Where can I find the specifications of the built-i...
# general
Where can I find the specifications of the built-in secret encryption for Pulumi? I'd like to know the algorithm and key size
For the passphrase based cryptography, I can point you here: https://github.com/pulumi/pulumi/blob/5528cde977ff1006895ad1a56b089a3ff43a3d90/sdk/go/common/resource/config/crypt.go#L151-L158 https://github.com/pulumi/pulumi/blob/5528cde977ff1006895ad1a56b089a3ff43a3d90/sdk/go/common/resource/config/crypt.go#L168 The key derivation function is
with 1 million rounds and a per-environment salt. This function is provided by the official golang package golang.org/x/crypto/pbkdf2 The encryption algorithm is AES256GCM, which was created using
. The nonce is randomly generated via
& as @few-wolf-27303 pointed you to, for different providers we may use different algorithms, such as RSA-OEAP-256 for azure key vault. For each of the backend services, you'll need to refer to their documentation. For the Pulumi Service's cryptography, I can refer you to our internal folks as I'm not sure what we disclose there.
I'm looking for the details of the default (non-password) cryptography that Pulumi provides, the first link appears to relate to non-default secret providers.
Got it, yeah, let me see if I can provide you some info. Are you asking on behalf of a current or prospective business customer?
Ah, it looks like we've published our whitepaper as a link on our security page: https://www.pulumi.com/security/ & https://www.pulumi.com/security/pulumi-cloud-security-whitepaper.pdf
Various Pulumi editions offer configurable secrets management options. By default, the Pulumi-hosted backend (app.pulumi.com) manages per-stack AWS KMS-based encryption keys on the server. All secrets are sent over HTTPS to app.pulumi.com, and the backend uses AES256GCM to encrypt values with the stack-specific key.