General question around the storage of secrets - I see secure values in config encoded as: v1:&lt;something&gt;:<something more>, and I'd like to decode one of these myself using the same azure key vault key to do so - what would be the process here? (this is for unit testing). My ideal situation would be that I can feed this string into azure key vault and decrypt; but I don't know the encryption settings - which algo, and do I need to split this string up and/or base64 decode it?

So only the master key goes through azure key vault. All the config values are encrypted via AES256 using that master key.

do you mind pointing me in the direction I would need to ask for that - I'm happy to raise an issue for this. I would also like to ask if you are able to explain how I might go about pulling the v1:&lt;something&gt;:<else> apart in order to decrypt, or perhaps easier is just pointing me at the encryption provider ?

https://github.com/pulumi/pulumi/issues for the new issue. In terms of the secret format it's,

v1:<nonce>:<AES256GCGM encrypted data>

there aren't really docs for this, its supposed to be an internal detail but the code for it is at https://github.com/pulumi/pulumi/blob/master/sdk/go/common/resource/config/crypt.go#L175

thanks - and hopefully last q, can you point me in the direction of the secrets provider code? I'm failing to decode the encryptedkey value from pulumi config (assuming this is the master key that I'll need when using Aes256)

Ah sorry was a long weekend. The secrets provider code in pulumi is mostly in https://github.com/pulumi/pulumi/tree/master/pkg/secrets.