👋 Hi everyone, I'm new to Pulumi and I am trying to figure out if there is a way to prevent sensitive property values from being saved in the backend state (such as by only storing a cryptographic hash, for example). My use case is that I am trying to setup DigitalOcean droplets in such a way that I can configure them with Ansible without skipping host key checking when connecting to them (

-o StrictHostKeyChecking=no

). One way to achieve this is to generate the Droplet host keys locally on my PC then apply them to the Droplets using the

user_data

droplet property. I could then add the host public keys to the Pulumi stack output and configure Ansible to check the hosts against those public keys when connecting. But, running

pulumi stack export

shows that the original

#cloud-config

file, including the private keys, is being stored in the stack state. Although I understand that the data is encrypted, storing these files is unnecessary and so I would prefer not to store them. Can I tell Pulumi to store the hashes and not the original contents of resource properties? Thank you.

Hey Welcome :) you will be able to use the secret engine built into Pulumi to do this import * as pulumi from "@pulumi/pulumi"; import * as random from "@pulumi/random"; const username = new random.RandomString("my-string", { length: 16, special: true, }, { // RandomString has an output of 'result' where the string actually is stored additionalSecretOutputs: ["result"] }); export const secret = username.result;

Hi, thanks for the response

No that also encrypts in the state as well

Is this two way encryption or is it a one way hash?

2 way as the engine will know how to decrypt it

I can see that this is quite secure

Pulumi have a number of secrets providers