No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hello all. Is there a way to produce an encrypted private key with the `pulumi_tls` package? Something similar to when using `openssl req -new -newkey rsa:2048 -sha256 -keyout &gt;(cat -) -passout "pass:${password}" -subj "/"`.

what’s the use case for this? doesn’t pulumi already encrypt the outputs of <https://www.pulumi.com/registry/packages/tls/api-docs/privatekey/>?

Hello <@U03GWP93ZD1>. The output is more generally encrypted for the sake of obfuscation when using the outputs. The use-case here is a cert-manager controller that uses the key as a registration authority, and by design is using an encrypted RSA key protected by a passphrase. This would be a resource such as `PrivateKey` with an additional argument of `passphrase` is what I would expect, but that does not seem to be implemented.

This means the controller is expecting the Certificate PEM, encrypted RSA key PEM, and passphrase for decrypting the RSA.