Hi, I'm researching Pulumi Cloud and I'm wondering...
# getting-started
b
Hi, I'm researching Pulumi Cloud and I'm wondering about the security aspect. If I understand the docs correctly, when I create an Azure Key Vault secret the Pulumi state will contain that secret value. That value can be encrypted with the built-in Pulumi Cloud encryption or with an external key provider, like a separate Azure Key Vault key not managed by Pulumi. My question is: if I use an external key provider, then Pulumi Cloud will never have access to the secret value, as the actual encryption/decryption process happens in the Pulumi CLI on my hardware?
a
My assumption has been that Pulumi Cloud will store the encrypted secret in the state, but the decryption key will be stored in your encryption backend and the decryption process only happens locally.
b
This is also my assumption, but I want to verify it.