Hi all - QQ: when running pulumi locally, and addi...
# general
b
Hi all - QQ: when running pulumi locally, and adding secrets to my `Pulumi.stack.yaml` config, what key/phrase/secret is it using to encrypt the values in the yaml file? I have looked through `~/.config/pulumi` and I can't find anything that resembles a secret... would it be somewhere else on disk? is it a default? Thanks!
b
are you using the pulumi cloud backend or something else?
b
right now I am doing `pulumi up` from the cli, so I assumed it was on disk, but yes, to your point, it is connected up to pulumi cloud but not using deployments or anything else
b
pulumi cloud handles the encryption for you. if you want to bring your own encryption, you can. use `pulumi stack change-secrets-provider` and you can use a passphrase or cloud KMS key, like AWS KMS
b
cool, thank you. So I can answer my security team correctly tho, is there a place I can go in pulumi cloud and rotate a key? I am fine with pulumi cloud handling the encryption, I just need to know some specifics about it. I assume I can find that in the docs somewhere, so I'll take a look
b
the key is fully managed by Pulumi, so you can’t change it or rotate it manually, no. if you need that capability, I’d recommend using your own keys
b
very good, thanks for the info!