If I store password using

PULUMI_CONFIG_PASSPHRASE_FILE

, how safe would be so store ciphertext publicly? Didn't look at code/docs, which encryption does it use? This question also applys if i store it with KMS (gcp/aws)?

Hi @bland-lamp-16797 That passphrase file doesn’t take its account any security measures so we suggest to not check that into source control!!! If you create a secrets provider with the gcp or kms providers that updates the stack yaml then that is safe to check in to source control

thanks for the answer! So if we would store with GCP KMS you think it's fine to save ciphertext in git? Although this is not specific question to pulumi but more to personal preference or the companies security audit. If anyone interested, pulumi has nice docs[1] about it. Yet, I can't find what kind of encryption it is using as default, I assume AES 256? [1] https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption

So we actually delegate to google/go-cloud for this - https://github.com/pulumi/pulumi/blob/master/pkg/secrets/cloud/manager.go#L56