Hello all. Is there a way to produce an encrypted private key with the

pulumi_tls

package? Something similar to when using

openssl req -new -newkey rsa:2048 -sha256 -keyout >(cat -) -passout "pass:${password}" -subj "/"

.

what’s the use case for this? doesn’t pulumi already encrypt the outputs of https://www.pulumi.com/registry/packages/tls/api-docs/privatekey/?

Hello @ancient-car-89914. The output is more generally encrypted for the sake of obfuscation when using the outputs. The use-case here is a cert-manager controller that uses the key as a registration authority, and by design is using an encrypted RSA key protected by a passphrase. This would be a resource such as

PrivateKey

with an additional argument of

passphrase

is what I would expect, but that does not seem to be implemented.