# general
s
This message was deleted.
w
Currently yes. We blank it out in the update progress output, but it will get stored into the checkpoint if used directly as an input to a resource, and so will be visible in contexts where you see the checkpoint file. We're considering options for a first-class notion of Secret value that can flow through a program and be encrypted even in locations it gets serialized (checkpoints or runtime functions). See https://github.com/pulumi/pulumi/issues/397. We also added this to our FAQ recently - see https://pulumi.io/reference/faq.html#are-my-secrets-ever-visible.
i
is the checkpoint stored encrypted by pulumi?
w
Yes - all checkpoint files are encrypted at rest in our backend storage (S3). We will likely go further and encrypt with a per-user key on top of this in the near future. /cc also @bitter-oil-46081.
i
ok that was the main question I had after reading the FAQs
w
Makes sense - we'll add a note on that to the FAQ.
i
ok that helps me understand the situation much better now, thanks for your help 👍