This is a short how-to for securing Saltstack communication via spiped.
(most of it is based on the how-to I wrote on securing Elasticsearch with spiped)

First, install spiped

FreeBSD

pkg install spiped

Debian/Ubuntu

apt install spiped

CentOS (for those who haven’t migrated yet)

vim /etc/yum.repos.d/spiped.repo
[lsde-spiped]
name=spiped repo
baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

install spiped

yum clean all
yum install spiped

generate symmetric encryption key

dd if=/dev/urandom of=/root/saltpipe.key bs=32 count=1

and copy the key file onto every client over a secure channel (anyone who holds this key can connect through the pipe)

run spiped on Salt MASTER

Spiped will listen on port 14505/14506 and forward traffic to 4505/4506 (TCP forwarding must be enabled)

spiped -d -s '[0.0.0.0]:14505' -t '[127.0.0.1]:4505' -k /root/saltpipe.key
spiped -d -s '[0.0.0.0]:14506' -t '[127.0.0.1]:4506' -k /root/saltpipe.key

run spiped on Salt MINION

Spiped will listen on port 4505/4506 and forward to the Salt master on ports 14505/14506

spiped -e -s '[127.0.0.1]:4505' -t 192.168.0.10:14505 -k /root/saltpipe.key
spiped -e -s '[127.0.0.1]:4506' -t 192.168.0.10:14506 -k /root/saltpipe.key

Now automate that by adding it to systemd:

on Salt MASTER

vim /etc/systemd/system/spiped-4505.service 

(don’t forget -F, which keeps spiped in the foreground so systemd can supervise it)

[Unit]
Description=spiped receive Saltstack 4505
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:14505 -t 127.0.0.1:4505 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

vim /etc/systemd/system/spiped-4506.service

[Unit]
Description=spiped receive Saltstack 4506
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:14506 -t 127.0.0.1:4506 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

vim /etc/salt/master
interface: 127.0.0.1

and enable/start all services

systemctl enable spiped-4505
systemctl enable spiped-4506
systemctl start spiped-4505
systemctl start spiped-4506
systemctl restart salt-master

If you’re running FreeBSD you can simply add the startup commands to /etc/rc.conf and run

sysrc spiped_enable=YES
service spiped start

vim /etc/rc.conf
spiped_pipes="publish returner"
spiped_pipe_publish_mode="decrypt" #use client on minion
spiped_pipe_publish_source="[0.0.0.0]:14505"
spiped_pipe_publish_target="127.0.0.1:4505"
spiped_pipe_publish_key="/root/saltpipe.key" #or any key you created

spiped_pipe_returner_mode="decrypt" #use client on minion
spiped_pipe_returner_source="[0.0.0.0]:14506"
spiped_pipe_returner_target="127.0.0.1:4506"
spiped_pipe_returner_key="/root/saltpipe.key" #or any key you created

on Salt MINION

vim /etc/systemd/system/spiped-4505.service 

(don’t forget -F)

[Unit]
Description=spiped transmitter Saltstack 4505
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -e -s [127.0.0.1]:4505 -t 192.168.0.10:14505 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

vim /etc/systemd/system/spiped-4506.service

[Unit]
Description=spiped transmitter Saltstack 4506
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -e -s [127.0.0.1]:4506 -t 192.168.0.10:14506 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

vim /etc/salt/minion
master: localhost

and enable/start all services

systemctl enable spiped-4505
systemctl enable spiped-4506
systemctl start spiped-4505
systemctl start spiped-4506
systemctl restart salt-minion

Don’t forget to set up your firewalls accordingly!
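
To check the result on a Linux host, the following added example (not part of the original how-to) audits the listening sockets: the plaintext Salt ports 4505/4506 must be bound to loopback only, and on the master the spiped ports 14505/14506 must be listening. The function name, its master/minion argument and the sample socket lists are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original how-to). Linux only: reads the output
# of "ss -Hltn" on stdin and checks it against the port layout used above.
# Usage: ss -Hltn | audit_salt_listeners master   (or: minion)
# Prints one finding per line and returns non-zero if there is any finding.
audit_salt_listeners() {
    awk -v role="$1" '
    $1 == "LISTEN" {
        addr = $4; port = $4
        sub(/.*:/, "", port)        # keep the text after the last colon
        sub(/:[^:]*$/, "", addr)    # drop ":port"
        sub(/%.*/, "", addr)        # drop an interface scope such as %lo
        seen[port] = 1
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        # The plaintext Salt ports must never be reachable from the network.
        if ((port == "4505" || port == "4506") && !loopback) {
            print "EXPOSED " $4
            bad = 1
        }
    }
    END {
        # Both roles need 4505/4506; the master also needs the spiped ports.
        want = (role == "master") ? "4505 4506 14505 14506" : "4505 4506"
        n = split(want, need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in seen)) { print "MISSING " need[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: a master set up as described (plus an unrelated sshd).
SAMPLE_MASTER_OK='LISTEN 0 128 0.0.0.0:14505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:14506 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4505 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample: a minion whose 4505 pipe listens on every interface.
SAMPLE_MINION_BAD='LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4506 0.0.0.0:*'

printf '%s\n' "$SAMPLE_MASTER_OK" | audit_salt_listeners master \
    && echo "master sample: ok"
printf '%s\n' "$SAMPLE_MINION_BAD" | audit_salt_listeners minion \
    || echo "minion sample: findings listed above"
```

An EXPOSED finding on a minion means any host that can reach that port gets its traffic forwarded through the encrypted pipe to the master, so the listener should be rebound to 127.0.0.1.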