https://pulumi.com
Join Slack
This message was deleted.
# general
s
This message was deleted.
f
o
For the passphrase based cryptography, I can point you here: https://github.com/pulumi/pulumi/blob/5528cde977ff1006895ad1a56b089a3ff43a3d90/sdk/go/common/resource/config/crypt.go#L151-L158 https://github.com/pulumi/pulumi/blob/5528cde977ff1006895ad1a56b089a3ff43a3d90/sdk/go/common/resource/config/crypt.go#L168 The key derivation function is 
pbkdf2
with 1 million rounds and a per-environment salt. This function is provided by the official golang package golang.org/x/crypto/pbkdf2 The encryption algorithm is AES256GCM, which was created using 
crypto/aes
and 
crypto/cipher
. The nonce is randomly generated via 
cryptorand.Read
& as @few-wolf-27303 pointed you to, for different providers we may use different algorithms, such as RSA-OEAP-256 for azure key vault. For each of the backend services, you'll need to refer to their documentation. For the Pulumi Service's cryptography, I can refer you to our internal folks as I'm not sure what we disclose there.
f
I'm looking for the details of the default (non-password) cryptography that Pulumi provides, the first link appears to relate to non-default secret providers.
o
Got it, yeah, let me see if I can provide you some info. Are you asking on behalf of a current or prospective business customer?
Ah, it looks like we've published our whitepaper as a link on our security page: https://www.pulumi.com/security/ & https://www.pulumi.com/security/pulumi-cloud-security-whitepaper.pdf
Various Pulumi editions offer configurable secrets management options. By default, the Pulumi-hosted backend (app.pulumi.com) manages per-stack AWS KMS-based encryption keys on the server. All secrets are sent over HTTPS to app.pulumi.com, and the backend uses AES256GCM to encrypt values with the stack-specific key.
9 Views
Open in Slack
PreviousNext
Powered by

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Powered by