This message was deleted.
# generals
sparse-intern-71089
05/23/2022, 8:19 PMThis message was deleted.
f
few-wolf-27303
05/23/2022, 8:42 PMThis is the code where that is configured in Go: https://github.com/pulumi/pulumi/blob/d320d68014c78c0bd13cdd1b4a1c73059fbd9adb/pkg/cmd/pulumi/util.go#L195
o
orange-policeman-59119
05/23/2022, 8:42 PMFor the passphrase based cryptography, I can point you here:
https://github.com/pulumi/pulumi/blob/5528cde977ff1006895ad1a56b089a3ff43a3d90/sdk/go/common/resource/config/crypt.go#L151-L158
https://github.com/pulumi/pulumi/blob/5528cde977ff1006895ad1a56b089a3ff43a3d90/sdk/go/common/resource/config/crypt.go#L168
The key derivation function is
pbkdf2crypto/aescrypto/ciphercryptorand.Readorange-policeman-59119
05/23/2022, 8:46 PM& as @few-wolf-27303 pointed you to, for different providers we may use different algorithms, such as RSA-OEAP-256 for azure key vault. For each of the backend services, you'll need to refer to their documentation.
For the Pulumi Service's cryptography, I can refer you to our internal folks as I'm not sure what we disclose there.
f
faint-balloon-33174
05/23/2022, 8:49 PMI'm looking for the details of the default (non-password) cryptography that Pulumi provides, the first link appears to relate to non-default secret providers.
o
orange-policeman-59119
05/23/2022, 8:50 PMGot it, yeah, let me see if I can provide you some info. Are you asking on behalf of a current or prospective business customer?
orange-policeman-59119
05/23/2022, 8:53 PMAh, it looks like we've published our whitepaper as a link on our security page:
https://www.pulumi.com/security/
& https://www.pulumi.com/security/pulumi-cloud-security-whitepaper.pdf
Various Pulumi editions offer configurable secrets management options. By default, the Pulumi-hosted backend (app.pulumi.com) manages per-stack AWS KMS-based encryption keys on the server. All secrets are sent over HTTPS to app.pulumi.com, and the backend uses AES256GCM to encrypt values with the stack-specific key.
9 Views