puma / puma

A Ruby/Rack web server built for parallelism

Home Page:https://puma.io

Support the ability to decrypt SSL key

stanhu opened this issue · comments

Is your feature request related to a problem? Please describe.

We have customers that are required to encrypt SSL keys and other secrets at rest. Currently the key is a plaintext file.

Other web servers implement this in a number of ways:

  1. NGINX supports an ssl_password_file (https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/). The file can contain multiple passwords separated by newlines, and NGINX attempts to decrypt the SSL private key with each passphrase in the file.
  2. Apache supports the ability to execute a script via the SSLPassPhraseDialog option (https://www.oreilly.com/library/view/apache-the-definitive/0596002033/re177.html). This script prints the password to stdout.

Describe the solution you'd like

The first solution would suffice, though the second seems more elegant. https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/ demonstrates how you could use a background process to populate a FIFO special file.

If key is specified, it seems that OpenSSL is passed the file here:

if (SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM) != 1) {
    raise_file_error("SSL_CTX_use_PrivateKey_file", RSTRING_PTR(key));
}

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_PrivateKey_file.html says:

The private keys loaded from file can be encrypted. In order to successfully load encrypted keys, a function returning the passphrase must have been supplied, see SSL_CTX_set_default_passwd_cb(3). (Certificate files might be encrypted as well from the technical point of view, it however does not make sense as the data in the certificate is considered public anyway.)

Perhaps we can do this:

  1. We add a ssl_key_decrypt_command parameter.
  2. If this is set, set the callback that executes this script, reads the stdout, and returns the value.
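As an added example, not part of the issue above and not Puma's own code, the following Ruby sketch shows what both proposals look like on top of Ruby's OpenSSL bindings: an Apache-style decrypt command whose stdout is the passphrase, and an NGINX-style password file whose lines are tried in order. The function names (`run_decrypt_command`, `load_key_via_command`, `load_key_via_password_file`), the sample passphrase, the generated key and the `printf` stand-in for a Vault-backed script are all assumptions made for this example. Puma's real `key` handling is in C (the `SSL_CTX_use_PrivateKey_file` call quoted above), so an actual implementation would install the passphrase callback there via `SSL_CTX_set_default_passwd_cb` before loading the key; the decision logic is the same.

```ruby
require "openssl"
require "open3"

# Hypothetical sketch of the ssl_key_decrypt_command idea (not Puma's code).
# Constructed sample material: a fresh RSA key encrypted at rest with a
# known passphrase, so the whole example runs offline.
SAMPLE_PASSPHRASE = "correct horse battery staple"

def make_encrypted_key_pem(passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  key.export(OpenSSL::Cipher.new("aes-256-cbc"), passphrase)
end

ENCRYPTED_KEY_PEM = make_encrypted_key_pem(SAMPLE_PASSPHRASE)

# Apache SSLPassPhraseDialog style: run the configured command and take its
# stdout as the passphrase. The command is an argv array executed without a
# shell, so a value taken from configuration cannot inject shell syntax.
# Only the trailing newline is removed; embedded spaces are part of the secret.
def run_decrypt_command(argv)
  out, status = Open3.capture2(*argv)
  raise "decrypt command failed: #{argv.first} (#{status})" unless status.success?
  out.chomp
end

# Load a PEM private key with the given passphrase. A wrong passphrase raises
# OpenSSL::PKey::PKeyError, which the password-file variant uses to move on
# to the next candidate instead of aborting.
def load_private_key(pem, passphrase)
  OpenSSL::PKey.read(pem, passphrase)
end

def load_key_via_command(pem, argv)
  load_private_key(pem, run_decrypt_command(argv))
end

# NGINX ssl_password_file style: one passphrase per line, tried in order,
# which allows rotation (old and new passphrase both present during cutover).
def load_key_via_password_file(pem, file_contents)
  file_contents.each_line(chomp: true) do |candidate|
    next if candidate.empty?
    begin
      return load_private_key(pem, candidate)
    rescue OpenSSL::PKey::PKeyError
      next
    end
  end
  raise OpenSSL::PKey::PKeyError, "no passphrase in password file decrypted the key"
end

# Constructed stand-ins for a real secret-fetching script and password file.
DECRYPT_COMMAND = ["printf", "%s\n", SAMPLE_PASSPHRASE]
PASSWORD_FILE_CONTENTS = "old-rotated-passphrase\n#{SAMPLE_PASSPHRASE}\n"

if __FILE__ == $0
  key = load_key_via_command(ENCRYPTED_KEY_PEM, DECRYPT_COMMAND)
  puts "decrypt command: loaded #{key.n.num_bits}-bit RSA key"
  key = load_key_via_password_file(ENCRYPTED_KEY_PEM, PASSWORD_FILE_CONTENTS)
  puts "password file: loaded #{key.n.num_bits}-bit RSA key"
end
```

Two points a deployment would still need to handle: the decrypted key lives in the server process's memory either way, so this protects the key at rest but not a compromised process; and whichever of the two options is used, the password file or the decrypt script (and anything it reads, such as a Vault token) must be as tightly permissioned as the plaintext key was, otherwise the encryption only moves the problem.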