pulumi/pulumi-tls

tls.PrivateKey not encrypted

brandonkal opened this issue · 3 comments

I know this is the same with Terraform, but having Pulumi use the stack's encryption would provide some extra security, even if it is a shared passphrase.

In other words, I would suggest the effect of this be the default.

import * as tls from '@pulumi/tls'

export const cert = new tls.PrivateKey(
  'cert',
  {
    algorithm: 'ECDSA',
    ecdsaCurve: 'P256',
  },
  {
    additionalSecretOutputs: ['privateKeyPem'],
  }
)

I would like to use something like Bitnami Sealed Secrets for this so that the encryption is effectively one-way on the developer machine. That would require somehow using just the provider and passing that to a command before saving it.

> In other words, I would suggest the effect of this be the default.

This is tracked by pulumi/pulumi-terraform-bridge#10.

> I would like to use something like Bitnami Sealed Secrets for this so that the encryption is effectively one-way on the developer machine. That would require somehow using just the provider and passing that to a command before saving it.

Can you elaborate on this a bit more?

Sure. I would like the option to use public/private crypto rather than effectively a shared passphrase. So a developer could encrypt a secret but then could not decrypt it.

Like how one cannot retrieve an app specific password from an email client after entering it.

Sealed Secrets handle this for k8s. But to make it seamless, pulumi would provide an API to detect and then use the generated secret created with the same name when a sealed secret is created (and thus decrypted by k8s).

Going to close this out, we do encrypt this by default now

     Type                     Name                     Status
 +   pulumi:pulumi:Stack      test-tls-privatekey-dev  created
 +   └─ tls:index:PrivateKey  cert                     created

Outputs:
    cert: {
        algorithm                 : "ECDSA"
        ecdsaCurve                : "P256"
        id                        : "37babe450b9038dd3722cae6d7528ff0e0133285"
        privateKeyOpenssh         : "[secret]"
        privateKeyPem             : "[secret]"
        publicKeyFingerprintMd5   : "72:68:86:5d:10:eb:32:a3:c6:04:45:fc:b3:de:e3:19"
        publicKeyFingerprintSha256: "SHA256:LN1Go/MedU0JbbSjCXynR70inRgDanV3gl8M83O1e5c"
        publicKeyOpenssh          : "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDADfkEIqFDLilF/oOcbY2zNV/uiFrLd24UXhRBXt3yhHkEqgdUHEaNq3asLqDpuzYRxlDop5ZiZ+pIWdBaI9OA=\n"
        publicKeyPem              : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMAN+QQioUMuKUX+g5xtjbM1X+6IW\nst3bhReFEFe3fKEeQSqB1QcRo2rdqwuoOm7NhHGUOinlmJn6khZ0Foj04A==\n-----END PUBLIC KEY-----\n"
        rsaBits                   : 2048
        urn                       : "urn:pulumi:dev::test-tls-privatekey::tls:index/privateKey:PrivateKey::cert"
    }

Resources:
    + 2 created

Duration: 6s
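The output above shows `privateKeyPem` and `privateKeyOpenssh` as `[secret]` for a freshly created resource, but stacks created before the change may still carry the key in the clear. The following check is an added example, not code from the issue or the pulumi-tls project: it walks the JSON from `pulumi stack export` and reports any string value carrying a PEM private-key header. It assumes (as an assumption, not something this issue states) that an encrypted secret appears in the export as an object with a `ciphertext` field, and the sample state it ships with is constructed.

```python
import json
import re
import sys

# Header of any PEM-encoded private key (EC, RSA, OPENSSH, PKCS#8 "PRIVATE KEY").
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_plaintext_private_keys(state: dict) -> list[str]:
    """Return paths of private keys stored in the clear in an exported stack.

    Assumption: an encrypted secret is an object with a "ciphertext" field, so
    such objects are skipped; a bare string with a PEM private-key header is a hit.
    """
    findings: list[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            if isinstance(node.get("ciphertext"), str):
                return  # encrypted by the stack's secrets provider
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and PEM_PRIVATE_KEY.search(node):
            findings.append(path)

    walk(state, "$")
    return findings


# Constructed sample of `pulumi stack export` output, not real state: "old" was
# created before privateKeyPem was secret by default, "cert" after.
PUBLIC = "-----BEGIN PUBLIC KEY-----\nEXAMPLE\n-----END PUBLIC KEY-----\n"
SAMPLE_STATE = {"deployment": {"resources": [
    {"urn": "urn:pulumi:dev::demo::tls:index/privateKey:PrivateKey::old",
     "outputs": {"privateKeyPem": "-----BEGIN EC PRIVATE KEY-----\nEXAMPLE\n"
                                  "-----END EC PRIVATE KEY-----\n",
                 "publicKeyPem": PUBLIC}},
    {"urn": "urn:pulumi:dev::demo::tls:index/privateKey:PrivateKey::cert",
     "outputs": {"privateKeyPem": {"ciphertext": "v1:EXAMPLE-CIPHERTEXT"},
                 "publicKeyPem": PUBLIC}},
]}}

if __name__ == "__main__":
    # Usage: pulumi stack export | python check_state.py  (falls back to the sample)
    state = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STATE
    for path in find_plaintext_private_keys(state):
        print(f"plaintext private key at {path}")
```

A hit on a resource created before the change means the key should be rotated, not just re-marked as secret, because the plaintext already sits in every copy of the state file.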