This builds on Joe's question: In the stack config files, the encryption salt and the secret are both saved in the file like so:

encryptionsalt: v1:xyz==
config:
  my-project:secretConfig:
    secure: v1:DtxM

Doesn't this pose a security challenge? In what other ways can this be done?

My understanding is that it makes it susceptible to a brute force attack. Meaning your secret encoded in the Pulumi.yaml file is only as secure as the passphrase you are using. (Whereas longer is exponentially more difficult to break.) However, Pulumi provides a pluggable secrets model. So if you wish to use a more robust way for securing sensitive data outside of a single passphrase, you can use Azure Key Vault, AWS Key Management Services, and other software to manage the data. https://www.pulumi.com/docs/intro/concepts/config/#configuring-secrets-encryption

Thanks @colossal-beach-47527. I have tried using a KeyVault secrets provider using the command

pulumi stack init dev --secrets-provider="<azurekeyvault://uri-to-the-key>"

But that fails with an error

error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to my-keyvault-uri: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = connectex: A socket operation was attempted to an unreachable network.'

@plain-eye-9759 unfortunately I don’t have any additional information to help you there. Could you please file an issue in github.com/pulumi/pulumi and we can route it to someone on the team who might be able to help troubleshoot the issue? I assume it’s something related to making the network request to Azure… but why that would fail (and with that specific error message) isn’t clear. (Or even what address it is trying to connect to.)