Why no rsaencrypt or keybase encrypt? #31045
Comments
Hi @gtmtech, thanks for the feature request! There is an on-going conversation about creating some mechanism to define "function providers," and cryptographic functions are one of the obvious candidates for external (not built-in) functions. For a bit more info, please see: #28855 (comment), specifically:
There is also some conversation around this in #28209, in terms of examples of functions we think would be reasonable to be built-in functions. I don't have any specific updates to share on this discussion, and will leave this ticket open to revisit in the future when we have gotten further in discussion and/or development of external functions.

For the keybase portion in particular, it should be possible in principle to write a provider wrapping the Keybase API to perform this functionality. It looks like the model of the Keybase API is that the client retrieves the key from the API and does the actual encryption operation locally, so I expect this would end up being a more involved Terraform provider than most in that it won't just be a thin wrapper around the remote API, but the Keybase Go library seems to encapsulate the client-side functionality needed to perform encryption and signing operations.

So far, aside from some early mistakes like the

Since Terraform already has an open ecosystem of providers, I'd suggest pursuing the development of a provider if you need this functionality today. As @crw mentioned, we are also considering allowing providers to contribute normal functions in future too, but the Terraform language design requires functions to behave as pure functions and so a random-salt-based encryption operation would not be suitable for implementation as a function.
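The purity point in the reply above is worth seeing concretely. The following is an added example in Go (the language Terraform itself is written in), not code from Terraform or from anyone in this thread: it encrypts the same plaintext twice under the same RSA public key and shows that the two ciphertexts differ, while decryption of either one returns the original plaintext. Both RSA-OAEP (used here) and PKCS#1 v1.5 encryption padding draw fresh random bytes on every call, so a hypothetical `rsaencrypt` function would return a different value on every plan and could never satisfy Terraform's requirement that functions be pure; the existing `rsadecrypt` direction is deterministic and has no such problem. The key size and the use of SHA-256 for OAEP are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EncryptTwice encrypts plaintext twice with RSA-OAEP under the same public key.
// Because OAEP seeds each encryption with fresh randomness, the two ciphertexts
// differ even though the key and plaintext are identical. That is exactly why an
// encryption operation cannot be modelled as a pure Terraform function.
func EncryptTwice(pub *rsa.PublicKey, plaintext []byte) (c1, c2 []byte, differ bool, err error) {
	c1, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return nil, nil, false, err
	}
	c2, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return nil, nil, false, err
	}
	return c1, c2, !bytes.Equal(c1, c2), nil
}

// Decrypt is the deterministic direction: the same ciphertext always yields the
// same plaintext, which is why a decrypt function fits the pure-function model.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Demo generates a throwaway key pair (for the example only; a real deployment
// would use a recipient's published public key) and reports whether the two
// encryptions differ and whether both decrypt back to the original secret.
func Demo() (ciphertextsDiffer bool, roundTripOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	secret := []byte("constructed sample secret produced by a resource") // constructed input

	c1, c2, differ, err := EncryptTwice(&priv.PublicKey, secret)
	if err != nil {
		return false, false, err
	}
	p1, err := Decrypt(priv, c1)
	if err != nil {
		return differ, false, err
	}
	p2, err := Decrypt(priv, c2)
	if err != nil {
		return differ, false, err
	}
	return differ, bytes.Equal(p1, secret) && bytes.Equal(p2, secret), nil
}

func main() {
	differ, ok, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("ciphertexts differ: %v, both decrypt to the original: %v\n", differ, ok)
}
```

The practical consequence for the feature request is that even if providers gain the ability to contribute functions, an encryption function would have to be deterministic to fit, and deterministic public-key encryption (fixed padding, or no padding at all) is not something a security engineer should want in a state file. A resource or data source in a provider, which is allowed to carry side effects and randomness, is the right home for this operation.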
Current Terraform Version
Latest
Use-cases
I am using a resource which produces a secret. I want to handle this secret in a sensitive way, therefore I want to output it in an encrypted form.
For example:
I realise that because it's unencrypted in the resource attributes, it will be unencrypted in the statefile. I understand the things that sensitive and nonsensitive give you. However these just obscure data, and what I want is to take an output and safely communicate it to someone who has the private key to decrypt it.
I notice there is an rsadecrypt but no corresponding rsaencrypt, which would be ideal. Or what would be even better is to use keybase or gpg to encrypt via a publicly available public_key so that only the user with the private key can decrypt the output. Much like the way aws_keypair works. However, I want that feature for any arbitrary output, even if its source comes from a non-encrypted source.
Attempted Solutions
None as yet
Proposal
Implement the equivalent of keybase encrypt or gpg encrypt on arbitrary strings, as a function that can be used by the user any way they wish.