thanks for the answer!
So if we would store with GCP KMS you think it's fine to save ciphertext in git?
Although this is not specific question to pulumi but more to personal preference or the companies security audit.
If anyone interested, pulumi has nice docs[1] about it. Yet, I can't find what kind of encryption it is using as default, I assume AES 256?
[1]
https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption