if i use a secret config as an input does it end up unencrypted in my checkpoint?

Currently yes. We blank it out in the update progress output, but it will get stored into the checkpoint if used directly as an input to a resource, and so will be visible in contexts where you see the checkpoint file. We're considering options for a first-class notion of Secret value that can flow through a program and be encrypted even in locations it gets serialized (checkpoints or runtime functions). See https://github.com/pulumi/pulumi/issues/397. We also added this to our FAQ recently - see https://pulumi.io/reference/faq.html#are-my-secrets-ever-visible.

is the checkpoint stored encrypted by pulumi?

Yes - all checkpoint files are encrypted at rest in our backend storage (S3). We will likely go further and encrypt with a per-user key on top of this in the near future. /cc also @bitter-oil-46081.

ok that was the main question I had after reading the faqs

Makes sense - we'll add a note on that to the FAQ.

ok that helps me understand the situation much better now, thanks for your help 👍