---
layout: "tls"
page_title: "TLS: tls_private_key"
sidebar_current: "docs-tls-resourse-private-key"
description: |-
  Creates a PEM-encoded private key.
---

# tls\_private\_key

Generates a secure private key and encodes it as PEM. This resource is
primarily intended for easily bootstrapping throwaway development
environments.

~> **Important Security Notice** The private key generated by this resource will be stored *unencrypted* in your Terraform state file. **Use of this resource for production deployments is *not* recommended**. Instead, generate a private key file outside of Terraform and distribute it securely to the system where Terraform will be run.

This is a *logical resource*, so it contributes only to the current Terraform
state and does not create any external managed resources.

## Example Usage

```
resource "tls_private_key" "example" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}
```

## Argument Reference

The following arguments are supported:

* `algorithm` - (Required) The name of the algorithm to use for
  the key. Currently-supported values are "RSA" and "ECDSA".

* `rsa_bits` - (Optional) When `algorithm` is "RSA", the size of the generated
  RSA key in bits. Defaults to 2048.

* `ecdsa_curve` - (Optional) When `algorithm` is "ECDSA", the name of the elliptic
  curve to use. May be any one of "P224", "P256", "P384" or "P521", with "P224" as the
  default.

## Attributes Reference

The following attributes are exported:

* `algorithm` - The algorithm that was selected for the key.
* `private_key_pem` - The private key data in PEM format.

## Generating a New Key

Since a private key is a logical resource that lives only in the Terraform state,
it will persist until it is explicitly destroyed by the user.

In order to force the generation of a new key within an existing state, the
private key instance can be "tainted":

```
terraform taint tls_private_key.example
```

A new key will then be generated on the next `terraform apply`.
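
The security notice above says the generated key is stored unencrypted in the state file. As an added example (not part of the Terraform documentation or the provider's code), this Python script walks any JSON state document and reports the paths where PEM private keys not marked as encrypted are stored. The sample state layout and the function names are assumptions made for illustration, and the key body is a placeholder.

```python
import json
import re
import sys

# BEGIN line of a PEM private key block; group 1 is the label prefix ("RSA ", "EC ", "").
PEM_BEGIN = re.compile(r"-----BEGIN ((?:[A-Z0-9]+ )*)PRIVATE KEY-----")

def is_plaintext_key(value):
    """True if the string holds a PEM private key that is not marked as encrypted."""
    match = PEM_BEGIN.search(value)
    if not match:
        return False
    # Skip PKCS#8 "ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED" blocks.
    return "ENCRYPTED" not in match.group(1) and "Proc-Type: 4,ENCRYPTED" not in value

def find_private_keys(node, path="$"):
    """Walk parsed JSON of any shape and return the paths of plaintext private keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_private_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_private_keys(value, f"{path}[{index}]")
    elif isinstance(node, str) and is_plaintext_key(node):
        hits.append(path)
    return hits

def scan_state(state_text):
    return find_private_keys(json.loads(state_text))

# Constructed sample state: the layout is an assumption and the key body is a
# placeholder. The walk does not depend on the layout, only on string values.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "type": "tls_private_key",
        "name": "example",
        "instances": [{"attributes": {
            "algorithm": "ECDSA",
            "private_key_pem": "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n",
        }}],
    }],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    for hit in scan_state(text):
        print("plaintext private key in state at", hit)
```

Run with a state file path as the only argument to scan that file; with no argument it scans the constructed sample.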