Hello 👋 I've been using pulumi successfully on my mac. I have PULUMI_CONFIG_PASSPHRASE_FILE properly configured. I have now decided to move the code for execution in the cloud. I do not use the pulumi cloud. I am attempting to init pulumi on the remote instance. I set PULUMI_CONFIG_PASSPHRASE_FILE to a file containing a new password. I ran the following on a virgin al2023 ec2 curl -fsSL https://get.pulumi.com | sh pulumi login --local Logged in to inanna as jenova (file://~) pulumi stack init prod Created stack 'prod' pulumi stack init dev error: could not create secrets manager for new stack: incorrect passphrase That's weird, I wonder what hash pulumi is comparing my new password with? I do have a cloud account, but it's completely empty. Huh? So I put the pw in PULUMI_CONFIG_PASSPHRASE_FILE from my mac into PULUMI_CONFIG_PASSPHRASE_FILE on the remote: cmd❯ pulumi stack init dev Created stack 'dev' How is this even possible? Honestly, I don't really care, what I do care about is I overwrite the new 64 hash pw I used to create prod, and now that's locked unable to be accessed with my old pw. pulumi stack rm prod error: no stack named 'prod' found pulumi stack init prod error: could not create secrets manager for new stack: incorrect passphrase Where is my pw sha (hopefully) being stored such that pulumi cli can tell me I'm using the wrong pw?

Where is my pw sha (hopefully) being stored such that pulumi cli can tell me I'm using the wrong pw?

Its part of the stack configuration, the "Pulumi.dev.yaml" file. There's a "encryptionsalt" field in that file which tells the engine what salt to use with the passphrase. If you loose it then you loose access to all the secrets. What I suspect you did here is switched to the new machine and didn't copy the stack files across so it tried to regen a new salt but that then couldn't decrypt the markers in the state file.

Thank you Fraser, my mistake for overlooking those files.