No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Currently yes.  We blank it out in the update progress output, but it will get stored into the checkpoint if used directly as an input to a resource, and so will be visible in contexts where you see the checkpoint file.  We're considering options for a first-class notion of Secret value that can flow through a program and be encrypted even in locations it gets serialized (checkpoints or runtime functions).  See <https://github.com/pulumi/pulumi/issues/397>.

We also added this to our FAQ recently - see <https://pulumi.io/reference/faq.html#are-my-secrets-ever-visible>.

is the checkpoint stored encrypted by pulumi?

Yes - all checkpoint files are encrypted at rest in our backend storage (S3).  We will likely go further and encrypt with a per-user key on top of this in the near future. /cc also <@U87DZN4MT>.

ok that was the main question I had after reading the faqs

Makes sense - we'll add a note on that to the FAQ.

ok that helps me understand the situation much better now, thanks for your help :+1: