This message was deleted.

check this: https://www.pulumi.com/docs/intro/concepts/state/#logging-into-the-local-filesystem-backend

@bumpy-bear-61087 don't hesitate to use the hosted platform to store your state, even secrets, but take control over how to encrypt sensitive data using Encryption Providers. https://www.pulumi.com/docs/intro/concepts/secrets/

@limited-rainbow-51650 you seem to be quite experienced with this one so I’m gonna ask (I was about to check it myself but I haven’t got any time to do this): when you use custom encryption provider (like KMS or Vault), does it mean that: • all the password are stored there OR • password are still stored (encrypted) in Pulumi Service but the encryption key is provided by encryption provider

@prehistoric-activity-61023 the latter one: encrypted data is stored in Pulumi Service, but you own the encryption key, not Pulumi Corp.

that’s what I thought (since the name “encryption provider” and not “secret storage provider” for example)

Out of curiosity: is that still a problem for you?

not for me really (right now, we’re using Pulumi Service for encryption as well)

I understand. Although not strictly forbidden due to this split, we try to limit it as much as possible.

I would love to hear feedback about how we could make this more palatable to infosec orgs.

I wish I could help but I haven’t worked with such restrictions yet. I think most people are happy with Pulumi Service. Providing your own encryption key should be more than enough for the rest. If your company requires everything to be hosted by you… you probably should have Enteprise version of pulumi deployed on-premise (it’s supported, isn’t it?).

To be fair using the GCS backend seems to do what I want 👍 Or will that still use the SaaS?

it won't use the SaaS no