How does Pulumi's secrets encryption work? Which protocols, hashing algos, key sizes, etc. are used?
billowy-army-68599
03/30/2022, 3:40 PM
Hi @agreeable-king-2755, I assume you mean for the pulumi service?
agreeable-king-2755
03/30/2022, 3:40 PM
yes
billowy-army-68599
03/30/2022, 3:43 PM
we use AES256GCM to encrypt values with the stack-specific key.
It uses AWS KMS behind the scenes.
If you need more information, we have a security whitepaper we can share, but you'd need to engage with an account executive
agreeable-king-2755
03/30/2022, 3:47 PM
thanks. So I guess it is OK to put Pulumi.*.yaml in public source control, if it has hashed secrets?
thanks very much for the reply
billowy-army-68599
03/30/2022, 3:48 PM
it is indeed, I do it myself 🙂 if you want extra control, you can always init the stack with your own KMS key