LinuxCommandLibrary

salt-key

Manage Salt minion authentication keys

TLDR

List all keys (accepted, pending, and rejected)
$ salt-key -L
Accept a specific minion key
$ salt-key -a [minion_id]
Accept all pending keys
$ salt-key -A
Reject a specific minion key
$ salt-key -r [minion_id]
Delete a specific minion key
$ salt-key -d [minion_id]
Print the fingerprint of a specific key
$ salt-key -f [minion_id]
Print fingerprints of all keys
$ salt-key -F

SYNOPSIS

salt-key [options]

DESCRIPTION

salt-key manages Salt minion public keys on a Salt master server. In SaltStack's architecture, minions use public-key cryptography to authenticate with the master. When a minion first connects, it sends its public key to the master, and that key must be explicitly accepted before communication can occur.
Keys exist in three states: unaccepted (pending), accepted, or rejected. The salt-key command allows administrators to list, accept, reject, and delete keys. Fingerprint verification enables secure identification of minions before accepting their keys.

PARAMETERS

-L, --list-all
List all accepted, pending, and rejected minion keys
-l ARG, --list=ARG
List keys: pre/un/unaccepted, acc/accepted, rej/rejected, or all
-a KEYID, --accept=KEYID
Accept the specified minion key
-A, --accept-all
Accept all pending minion keys
-r KEYID, --reject=KEYID
Reject the specified minion key
-R, --reject-all
Reject all pending minion keys
-d KEYID, --delete=KEYID
Delete the specified minion key
-D, --delete-all
Delete all keys
-f KEYID, --finger=KEYID
Print the fingerprint of the specified key
-F, --finger-all
Print fingerprints of all keys
-y, --yes
Answer yes to all questions (use with caution)
-c DIR, --config-dir=DIR
Specify Salt configuration directory (default: /etc/salt)
--gen-keys=NAME
Generate a keypair with the specified name
--gen-keys-dir=DIR
Directory to save generated keypair
--keysize=SIZE
Key size for generated keys (minimum 2048)

CONFIGURATION

/etc/salt/pki/master/
Directory containing accepted, pending, and rejected minion public keys managed by salt-key.
/etc/salt/master
Master configuration file where key acceptance policies and auto-sign settings are defined.

CAVEATS

Always verify minion identity before accepting keys by comparing fingerprints. Deleting keys is permanent and prevents the minion from connecting until its key is regenerated. The -y flag bypasses confirmation prompts and should be used cautiously, especially with -A, -D, or -R. Requires root privileges or appropriate permissions on /etc/salt/pki/master/.
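
The fingerprint check described above can be scripted so that a key is accepted only on a match. The following is an added example, not part of salt-key or the Salt documentation; it assumes the expected fingerprint was read on the minion itself (for example with salt-call --local key.finger) and carried to the master over a separate channel. SALT_KEY_CMD and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of salt-key: accept a pending minion key only when
# the fingerprint the master holds equals one obtained out of band.
# SALT_KEY_CMD is a hypothetical override so the logic can be tested with a stub.
SALT_KEY_CMD=${SALT_KEY_CMD:-salt-key}

# Lowercase a fingerprint and strip whitespace so two copies compare equal.
normalize_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d '[:space:]'
}

# Read `salt-key -f` output on stdin. Print the fingerprint of minion $1 only
# if it is listed under "Unaccepted Keys:"; exit non-zero otherwise.
# The ID is compared exactly, in case more than one key is printed.
pending_fingerprint() {
    awk -v id="$1" '
        /Keys:[ \t]*$/ { pending = ($0 ~ /^Unaccepted Keys:/); next }
        pending && $1 == id ":" { print $2; found = 1; exit }
        END { exit !found }
    '
}

# accept_if_verified MINION_ID EXPECTED_FINGERPRINT
# Returns 0 after accepting, 1 on mismatch, 2 if no key is pending or no
# expected fingerprint was supplied.
accept_if_verified() {
    av_id=$1
    av_expected=$(normalize_fp "$2")
    [ -n "$av_expected" ] || { echo "no expected fingerprint given" >&2; return 2; }
    av_seen=$("$SALT_KEY_CMD" -f "$av_id" | pending_fingerprint "$av_id") || {
        echo "no pending key for $av_id" >&2
        return 2
    }
    if [ "$(normalize_fp "$av_seen")" != "$av_expected" ]; then
        echo "fingerprint mismatch for $av_id, not accepting" >&2
        return 1
    fi
    # Accept this one ID only; the comparison above stands in for the prompt
    # that -y suppresses.
    "$SALT_KEY_CMD" -y -a "$av_id"
}
```

A mismatch or a missing pending key leaves the key untouched, so the script fails closed.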

HISTORY

salt-key is part of SaltStack (now Salt Project), an open-source configuration management and remote execution tool created by Thomas Hatch in 2011. The key management system provides the security foundation for Salt's master-minion architecture.
