Hi, I'm researching Pulumi cloud and I'm wondering...
# getting-started
Hi, I'm researching Pulumi cloud and I'm wondering about the security aspect. If i understand the docs correctly when i create an azure keyvault secret the pulumi state will contain that secret value, that value can be encrypted with the built in pulumi cloud encryption or with an external key provider like a separate azure keyvault key not managed by pulumi. My question is if I use an external key provider then pulumi cloud will never have access to the secret value as the actual encryption/decryption process happens in Pulumi CLI on my hardware?
My assumption has been that Pulumi Cloud will store the encrypted secret in the state but the decryption key will be stored in your encryption backend and decryption process only happens locally.
This is also my assumption but i want to verify it