
damp-honey-93158

08/25/2022, 11:14 AM
General question around the storage of secrets - I see secure values in config encoded as: v1:<something>:<something more>, and I'd like to decode one of these myself using the same azure key vault key to do so - what would be the process here? (this is for unit testing). My ideal situation would be that I can feed this string into azure key vault and decrypt; but I don't know the encryption settings - which algo, and do I need to split this string up and/or base64 decode it?

echoing-dinner-19531

08/25/2022, 12:08 PM
So only the master key goes through azure key vault. All the config values are encrypted via AES256 using that master key.
I don't think there's a good interface into the engine to get it to do this decryption ad-hoc
Probably worth an issue to github to ask for an interface
👍 1

damp-honey-93158

08/25/2022, 3:48 PM
Do you mind pointing me in the direction I would need to ask for that - I'm happy to raise an issue for this. I would also like to ask if you are able to explain how I might go about pulling the v1:<something>:<else> apart in order to decrypt, or perhaps easier is just pointing me at the encryption provider?

echoing-dinner-19531

08/25/2022, 5:06 PM
https://github.com/pulumi/pulumi/issues for the new issue. In terms of the secret format it's,
v1:<nonce>:<AES256GCM encrypted data>
There aren't really docs for this; it's supposed to be an internal detail, but the code for it is at https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L175

damp-honey-93158

08/26/2022, 6:49 AM
thanks - and hopefully last q, can you point me in the direction of the secrets provider code? I'm failing to decode the encryptedkey value from pulumi config (assuming this is the master key that I'll need when using Aes256)
My attempt at articulation of said request: https://github.com/pulumi/pulumi/issues/10511

echoing-dinner-19531

08/30/2022, 7:18 AM
Ah sorry was a long weekend. The secrets provider code in pulumi is mostly in https://github.com/pulumi/pulumi/tree/master/pkg/secrets.