
bland-lamp-16797

04/07/2021, 9:52 AM
If I store the password using PULUMI_CONFIG_PASSPHRASE_FILE, how safe would it be to store the ciphertext publicly? I didn't look at the code/docs; which encryption does it use? This question also applies if I store it with KMS (GCP/AWS).

broad-dog-22463

04/07/2021, 10:29 AM
Hi @bland-lamp-16797 That passphrase file doesn't take into account any security measures, so we suggest not checking that into source control!!! If you create a secrets provider with the GCP or KMS providers, that updates the stack YAML, and then that is safe to check in to source control.

bland-lamp-16797

04/07/2021, 1:16 PM
Thanks for the answer! So if we were to store it with GCP KMS, you think it's fine to save the ciphertext in git? Although this is not a question specific to Pulumi but more one of personal preference or the company's security audit. If anyone is interested, Pulumi has nice docs[1] about it. Yet I can't find what kind of encryption it is using by default; I assume AES-256? [1] https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption

broad-dog-22463

04/07/2021, 1:31 PM
So we actually delegate to google/go-cloud for this: https://github.com/pulumi/pulumi/blob/master/pkg/secrets/cloud/manager.go#L56