# general
e
So only the master key goes through azure key vault. All the config values are encrypted via AES256 using that master key.
I don't think there's a good interface into the engine to get it to do this decryption ad-hoc
Probably worth an issue to github to ask for an interface
d
do you mind pointing me in the direction I would need to ask for that - I'm happy to raise an issue for this. I would also like to ask if you are able to explain how I might go about pulling the v1<something><else> apart in order to decrypt, or perhaps easier is just pointing me at the encryption provider?
e
https://github.com/pulumi/pulumi/issues for the new issue. In terms of the secret format it's,
v1:<nonce>:<AES256GCM encrypted data>
there aren't really docs for this, it's supposed to be an internal detail but the code for it is at https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L175
d
thanks - and hopefully last q, can you point me in the direction of the secrets provider code? I'm failing to decode the encryptedkey value from pulumi config (assuming this is the master key that I'll need when using Aes256)
My attempt at articulation of said request: https://github.com/pulumi/pulumi/issues/10511
e
Ah sorry was a long weekend. The secrets provider code in pulumi is mostly in https://github.com/pulumi/pulumi/tree/master/pkg/secrets.