orange-policeman-5911901/27/2019, 12:34 AM
CLI - the default pulumi.com backend (which manages state and secrets at pulumi.com), and an optional local backend (which manages state and secrets locally on the developer machine).
The pulumi.com backend manages keys on the server (currently using AWS KMS), with per-stack encryption keys. Config secrets are sent in plain text (over HTTPS) to the pulumi.com backend. On the backend, we currently use AES256GCM to encrypt values with the stack key.
The local backend manages keys on the client machine using a passphrase + salt. This also uses AES256GCM, but with a key derived using pbkdf2 from the passphrase provided on each invocation of the
CLI (or from environment variable).
You can see the core implementation of these at https://github.com/pulumi/pulumi/blob/dee2c37d9d053ff6b9291e2256308925a386bdef/cmd/new.go#L772-L782 (and in the implementations of the two functions referenced there for each of the two backends).
In terms of upcoming changes:
* In the very near term, we will add the ability to use a local-passphase encryption option even when using pulumi.com for state storage. This will decouple the choice of using pulumi.com to manage state and to manage encryption. See https://github.com/pulumi/pulumi/issues/1867.
* In the slightly further (but still near) term, we will be adding the ability to use a pluggable secret store - so that the acquisition of secret values can be done entirely outside of Pulumi - for example, secrets stored in AWS Secrets Manager could be used as a source of values for a config setting, and the client machine would make calls to Secrets Manager when it needed to access the values for use in doing a deployment (using the AWS role/credentials provided for deployment on the local machine as normal). See https://github.com/pulumi/pulumi/issues/1547.
orange-policeman-5911901/31/2019, 7:28 PM
orange-policeman-5911902/01/2019, 9:11 PM