https://pulumi.com logo
#getting-started
Title
# getting-started
b

bulky-receptionist-64562

03/13/2024, 9:32 AM
Hi, I'm researching Pulumi cloud and I'm wondering about the security aspect. If i understand the docs correctly when i create an azure keyvault secret the pulumi state will contain that secret value, that value can be encrypted with the built in pulumi cloud encryption or with an external key provider like a separate azure keyvault key not managed by pulumi. My question is if I use an external key provider then pulumi cloud will never have access to the secret value as the actual encryption/decryption process happens in Pulumi CLI on my hardware?
a

adventurous-butcher-54166

03/13/2024, 9:55 AM
My assumption has been that Pulumi Cloud will store the encrypted secret in the state but the decryption key will be stored in your encryption backend and decryption process only happens locally.
b

bulky-receptionist-64562

03/13/2024, 10:11 AM
This is also my assumption but i want to verify it