agreeable-king-2755

03/30/2022, 3:38 PM
How does Pulumi's secrets encryption work? Which protocols, hashing algos, key sizes, etc. are used?
billowy-army-68599

03/30/2022, 3:40 PM
Hi @agreeable-king-2755, I assume you mean for the pulumi service?
agreeable-king-2755

03/30/2022, 3:40 PM
yes
billowy-army-68599

03/30/2022, 3:43 PM
we use AES256GCM to encrypt values with the stack-specific key. It uses AWS KMS behind the scenes. If you need more information, we have a security whitepaper we can share, but you'd need to engage with an account executive
agreeable-king-2755

03/30/2022, 3:47 PM
thanks. So I guess it is OK to put Pulumi.*.yaml in public source control, if it has hashed secrets?
thanks very much for the reply
billowy-army-68599

03/30/2022, 3:48 PM
it is indeed, I do it myself 🙂 if you want extra control, you can always init the stack with your own KMS key
pulumi stack init <stack-name> --secrets-provider="awskms://<key>"
agreeable-king-2755

03/30/2022, 3:49 PM
nice one, thanks 👍