Pulumi has introduced enhanced features for managing secrets with its latest 0.17.12 release, focusing on providing users with greater control over encryption within Pulumi deployments. The release includes automatic tracking of secret values throughout a Pulumi program to ensure they remain encrypted in the state file, regardless of usage, as well as a new option for custom client-side encryption, allowing users to manage their encryption keys independently of the Pulumi backend. These advancements address concerns from users who seek more control over encryption and security compliance, enabling them to use Pulumi's cloud infrastructure management with increased confidence. Pulumi allows secrets to be handled securely through its Output<T> feature, which marks data as secret, ensuring its encryption and preventing leaks. The introduction of passphrase-based encryption gives users further flexibility by allowing them to encrypt secrets locally, using a derived key, rather than relying on Pulumi's managed keys, with future plans to support AWS KMS, Azure KeyVault, and GCP KMS for encryption.