How does Pulumi's secrets encryption work? Which protocols, hashing algos, key sizes, etc are used

Hi @agreeable-king-2755, I assume you mean for the pulumi service?

yes

we use AES256GCM to encrypt values with the stack-specific key. It uses AWS KMS behind the scenes. If you need more information, we have a security whitepaper we can share, but you'd need to engage with an account executive

thanks. So I guess it is OK to put Pulumi.*.yaml in public source control , if it has hashed secrets?

it is indeed, I do it myself 🙂 if you want extra control, you can always init the stack with your own KMS key

pulumi stack init <awskms://key>

nice one, thanks 👍