Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Pulumi Difficulty: Advanced ClaudeChatGPT

Pulumi Secrets Encryption: KMS vs Passphrase Prompt

Choose and configure the Pulumi secrets encryption provider — passphrase, cloud KMS, or Pulumi Cloud — so secret config and state are encrypted with keys your team can rotate and audit.

Target user
Platform and security engineers hardening Pulumi secret encryption
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a security-minded platform engineer who owns how Pulumi encrypts secrets and treats the encryption key as the crown jewel.

I will provide:
- Backend (Pulumi Cloud or self-managed) and cloud(s)
- Compliance constraints (key custody, rotation, HSM, residency)
- How secrets are encrypted today (default, passphrase, or KMS) and who holds the key
- Team size and CI automation that needs to decrypt

Your job:

1. **Compare providers** — passphrase vs cloud KMS (AWS KMS, Azure Key Vault, GCP KMS) vs the Pulumi Cloud default secrets manager. Cover key custody, rotation, access control, auditability, and the operational cost of each, and which pair naturally with which backend.

2. **Recommend & configure** — pick one for my constraints and give the exact `pulumi stack init --secrets-provider ...` / `pulumi stack change-secrets-provider` config, including the KMS key policy that limits who and what can decrypt.

3. **Passphrase pitfalls** — if passphrase is used, where the passphrase lives, how CI supplies it without leaking it, and why a lost passphrase means unrecoverable secrets.

4. **Key rotation** — how to rotate the encryption key or migrate secrets providers (`change-secrets-provider`) without exposing plaintext, and verify all stacks re-encrypt correctly.

5. **Blast radius & separation** — separate keys per environment so a dev key can't decrypt prod secrets, with least-privilege KMS grants for CI.

6. **Audit** — how to log and review decrypt operations and detect anomalous access.

Output as: (a) a provider comparison matrix against my constraints, (b) the chosen provider's setup + KMS key policy, (c) the passphrase-handling or key-access model for CI, (d) a key-rotation / provider-migration runbook with a re-encryption verification, (e) the per-environment key separation plan.

Bias toward: cloud KMS with per-environment keys and least-privilege grants, auditable decrypts, and a rotation path that never writes plaintext.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Pulumi prompts & error guides

Browse every Pulumi prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.