I really like the approach of Passbolt to manage passwords with PGP. Passbolt also has a decent API that enables some scripting, and some basic Python packages already exist.

That made me wonder if I could use Passbolt as a password safe for Saltstack. After some research, I came up with a pretty simple Python script that renders Pillars from Passbolt groups. After installing https://github.com/netzbegruenung/passbolt-salt, you need to add the following lines to a Pillar SLS file:

def run():
    from salt_passbolt import fetch_passbolt_passwords
    # The following UUID is the UUID of a Passbolt group
    return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c") 

With that, you can access passwords in states with Jinja:

{{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}

I have to admit that addressing groups and passwords with UUIDs is not the most convenient way, but it definitely works.

Please note that the passwords are accessible to all servers that use this Pillar. Therefore create different Passbolt groups for your different servers.

Did you ever wonder how to store your most important backup password, for example for your full disk encryption? Print it to paper and store the paper in your parent’s safe? But what if that single copy gets destroyed over time and you just don’t know? And what if someone unauthorized gets his/her hands on the printout?

Then this simple script could be interesting for you. It lets you erasure code a phrase (password). You can decide into how many pieces you want to split your password, and how many pieces are needed to recover the original password.

For example, you can create 3 data and 2 parity chunks. That means, any 3 out of the 5 data chunks can recover your secret.

Please note that this has nothing to do with encryption. Basically each chunk contains a plain text part of the password/message. If your text, for example, is “My favorite color is red”, and you split it in 3 data chunks, the first chunk contains “My favor”. Also contained is the overall length of the message. This would make it pretty easy to guess the full text. Therefore, only use randomized strings. And make it a long password.

Also, the script can directly create QR codes for each chunk. That makes it easier to read the passwords back into a computer.

Now you can give the printed QR codes to trustees, and no single person can recover your password.

Update 2020-05-10: The best cryptographic solution for this problem would be Shamir’s Secret Sharing algorithm. There are lots of script that implement that.

For redundancy I am keeping the same PGP private key on multiple OpenPGP smart cards. Sadly, GnuPG does not provide a way to manage multiple smart cards for the same private key stub. Therefore, the management for the smart cards must be done manually. (This text does not cover creating multiple smart cards with the same device. Outline: I’m running the keytocard command multiple times on different smart cards.)

After importing the smart card on a device, the private key stubs are kept int the directory


To see which file belongs to which private (sub-)key, run

gpg --with-keygrip -K

Then move the files belonging to the smart card to backup locations, for example

cd ~/.gnupg/private-keys-v1.d 

Repeat this for all private keys stored on your smart card.

After that, unplug the first smart card and plug in the second smart card. Run

gpg --edit-card

Then run gpg –with-keygrip -K again and copy the newly created stub files files to new locations:

cd ~/.gnupg/private-keys-v1.d 

Now you can copy the .card1 or card2 files over the original key file and by that switch the smart card. You can write a short bash script that automatically copies the correct key file. Example:

touch ~/.gnupg/sc-toggle-status
SC=$(cat ~/.gnupg/sc-toggle-status)
if [ "$SC" == "card1" ]; then
  echo "card2" > .gnupg/sc-toggle-status
  find ~/.gnupg/private-keys-v1.d -name "*.card2" | while read f; do cp "$f" "${f%.card2}"; done
  echo "Switching to SmartCard 2"
  echo "card1" > .gnupg/sc-toggle-status
  find ~/.gnupg/private-keys-v1.d -name "*.card1" | while read f; do cp "$f" "${f%.card1}"; done
  echo "Switching to SmartCard 1"


Ein Foto pro Tag seit dem 27.6. Ich werde die Animation die nächsten Tage weiter verlängern/aktualisieren. Aufgenommen mit 1000D durch ein geliehenes 440mm Walimex, ganz dezent mit Gimp geschärft, mit Giotto zentriert und mit ImageMagic animiert.