Is it possible to run pulumi locally comparable to...
# general
b
Is it possible to run pulumi locally comparable to terraform? I don't want to use a SaaS for storing sensitive state.
p
l
@bumpy-bear-61087 don't hesitate to use the hosted platform to store your state, even secrets, but take control over how to encrypt sensitive data using Encryption Providers. https://www.pulumi.com/docs/intro/concepts/secrets/
I say this because there are still numerous problems with self-managed state backends: https://github.com/pulumi/pulumi/issues/4605
So save yourself some time fighting over bugs or inconsistencies, use the hosted platform (no, I don't get paid to say this) but configure your own encryption provider.
p
@limited-rainbow-51650 you seem to be quite experienced with this one so I’m gonna ask (I was about to check it myself but I haven’t got any time to do this): when you use a custom encryption provider (like KMS or Vault), does it mean that:
• all the passwords are stored there, OR
• passwords are still stored (encrypted) in Pulumi Service but the encryption key is provided by the encryption provider
l
@prehistoric-activity-61023 the latter one: encrypted data is stored in Pulumi Service, but you own the encryption key, not Pulumi Corp.
p
that’s what I thought (since the name “encryption provider” and not “secret storage provider” for example)
l
Out of curiosity: is that still a problem for you?
p
not for me really (right now, we’re using Pulumi Service for encryption as well)
but once we had a discussion on this Slack where the company policy forbids storing (encrypted) passwords outside of the company managed resources (even if encryption key is provided)
l
I understand. Although not strictly forbidden due to this split, we try to limit it as much as possible.
b
I would love to hear feedback about how we could make this more palatable to infosec orgs.
p
I wish I could help but I haven’t worked with such restrictions yet. I think most people are happy with Pulumi Service. Providing your own encryption key should be more than enough for the rest. If your company requires everything to be hosted by you… you probably should have the Enterprise version of pulumi deployed on-premise (it’s supported, isn’t it?).
b
To be fair using the GCS backend seems to do what I want 👍 Or will that still use the SaaS?
b
it won't use the SaaS no