community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access
Note
This module is part of the community.crypto collection (version 2.22.0).
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.crypto
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_privatekey_pipe
.
New in community.crypto 1.3.0
Synopsis
Keys are generated in PEM format.
Make sure to not write the result of this module into logs or to the console, as it contains private key data! Use the
no_log
task option to be sure.Note that this module is implemented as an action plugin and will always be executed on the controller.
This allows to read and write keys to vaults without having to write intermediate versions to disk.
This module allows one to (re)generate OpenSSL private keys without disk access.
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
cryptography >= 1.2.3 (older versions might work as well)
Parameters
Parameter |
Comments |
---|---|
The cipher to encrypt the private key. This is only used when Must be Default: |
|
The current private key data. Needed for idempotency. If not provided, the module will always return a change, and all idempotence-related options are ignored. |
|
Set to Choices:
|
|
Note that not all curves are supported by all versions of For maximal interoperability, We use the curve names as defined in the IANA registry for TLS. Please note that all curves except Choices:
|
|
Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format) is used for all keys which support it. Please note that not every key can be exported in any format. The value Note that if the format for an existing private key mismatches, the key is regenerated by default. To change this behavior, use the Choices:
|
|
Determines behavior of the module if the format of a private key does not match the expected format, but all other parameters are as expected. If set to If set to Only supported by the Choices:
|
|
The passphrase for the private key. |
|
Allows to configure in which situations the module is allowed to regenerate private keys. The module will always generate a new key if the destination file does not exist. By default, the key will be regenerated when it does not match the module’s options, except when the key cannot be read or the passphrase does not match. Please note that this changed for Ansible 2.10. For Ansible 2.9, the behavior was as if If set to If set to If set to If set to If set to Note that if Choices:
|
|
Set to Note that in case of check mode, when this option is not set to Choices:
|
|
Determines which crypto backend to use. The default choice is If set to Choices:
|
|
Size (in bits) of the TLS/SSL key to generate. Default: |
|
The algorithm used to generate the TLS/SSL private key. Note that Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller. |
|
Support: none This action runs completely on the controller. |
Supports being used with the |
|
Support: full Currently in check mode, private keys will not be (re-)generated, only the changed status is set. This will change in community.crypto 3.0.0. From community.crypto 3.0.0 on, the module will ignore check mode and always behave as if check mode is not active. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository. |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
See Also
See also
- community.crypto.openssl_privatekey
Generate OpenSSL private keys.
- community.crypto.openssl_privatekey_info
Provide information for OpenSSL private keys.
- community.crypto.x509_certificate
Generate and/or check OpenSSL certificates.
- community.crypto.x509_certificate_pipe
Generate and/or check OpenSSL certificates.
- community.crypto.openssl_csr
Generate OpenSSL Certificate Signing Request (CSR).
- community.crypto.openssl_csr_pipe
Generate OpenSSL Certificate Signing Request (CSR).
- community.crypto.openssl_dhparam
Generate OpenSSL Diffie-Hellman Parameters.
- community.crypto.openssl_pkcs12
Generate OpenSSL PKCS#12 archive.
- community.crypto.openssl_publickey
Generate an OpenSSL public key from its private key.
Examples
- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
community.crypto.openssl_privatekey_pipe:
register: output
no_log: true # make sure that private key data is not accidentally revealed in logs!
- name: Show generated key
ansible.builtin.debug:
msg: "{{ output.privatekey }}"
# DO NOT OUTPUT KEY MATERIAL TO CONSOLE OR LOGS IN PRODUCTION!
- name: Generate or update a Mozilla sops encrypted key
block:
- name: Update sops-encrypted key with the community.sops collection
community.crypto.openssl_privatekey_pipe:
content: "{{ lookup('community.sops.sops', 'private_key.pem.sops') }}"
size: 2048
register: output
no_log: true # make sure that private key data is not accidentally revealed in logs!
- name: Update encrypted key when openssl_privatekey_pipe reported a change
community.sops.sops_encrypt:
path: private_key.pem.sops
content_text: "{{ output.privatekey }}"
when: output is changed
always:
- name: Make sure that output (which contains the private key) is overwritten
ansible.builtin.set_fact:
output: ''
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Elliptic curve used to generate the TLS/SSL private key. Returned: changed or success, and Sample: |
|
The fingerprint of the public key. Fingerprint will be generated for each Returned: changed or success Sample: |
|
The generated private key’s content. Please note that if the result is not changed, the current private key will only be returned if the Will be Base64-encoded if the key is in raw format. Returned: changed, or |
|
Size (in bits) of the TLS/SSL private key. Returned: changed or success Sample: |
|
Algorithm used to generate the TLS/SSL private key. Returned: changed or success Sample: |