# pulumi-cloud
A question was just raised internally: do Pulumi employees have the ability (or can they be given the ability) to decrypt stack secrets that are encrypted with the default Pulumi Service encryption backend? I was having trouble finding a definitive statement about this in the online documentation (though I may have missed it). I know that we can swap out secrets backends (https://www.pulumi.com/docs/intro/concepts/secrets/#configuring-secrets-encryption) for our projects, but wanted to confirm the situation for the default backend first. Thanks! 🙇
Could a Pulumi employee comment on this? Thanks.
Hi Chris, sorry I missed this. For questions like this, it's better to email support@pulumi.com. I don't have an answer offhand, as I don't have production access. We have security whitepapers and other information we can share via your account executive.
@billowy-army-68599 OK, sounds good; thanks for the pointer!
Just to close the loop, in case others who have the same question come across this thread in the future, here is the reply from Support:
Pulumi engineers carrying out on call shifts have access to the production environment that contains KMS keys used to encrypt secrets. Access to this environment is tracked and audited.
The full response:
Pulumi engineers carrying out on call shifts have access to the production environment that contains KMS keys used to encrypt secrets. Access to this environment is tracked and audited. You can use an alternative encryption provider with the Pulumi Service and manage the keys yourself. In this case, your encryption keys are fully managed by you and never stored within pulumi production environments. See: https://www.pulumi.com/docs/intro/concepts/secrets/#initializing-a-stack-with-alternative-encryption