Tags: pattern, bash, pulumi, Major
Pulumi secrets are encrypted in stack state, unlike Terraform outputs
Keywords: pulumi secrets, config set secret, pulumi.secret(), encryption, stack config, KMS, passphrase backend
Runtime: nodejs
Problem
Storing secrets (database passwords, API keys) as plain Pulumi config values saves them unencrypted in Pulumi.<stack>.yaml. Reading sensitive resource outputs (such as a generated password) stores them unencrypted in state, similar to Terraform.

Solution

Mark secret config values with the --secret flag so they are encrypted in the stack config file. Use pulumi.secret() to mark outputs as sensitive so Pulumi encrypts them in state.

```bash
# Set a secret config value (encrypted in Pulumi.<stack>.yaml)
pulumi config set --secret dbPassword "s3cr3t!"
```

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as random from "@pulumi/random";

const config = new pulumi.Config();

// Access the secret — the value is a pulumi.Output<string>, never a plain string
const dbPassword = config.requireSecret("dbPassword");

// Generate a password; RandomPassword.result is already a secret output
const generatedPassword = new random.RandomPassword("db-pass", {
    length: 24,
    special: true,
});

// pulumi.secret() marks any output as secret so it is encrypted in state
// and redacted in CLI output
export const dbPasswordOut = pulumi.secret(generatedPassword.result);
```

Why
Pulumi uses the stack's encryption provider (Pulumi Service, AWS KMS, or a passphrase) to encrypt secret values in both state and config. This is a built-in security model, unlike Terraform, which requires an external Vault integration for secrets.
Gotchas

- Secrets encrypted with the Pulumi Service key are not accessible if you migrate to a self-managed backend without re-encrypting
- `pulumi config get dbPassword` returns the plaintext; only the stored representation is encrypted
- Use the PULUMI_CONFIG_PASSPHRASE environment variable for CI with the passphrase backend
- Output values marked with pulumi.secret() are redacted in `pulumi up` output
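As an added example that is not part of the original card, here is a small POSIX shell check a reviewer or CI job could run over Pulumi.<stack>.yaml to catch the Problem above and the "only the stored representation is encrypted" gotcha: it lists config keys whose names look sensitive but are stored as inline plaintext rather than under a `secure:` key (the form that `pulumi config set --secret` writes). The sample configs, the project name `myproj`, the key names and the placeholder ciphertexts are constructed; the list of sensitive-looking name fragments is a heuristic you would tune for your own naming conventions.

```shell
#!/bin/sh
# Scan a Pulumi stack config file for secret-looking keys stored in plaintext.
# Pulumi writes an encrypted config value as a nested "secure: <ciphertext>"
# mapping; an inline scalar value is stored unencrypted.

# Constructed sample: one plaintext value that should have been --secret.
# Ciphertexts are placeholders, not real Pulumi output.
SAMPLE_CONFIG='encryptionsalt: v1:PLACEHOLDER_SALT
config:
  myproj:region: us-east-1
  myproj:dbPassword:
    secure: v1:PLACEHOLDER_CIPHERTEXT_1
  myproj:apiToken: abc123-plaintext
  myproj:adminSecret:
    secure: v1:PLACEHOLDER_CIPHERTEXT_2'

# Constructed sample: every sensitive key is encrypted.
SAMPLE_CLEAN='encryptionsalt: v1:PLACEHOLDER_SALT
config:
  myproj:region: us-east-1
  myproj:dbPassword:
    secure: v1:PLACEHOLDER_CIPHERTEXT_1'

# find_plaintext_secrets [file]  (reads stdin when no file is given)
# Prints each sensitive-looking key whose value is not a "secure:" mapping.
# Exit status: 1 if any such key was found, 0 otherwise.
find_plaintext_secrets() {
  awk '
    BEGIN {
      # heuristic name fragments, matched case-insensitively against the key
      sensitive = "password|passwd|secret|token|apikey|privatekey|credential"
      found = 0
    }
    # the top-level "config:" key opens the block we care about
    /^config:/ { inconfig = 1; next }
    # any other top-level key (encryptionsalt, secretsprovider, ...) closes it
    /^[^ ]/ { inconfig = 0 }
    # a config key at two-space indent: "ns:name: value" (inline scalar)
    # or "ns:name:" (value on the following, deeper-indented lines)
    inconfig && /^  [^ ]/ {
      line = substr($0, 3)
      if (line ~ /:[ ]*$/) {
        sub(/:[ ]*$/, "", line)
        pending = line
        next
      }
      n = index(line, ": ")
      key = substr(line, 1, n - 1)
      if (tolower(key) ~ sensitive) { print key; found = 1 }
      next
    }
    # nested "secure: <ciphertext>" is the encrypted form: nothing to report
    inconfig && pending != "" && /^    secure:/ { pending = ""; next }
    # any other nested form (a plain YAML mapping or list) is plaintext
    inconfig && pending != "" && /^    / {
      if (tolower(pending) ~ sensitive) { print pending; found = 1 }
      pending = ""
      next
    }
    END { exit found ? 1 : 0 }
  ' "$@"
}

# Constructed usage: scan the sample from stdin; a real run would pass the
# path to Pulumi.<stack>.yaml instead.
if printf '%s\n' "$SAMPLE_CONFIG" | find_plaintext_secrets; then
  echo "no plaintext secret-looking config keys"
else
  echo "the keys above are stored unencrypted; re-set them with: pulumi config set --secret <key> <value>"
fi
```

The check only reads the stack file, so it needs no backend access or passphrase; it is meant to run as a pre-commit hook or CI step so a plaintext value never reaches version control. It reports key names only and never prints the offending values.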
Context
Managing sensitive configuration values in Pulumi stacks