You can do local state and secrets. Our documentation and support for this is sadly not as good as for the service but improving local support is one of our goals for this quarter.
pulumi login has docs on how to login to use local state, either stored in a file or a s3 or other blob storage.
pulumi stack init has docs on how to configure a stack to use other secrets providers, including just using a given password for symmetric encryption.