sparse-intern-71089
05/23/2022, 8:19 PMfew-wolf-27303
05/23/2022, 8:42 PMorange-policeman-59119
05/23/2022, 8:42 PMpbkdf2
with 1 million rounds and a per-environment salt. This function is provided by the official golang package golang.org/x/crypto/pbkdf2
The encryption algorithm is AES256GCM, which was created using crypto/aes
and crypto/cipher
. The nonce is randomly generated via cryptorand.Read
orange-policeman-59119
05/23/2022, 8:46 PMfaint-balloon-33174
05/23/2022, 8:49 PMorange-policeman-59119
05/23/2022, 8:50 PMorange-policeman-59119
05/23/2022, 8:53 PMVarious Pulumi editions offer configurable secrets management options. By default, the Pulumi-hosted backend (app.pulumi.com) manages per-stack AWS KMS-based encryption keys on the server. All secrets are sent over HTTPS to app.pulumi.com, and the backend uses AES256GCM to encrypt values with the stack-specific key.