# pulumi-cloud
s
This message was deleted.
f
Could a Pulumi employee comment on this? Thanks.
b
Hi Chris, sorry I missed this. For questions like this, it's better to email support@pulumi.com - I don't have an answer offhand as I don't have production access. We have security whitepapers and other information we can share via your account executive.
f
@billowy-army-68599 OK, sounds good; thanks for the pointer!
Just to close the loop, in case others with the same question come across this thread in the future, here is the reply from Support:
Pulumi engineers carrying out on call shifts have access to the production environment that contains KMS keys used to encrypt secrets. Access to this environment is tracked and audited.
l
The full response:
Pulumi engineers carrying out on call shifts have access to the production environment that contains KMS keys used to encrypt secrets. Access to this environment is tracked and audited. You can use an alternative encryption provider with the Pulumi Service and manage the keys yourself. In this case, your encryption keys are fully managed by you and never stored within Pulumi production environments. See: https://www.pulumi.com/docs/intro/concepts/secrets/#initializing-a-stack-with-alternative-encryption