diff --git a/lib/ansible/modules/network/aruba/aruba_config.py b/lib/ansible/modules/network/aruba/aruba_config.py
index 21ad536ba05..f1d7123dcc7 100644
--- a/lib/ansible/modules/network/aruba/aruba_config.py
+++ b/lib/ansible/modules/network/aruba/aruba_config.py
@@ -125,10 +125,12 @@ options:
         will only be copied to the startup-config if it has changed since
         the last save to startup-config.  If the argument is set to
         I(never), the running-config will never be copied to the
-        startup-config
+        startup-config.  If the argument is set to I(changed), then the running-config
+        will only be copied to the startup-config if the task has made a change.
     required: false
     default: never
-    choices: ['always', 'never', 'modified']
+    choices: ['always', 'never', 'modified', 'changed']
+    version_added: "2.5"
   diff_against:
     description:
       - When using the C(ansible-playbook --diff) command line argument
@@ -160,6 +162,15 @@ options:
         argument, the task should also modify the C(diff_against) value and
         set it to I(intended).
     required: false
+  encrypt:
+    description:
+      - This allows an Aruba controller's passwords and keys to be displayed in plain
+        text when set to I(false) or encrypted when set to I(true).
+        If set to I(false), the setting will re-encrypt at the end of the module run.
+        Backups are still encrypted even when set to I(false).
+    required: false
+    default: true
+    version_added: "2.5"
 """
 
 EXAMPLES = """
@@ -266,10 +277,12 @@ def main():
 
         backup=dict(type='bool', default=False),
 
-        save_when=dict(choices=['always', 'never', 'modified'], default='never'),
+        save_when=dict(choices=['always', 'never', 'modified', 'changed'], default='never'),
 
         diff_against=dict(choices=['running', 'startup', 'intended']),
         diff_ignore_lines=dict(type='list'),
+
+        encrypt=dict(type='bool', default=True),
     )
 
     argument_spec.update(aruba_argument_spec)
@@ -298,6 +311,9 @@ def main():
         if module.params['backup']:
             result['__backup__'] = contents
 
+    if not module.params['encrypt']:
+        run_commands(module, 'encrypt disable')
+
     if any((module.params['src'], module.params['lines'])):
         match = module.params['match']
         replace = module.params['replace']
@@ -343,6 +359,9 @@ def main():
 
         if running_config.sha1 != startup_config.sha1:
             save_config(module, result)
+    elif module.params['save_when'] == 'changed':
+        if result['changed']:
+            save_config(module, result)
 
     if module._diff:
         if not running_config:
@@ -380,6 +399,9 @@ def main():
                     'diff': {'before': str(base_config), 'after': str(running_config)}
                 })
 
+    # make sure 'encrypt enable' is applied if it was ever disabled
+    if not module.params['encrypt']:
+        run_commands(module, 'encrypt enable')
     module.exit_json(**result)
 
 
diff --git a/test/units/modules/network/aruba/test_aruba_config.py b/test/units/modules/network/aruba/test_aruba_config.py
index dac49f78b02..34f36881f77 100644
--- a/test/units/modules/network/aruba/test_aruba_config.py
+++ b/test/units/modules/network/aruba/test_aruba_config.py
@@ -68,7 +68,7 @@ class TestArubaConfigModule(TestArubaModule):
         result = self.execute_module()
         self.assertIn('__backup__', result)
 
-    def test_aruba_config_save(self):
+    def test_aruba_config_save_always(self):
         self.run_commands.return_value = "Hostname foo"
         set_module_args(dict(save_when='always'))
         self.execute_module(changed=True)
@@ -78,6 +78,30 @@ class TestArubaConfigModule(TestArubaModule):
         args = self.run_commands.call_args[0][1]
         self.assertIn('copy running-config startup-config', args)
 
+    def test_aruba_config_save_changed_true(self):
+        src = load_fixture('aruba_config_src.cfg')
+        set_module_args(dict(src=src, save_when='changed'))
+        commands = ['hostname foo', 'interface GigabitEthernet0/0',
+                    'no ip address']
+        self.execute_module(changed=True, commands=commands)
+        # src = load_fixture('aruba_config_src.cfg')
+
+        # set_module_args(dict(save_when='changed'))
+        # commands = ['hostname changed']
+        # self.execute_module(changed=False, commands=commands)
+        self.assertEqual(self.run_commands.call_count, 1)
+        self.assertEqual(self.get_config.call_count, 1)
+        self.assertEqual(self.load_config.call_count, 1)
+        args = self.run_commands.call_args[0][1]
+        self.assertIn('copy running-config startup-config', args)
+
+    def test_aruba_config_save_changed_false(self):
+        set_module_args(dict(save_when='changed'))
+        self.execute_module(changed=False)
+        self.assertEqual(self.run_commands.call_count, 0)
+        self.assertEqual(self.get_config.call_count, 0)
+        self.assertEqual(self.load_config.call_count, 0)
+
     def test_aruba_config_lines_wo_parents(self):
         set_module_args(dict(lines=['hostname foo']))
         commands = ['hostname foo']
@@ -144,3 +168,11 @@ class TestArubaConfigModule(TestArubaModule):
         set_module_args(dict(lines=lines, parents=parents, match='exact'))
         commands = parents + lines
         self.execute_module(changed=True, commands=commands, sort=False)
+
+    def test_aruba_encrypt_false(self):
+        set_module_args(dict(encrypt=False))
+        self.execute_module()
+        self.assertEqual(self.run_commands.call_count, 2)
+        args = self.run_commands.call_args_list
+        self.assertIn('encrypt disable', args[0][0])
+        self.assertIn('encrypt enable', args[1][0])