Pulumi: Setting passphase as an environment variable

2 min read | by Jordi Prats

When creating a new pulimi stack you can set a passphase (--secrets-provider) so that both configuration secrets and secrets stored in the state file should be encrypted using a key derived from a passphrase: To be able to use pulumi up you'll have to provide this passphrase. If you don't want to provide it interactively, you can use an environment variable to set it.

Pulumi will read the PULUMI_CONFIG_PASSPHRASE environment variable to get the passphrase, so that you don't have to type your passphrase over and over again. This not only saves time but also ensures consistency and reliability, especially when integrating Pulumi into your continuous integration (CI) pipelines.

PULUMI_CONFIG_PASSPHRASE="Example-Pulumi-Passphase" pulumi up

When you use a passphrase, pulumi will use PBKDF2 (Password-Based Key Derivation Function 2) to derive a 32 byte encryption key, and then use AES-256-GCM (Advanced Encryption Standard with 256-bit key length and Galois/Counter Mode) to encrypt your value (using a random 12 byte nonce per value encrypted).

Posted on 28/08/2023