Currently yes. We blank it out in the update progress output, but it will get stored into the checkpoint if used directly as an input to a resource, and so will be visible in contexts where you see the checkpoint file. We're considering options for a first-class notion of Secret value that can flow through a program and be encrypted even in locations it gets serialized (checkpoints or runtime functions). See https://github.com/pulumi/pulumi/issues/397.
We also added this to our FAQ recently - see https://pulumi.io/reference/faq.html#are-my-secrets-ever-visible.
important-jackal-88836
07/03/2018, 11:10 PM
is the checkpoint stored encrypted by pulumi?
white-balloon-205
07/03/2018, 11:13 PM
Yes - all checkpoint files are encrypted at rest in our backend storage (S3). We will likely go further and encrypt with a per-user key on top of this in the near future. /cc also @bitter-oil-46081.
important-jackal-88836
07/03/2018, 11:16 PM
ok that was the main question I had after reading the faqs
white-balloon-205
07/03/2018, 11:16 PM
Makes sense - we'll add a note on that to the FAQ.
important-jackal-88836
07/03/2018, 11:24 PM
ok that helps me understand the situation much better now, thanks for your help 👍