No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi <@U012NSFQTDW> 

That passphrase file doesn’t take its account any security measures so we suggest to not check that into source control!!!

If you create a secrets provider with the gcp or kms providers that updates the stack yaml then that is safe to check in to source control 

thanks for the answer!
So if we would store with GCP KMS you think it's fine to save ciphertext in git?

Although this is not specific question to pulumi but more to personal preference or the companies security audit.

If anyone interested, pulumi has nice docs[1] about it. Yet, I can't find what kind of encryption it is using as default, I assume AES 256?

[1] <https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption>

So we actually delegate to google/go-cloud for this - <https://github.com/pulumi/pulumi/blob/master/pkg/secrets/cloud/manager.go#L56>