCII-armored (Base64 encoded) PGP message. You can use that in your sls file (in my case kerberos.sls) in the pillar directory.

  principal: X95A
  password: |
    -----BEGIN PGP MESSAGE-----

    -----END PGP MESSAGE-----

Salt is not able to distinguish encrypted from non-encrypted strings at the moment.

You have to uncomment the entry gpg_keydir: in the salt-master configuration /etc/salt/master and set it to /etc/salt/gpgkeys. In addition, you can find the section decrypt_pillar: there. In my case, I add - 'kerberos:password': gpg to it.

You need to restart the salt-master service. Afterwards Salt knows that this particular pillar entry has to be decrypted with gpg. Then you can run the sls file on any Salt client and Salt can use the password.

At the end you should remove the command containing your plaintext password, which you used to create the PGP message, from your bash history. Therefore, edit ~/.bash_history and remove the entry with echo, so nobody can figure out the securely encrypted password of the user.
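As an added example (not code from the post and not Salt's own implementation), the following Python script checks the three things the procedure above depends on before salt-master is restarted: that the master config really has an uncommented gpg_keydir and a decrypt_pillar entry, that the key directory has the 0700/salt ownership the chmod and chown step gives it, and that the pillar value named in decrypt_pillar is an armored PGP message before it is handed to gpg (since Salt cannot tell encrypted from plain strings). The sample config, pillar and ciphertext are constructed placeholders; the real decryption step assumes a gpg binary on PATH and a passwordless key in the homedir, and the decrypt function is injectable so the rest can be exercised without a key.

```python
"""Pre-flight checks for Salt GPG pillar decryption (added example, not Salt code).

Assumptions: a passwordless key in a gpg homedir (the post uses /etc/salt/gpgkeys),
a master config with gpg_keydir and decrypt_pillar, and the gpg binary on PATH for
the real decryption step. SAMPLE_MASTER and SAMPLE_PILLAR below are constructed.
"""
import copy
import os
import pwd
import re
import stat
import subprocess

PGP_ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)

# Constructed sample of the relevant lines of /etc/salt/master after editing.
SAMPLE_MASTER = """\
#gpg_keydir: /etc/salt/gpgkeys
gpg_keydir: /etc/salt/gpgkeys
decrypt_pillar:
  - 'kerberos:password': gpg
"""

# Constructed pillar: the ciphertext body is a placeholder, not a real PGP message.
SAMPLE_PILLAR = {
    "kerberos": {
        "principal": "X95A",
        "password": "-----BEGIN PGP MESSAGE-----\n\nPLACEHOLDER-CIPHERTEXT\n-----END PGP MESSAGE-----\n",
    }
}


def parse_master_gpg_settings(text):
    """Read gpg_keydir and the decrypt_pillar list from master config text.

    Deliberately minimal (one setting per line, '- ' list items): a reader for the
    post's two settings, not a YAML parser. A commented-out gpg_keydir line is
    ignored, which is exactly the mistake the post tells you to fix by uncommenting.
    """
    keydir, entries, in_list = None, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("gpg_keydir:"):
            keydir, in_list = line.split(":", 1)[1].strip(), False
        elif line.startswith("decrypt_pillar:"):
            in_list = True
        elif in_list and line.lstrip().startswith("- "):
            path, _, renderer = line.lstrip()[2:].rpartition(":")
            entries[path.strip().strip("'\"")] = renderer.strip()
        else:
            in_list = False
    return keydir, entries


def check_keydir(path, expected_owner=None):
    """Return a list of problems; empty means the directory matches chmod 0700 / chown salt."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit lets other users read the secret key
        problems.append("%s is mode %04o, want 0700" % (path, mode))
    if expected_owner is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        if owner != expected_owner:
            problems.append("%s is owned by %s, want %s" % (path, owner, expected_owner))
    return problems


def _walk(pillar, path, delimiter=":"):
    """Resolve a Salt-style 'a:b' pillar path to (parent dict, last key)."""
    parts = path.split(delimiter)
    node = pillar
    for part in parts[:-1]:
        node = node[part]
    return node, parts[-1]


def is_pgp_armored(value):
    return isinstance(value, str) and PGP_ARMOR_RE.search(value) is not None


def gpg_decrypt(armored, homedir):
    """Decrypt with the passwordless key in homedir, as salt-master does.

    --batch makes a missing or passphrase-protected key fail instead of prompting.
    """
    proc = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--quiet", "--decrypt"],
        input=armored.encode(), capture_output=True, check=True,
    )
    return proc.stdout.decode()


def decrypt_pillar(pillar, entries, homedir, decrypt=gpg_decrypt):
    """Apply decrypt_pillar entries to a copy of the pillar.

    Salt cannot tell encrypted strings from plain ones, so a value that is not an
    armored PGP message is rejected here, loudly, rather than handed to gpg.
    """
    out = copy.deepcopy(pillar)
    for path, renderer in entries.items():
        if renderer != "gpg":
            raise ValueError("unsupported decrypt_pillar renderer %r for %s" % (renderer, path))
        parent, key = _walk(out, path)
        if not is_pgp_armored(parent[key]):
            raise ValueError("%s is not an armored PGP message" % path)
        parent[key] = decrypt(parent[key], homedir).rstrip("\n")
    return out


if __name__ == "__main__":
    keydir, entries = parse_master_gpg_settings(SAMPLE_MASTER)
    print("gpg_keydir:", keydir, "decrypt_pillar:", entries)
    for problem in check_keydir(keydir, expected_owner="salt"):
        print("WARNING:", problem)
    try:  # real decryption needs the key from the post's setup and a gpg binary
        print(decrypt_pillar(SAMPLE_PILLAR, entries, keydir))
    except (subprocess.CalledProcessError, FileNotFoundError) as exc:
        print("decryption not possible here:", exc)
```

Run it as root on the master after editing /etc/salt/master and before restarting salt-master: a commented-out gpg_keydir shows up as None, a key directory that is still mode 0755 or owned by root is reported, and a pillar path that points at a plain string (for example a typo that names principal instead of password) is refused instead of being sent to gpg.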

Running for the openSUSE Board again…

One term is over more quickly than you can imagine, and I am running for re-election to the openSUSE Board!
My name is Sarah Julia Kriesch and I am a Computer Science student with work experience at 2 universities.
I am completing my Study Abroad Semester at the University of Bristol at the moment and I have an ongoing IT project at my home university, Nuremberg Institute of Technology Georg Simon Ohm. In addition, I am working as a Student Research Assistant at my home university.

A lot has happened in the last years and I try to combine my studies with openSUSE contributions as well as possible. I am the founder of the Working Group Open Source at the Faculty of Computer Science of the Nuremberg Institute of Technology. We offer workshops in Linux and Open Source bi-weekly. These are open to students from other faculties, too. I am the educator for our orga team of Linux trainers. We have presentations and workshops in cooperation with openSUSE every semester. I want to promote such Open Source education everywhere in Germany.

Our IT project is a migration of our Linux laboratory from Ubuntu to openSUSE Leap. We automate that with Salt, and all of it has to work with Kerberos authentication. So our students are able to use their AD accounts, and printing costs can then be debited from our student cards using Kerberos tickets. We are working in cooperation with SUSE here.

I have taken different units in Bristol: HPC, Embedded & Real-Time Systems, Security and Sustainability. I am glad to be allowed to combine a part of my exam in Sustainability with openSUSE. I wanted to create a project plan to improve our sustainability for my next term on the openSUSE Board. My election pledge is the switch from DVDs to USB flash drives in the marketing material.

My efforts within openSUSE are mainly education at our university to gain new openSUSE/Open Source contributors and being active as an Advocate at different conferences and expos. I have moved from Germany to the United Kingdom for this semester. This year I will return to Germany. Another role is Global Coordinator Localization, including German translations and the Wiki.

Going forward, and back in Germany again, I want to concentrate more on the well-being of the openSUSE community. You don't gain new contributors if you don't have the right climate in the community, and some would be unsatisfied. I want to build on the Board publicity introduced by our elected Board Members in the last year. That would improve the collaboration and respect within openSUSE.

I am much obliged to be an elected Board Member for 2 years. I appreciate receiving your votes for a second term.

Thank you in advance!

AG Open Source and our responsibilities

Last semester I founded the AG Open Source at our university. We are organizing workshops and hackathons in cooperation with open source projects/companies. Our students should learn more about open source development and how to contribute. The difference from the Friedrich-Alexander-University and their professorship in open source development is that we want to learn real practice from professionals.

After 3 months we had a reputation. The AG Open Source should be open to other faculties, too. EFI (electronics, fine mechanics and information technology) has been interested in our events. So students in Computer Science and Electronics are receiving basic courses in Linux and using git. In addition, we create a program which is different every semester. Last semester we had topics like security and the ownCloud hackathon. This semester our focus is on monitoring and Docker.

I am the Lead of the AG Open Source. I am educating other students in the student council for different positions in the AG. We need an additional lead, so I have one student as a Junior Lead who is being taught organization, email writing and publishing by me. Two other students want to become Linux trainers. They have to know all about the cooperation with other AGs in the student council and their processes, too.

Last semester I was the Linux trainer in all Linux workshops. One (advanced) student supported me by walking the rows and looking after individual students. Other students in my semester are interested in this job this semester, too. Last week we received the request for a Linux course for advanced Linux users in parallel to the Linux course for beginners. So I am teaching one student to take over my course for beginners. Next semester we'll use 2 rooms for this event. I'm planning the course for advanced Linux users.

Since this week we are responsible for a new task at our university: Linux support for students

An EFI student stood in the door of our student council for Computer Science and said: "I'm not from this faculty, but I need Linux support from the AG Open Source. Nobody else can help me. I was in the data center. They want to support only Windows. I can't find anybody at our faculty either."

The data center has reconfigured eduroam. That's the Wi-Fi for students and professors. We need additional entries for Linux systems and a new certificate now. I configured his Wi-Fi and I know: I have to educate Linux supporters for our AG. On our internal homepage openSUSE and Android are listed as operating systems (Linux) supported by the data center, but our sysadmins don't know what to do there. All students are coming to the student council for Computer Science now, because they are receiving Linux workshops from us.

Our AG Open Source is growing, but our responsibilities are growing, too!

openSUSE release party at FrOSCon

We had a nice weekend at FrOSCon with a lot of fun. This atmosphere spread to our neighbours, so some Fedora Ambassadors wanted to change to openSUSE. That was the last time at the Fedora booth for them, and their booth became green.

You can see here a Fedora Ambassador who wants to have openSUSE marketing material for students of the University of Marburg. He has green glasses as a signal for his change. He'll give Linux workshops with openSUSE and wants to become an openSUSE Hero.

We had many visitors on the first day. Our release party took place at our booth at 5 o'clock. We were surprised by so many people. The cake was gone after a quarter of an hour. It wasn't enough for all interested guests. All were happy and toasted the new Leap release with champagne.

After that we had our first tombola with a big chameleon. What a surprise! Last year a family from LPI won 2 chameleons. This year a small LPI girl won the first one again. That shows us the partnership between LPI and openSUSE. 🙂

On Sunday I went to some interesting presentations. We shared the shifts at the openSUSE booth. In addition, we spoke about the OpenRheinRuhr organization, what we want to improve and how we can realize it all with new German Advocates. On the second day we had a second tombola. This chameleon went to invis server.

Debian and Ubuntu didn't have any booth. Some Debian users asked us for Debian contributors. I sent them to Open Office. After this visit they came back and talked with us about openSUSE and what is new. They were really interested.

That was a successful weekend for openSUSE with a lot of fun. Thanks for all the sponsoring at FrOSCon!

openSUSE at Chemnitzer LinuxTage 2017

I went to Chemnitzer LinuxTage last weekend. That was a successful open source event.

openSUSE has got a lot of positive feedback. Some people changed from Ubuntu to openSUSE Tumbleweed and are happy.

There was some misunderstanding about the new release development of openSUSE Leap. Some people thought that would be a second rolling release by openSUSE. After explaining that we want to do that only in the development phase to achieve a more stable operating system and that we will have a release day every year again, these customers were happy again and liked this idea. More stability is a good reason. 🙂

invis server had its meeting about their new project openSUSE SMB. One openSUSE customer was interested in this project and I brought him to Stefan. Some booth visitors want to visit our next oSC in Nuremberg.

We had more customers than in the year before. Sometimes guys asked how to change to us and to contribute. Linux beginners wanted to have live CDs. We wrote flash drives with Tumbleweed live images for them.

On Sunday we had a raffle at our booth. The award was a big chameleon. You can see the winner in the picture. At the end I took part in the raffle by Thomas Krenn AG. 🙂

They produce server hardware and storage. Their first award was a low-energy server, which I won. That's ideal for students like me. The best thing is that this server hardware is supported by openSUSE.

Chemnitzer LinuxTage was a fantastic open source event like every year. Thanks for the sponsoring!

tcpdump of a docker container

You create Docker containers and many tools are missing, for example tcpdump.

So I was looking for a solution for sniffing the traffic from outside of the container. It is recommended to set up an additional (tcpdump) container and to use it with the following network connection:

docker pull adamoss/docker-tcpdump

docker run -ti --net=container:${id} adamoss/tcpdump port https or port http

You can specify different ports and save the data in a file. The id is the name of the container, and "--net=container:" means that you get the input/output traffic of the Docker container as if the command were executed on the same system.

Running for the openSUSE Board

Hi! I'm Sarah Julia Kriesch, 29 years old, educated as a Computer Science Expert for System Integration, and currently studying Computer Science at the TH Nürnberg.

Introduction and Biography

I am a student at the TH Nürnberg, Student Officer for Computer Science (Fachschaft Informatik) and a Working Student (Admin/DevOps) at ownCloud. I changed from working life to student life this year. I have received the scholarship "Aufstiegsstipendium" (translated "upgrading scholarship") for students with work experience from the BMBF.

I have got 4 years of work experience as a Linux System Administrator in Core System Administration (Monitoring) at 1&1 Internet AG/United Internet and as a (Managing) Linux Systems Engineer for MRM Systems (SaaS) at BrandMaker. MRM Systems are systems for project management in marketing (Marketing Resource Management Systems).

I used SLES/openSUSE for the first time in 2009 during my German vocational training in information technology. In the company I learned installations with YaST. I wanted to know more, which was the reason for going to conferences and expos. I tried to educate myself (with community support and vocational school) until the end of my 2nd year. oSC11 was the time I met the openSUSE community. Marco Michna wanted to become my mentor in system administration and gave me private lessons until his death. I got a scholarship for further education (a free Linux training) from Heinlein. Both were a good base for starting in the job after completing the vocational training.

I wasn't allowed to contribute to openSUSE during my last year of education, because my training company didn't want to see that. They searched Google for all contributions in forums and communities. That's the reason why I am using the anonymous nickname "AdaLovelace" at openSUSE. I had to wait until my first job, where I worked together with contributors/members of Debian, FreeBSD and Fedora, to join openSUSE again.

I started with German translations at openSUSE after half a year of work experience. Most of you know me from oSCs (since 2011). I was a member of the Video Team and the Registration Desk and contributed as a speaker. Since 2013 I have been a wiki maintainer and admin in the German wiki. Since 2014 I have been an active Advocate in Germany. I give yearly presentations, organize booths and take part in different Open Source events. As a GUUG member (German Unix User Group) I asked for a sponsorship for oSC16. I gave my first (English) presentation, about performance monitoring, there.

This year I have joined the Heroes Team and the Release Management Team. I founded the Heroes Team with my friends during oSC16 because of the spam in the wiki. I became the coordinator for this project. I am Translation Coordinator now, too. I was responsible for the documentation of openSUSE Leap 42.2, so I wrote a lot in the English wiki this year. I was interviewed (as an Advocate) by Hacker Public Radio at FOSDEM 2016.

Some of you know me from different mailing lists. That's the best way to reach me.

I love openSUSE and pick up tasks if I see something to do where I can help with my sysadmin/coordination/documentation/BPM skills. Free periods (Monday & Tuesday) are reserved for openSUSE contributions. If somebody asks me for technical help (regardless of whether it is programming, infrastructure or communication), I'll try to find a solution. I learned to work agile (Scrumban in system administration), which I want to transfer to my teams in open source projects.

Issues I can see

I want to improve the cooperation between openSUSE and universities/ TH Nürnberg as the founder of the Open Source AG there.

openSUSE should be one of the main distributions on AWS (main AMI).

The openSUSE infrastructure should be easier to access for openSUSE admins, so that we can react to escalations very fast.

Role of the Board

My goal is to have happy customers and developers. That's what I want to achieve as an Advocate and (perhaps) as a Board Member in the future.

We should live freedom in the community. Everybody should do what he likes. I don't like bossing. But I want to help in leadership with coordination and solutions where needed.

Why you should vote for me

  •  I am a geek(o).
  •  I like new technologies and learning.
  •  I know most important people in the community.
  •  I learned coordination in my first job, which I can use as a Board Member, too.
  •  I am educated by communities.
  •  I have got an education in information technology.
  •  I contribute to different parts of the project (technical and non-technical).
  •  I have got a big open source network (openSUSE, ownCloud, GUUG, …).
  •  I have got international work experience.
  •  I love openSUSE.

Aims/ Goals

We should improve openSUSE and hold the position of being one of the best Linux distributions.

I want to be open for cooperation with other Linux/ open source projects.

openSUSE on ownCloud

It is Christmas time and I have got cookie cutters from openSUSE and ownCloud. What can you create as a happy Working Student at ownCloud and an openSUSE contributor?

Normally you deploy ownCloud on openSUSE. But do you know the idiom "to be in seventh heaven" (auf Wolke 7 schweben)?

I want to show you openSUSE Leap 42.2 on ownCloud 9.

Image: openSUSE Leap 42.2 on ownCloud 9

9.1 is the latest release, and 7 is not up to date and insecure for the openSUSE chameleon. The second reason is that the chameleon has got a perfect place on the cloud.

You can watch the success in both projects!

I wish you all a Merry Christmas and a lot of fun with your cookie cutters!

OpenRheinRuhr 2016

openSUSE took part in the OpenRheinRuhr like every year. This year we were a sponsor, and I was the organiser of that and of the booth. In addition, I gave a presentation about the new release of openSUSE Leap 42.2. It was full and many people were interested in the news from the community. I do that yearly, and openSUSE talks have been standard there for 3 years. Many people are saying that I must not be missing as a speaker. The second standard speaker of openSUSE is Axel. His talk was about SUSE Studio and GNU Health this year. We represent openSUSE with our talks at the OpenRheinRuhr.

At first all contributors got their T-shirts and the table should be full of marketing material. Christian and Simon were looking after our customers during my presentation. All people laughed after hearing I would be a Working Student at ownCloud now and that we want to have a cooperation booth (openSUSE / ownCloud) next year, because I want to continue with organizing. The question about 32-bit support popped up again, and the audience was happy that we have got Tumbleweed for that. openSUSE in the Linux ranking and our plans were questions, too. Top Linux speakers (from Germany) were in the audience. They are my new focus for marketing, because they can represent openSUSE during their presentations and are really enthusiastic.

After lunch Simon asked me whether he could go to talks. I said: "Of course! You are an Advocate and should learn here, too. There aren't better options than talks during such events for getting qualified people for the booth. I know why I look after enough people for a booth (more than 2) during conferences and expos." Simon smiled, told us the times and used it for learning in 2 talks.

We have got new interested volunteers for openSUSE. One guy wants to join the heroes team and a woman wants to become an Advocate. Other distributions want to cooperate, too. Gentoo created pins with our logo for our fans. And fsfe came to us with their cloud stickers and showed us the normed SUSE cloud on their stickers. All were happy. We had a lot of fun!

We had a conference party in the evening. We had so many sponsors that we were allowed to get free beer (for all) and barbecue food (for contributors). Thanks to all sponsors! It was a nice evening.

The ZDF (Zweites Deutsches Fernsehen) was there on the second day. They went through the hall with their camera. Self-filming (with webcam) in front of the ffmpeg booth was most interesting for them. I had to give ownCloud support, and the webcam security (of openSUSE) was a highlight for customers. We were asked about our release day very often, and I showed my presentation slides again and again. At the end Christian and I won books (Scrum and LibreOffice) at the tombola. Axel's talk was successful, too.

We enjoyed the OpenRheinRuhr and want to take part in such an Open Source event (with a minimum of 2 talks) next year again. We know what we want to tell then, too. 😉

That was great!

openSUSE Conference 2016

From June 22 until June 26 was the openSUSE Conference in Nuremberg. The location was the Z Bau. We had a lot of good presentations, from Security, YaST News and Release Management to Infrastructure, Monitoring and Configuration Management.

That was the first conference with my own presentation in English. The talk was about monitoring and stress tests, something I have done in the last years in my job. At first I was nervous. But I had many good friends around me who took that away. 2 of them gave presentations, too. Oliver talked about USB in the kernel development and Christian made a quiz.

It was a good place and time for team discussions. Christian and I wanted to speak with the Infrastructure team about the situation with the wiki servers in the United States. We needed a SUSE guy from there and found Craig. After that we created an Infrastructure meeting, and the openSUSE heroes team has existed since then. I am the coordinator for a new wiki setup, and openSUSE contributors can get access to the infrastructure. That was the highlight of the conference!

We took part in a Nuremberg tour through fermentation cellars, which was really interesting. We discussed a lot and were able to see people in the community from all over the world. The SUSE band played music in the evening and we had a lot of fun!