Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
a
agreeable-king-2755
03/30/2022, 3:38 PMHow does Pulumi's secrets encryption work? Which protocols, hashing algos, key sizes, etc are used
b
billowy-army-68599
03/30/2022, 3:40 PMHi @agreeable-king-2755, I assume you mean for the pulumi service?
a
agreeable-king-2755
03/30/2022, 3:40 PMyes
b
billowy-army-68599
03/30/2022, 3:43 PMwe use AES256GCM to encrypt values with the stack-specific key.
It uses AWS KMS behind the scenes.
If you need more information, we have a security whitepaper we can share, but you'd need to engage with an account executive
a
agreeable-king-2755
03/30/2022, 3:47 PMthanks. So I guess it is OK to put Pulumi.*.yaml in public source control , if it has hashed secrets?
thanks very much for the reply
b
billowy-army-68599
03/30/2022, 3:48 PMit is indeed, I do it myself 🙂 if you want extra control, you can always init the stack with your own KMS key
pulumi stack init <awskms://key>a
agreeable-king-2755
03/30/2022, 3:49 PMnice one, thanks 👍