
important-jackal-88836

07/03/2018, 10:43 PM
If I use a secret config as an input, does it end up unencrypted in my checkpoint?

white-balloon-205

07/03/2018, 11:04 PM
Currently yes. We blank it out in the update progress output, but it will get stored into the checkpoint if used directly as an input to a resource, and so will be visible in contexts where you see the checkpoint file. We're considering options for a first-class notion of Secret value that can flow through a program and be encrypted even in locations it gets serialized (checkpoints or runtime functions). See https://github.com/pulumi/pulumi/issues/397. We also added this to our FAQ recently - see https://pulumi.io/reference/faq.html#are-my-secrets-ever-visible.

important-jackal-88836

07/03/2018, 11:10 PM
Is the checkpoint stored encrypted by Pulumi?

white-balloon-205

07/03/2018, 11:13 PM
Yes - all checkpoint files are encrypted at rest in our backend storage (S3). We will likely go further and encrypt with a per-user key on top of this in the near future. /cc also @bitter-oil-46081.

important-jackal-88836

07/03/2018, 11:16 PM
OK, that was the main question I had after reading the FAQs.

white-balloon-205

07/03/2018, 11:16 PM
Makes sense - we'll add a note on that to the FAQ.

important-jackal-88836

07/03/2018, 11:24 PM
OK, that helps me understand the situation much better now, thanks for your help 👍