Pulumi offers a comprehensive system for managing secrets within application configurations, addressing the critical need to secure sensitive information like passwords and API keys. By default, Pulumi encrypts secrets using a per-stack encryption key managed by the Pulumi Service, but it also supports multiple providers for those who prefer to manage their keys independently, such as AWS KMS, Azure Key Vault, and HashiCorp Vault. Users can configure secrets using simple command-line tools and APIs, with options to set secrets directly or use external storage solutions like S3 or Azure Blob Storage. For enhanced security and compliance, Pulumi allows users to switch between encryption providers and even manage their own encryption keys entirely. The flexibility and security of Pulumi's approach make it a robust option for infrastructure configuration management, offering both ease of use and the ability to meet specific organizational security requirements.