Fix secrets docs: encryption uses a per-value nonce, not salt

[iwahbe]

Summary

The secrets handling docs described the per-value component of AES-256-GCM encryption as a "salt" when it is actually a "nonce" (number used once). These are distinct cryptographic concepts:

• A salt is used in key derivation functions (like PBKDF2) to ensure the same password produces different keys.
• A nonce (number used once) is a unique value generated per encryption operation in authenticated encryption modes like AES-256-GCM.

The source code is explicit that this is a nonce:

• crypt.go#L157-L158: "The nonce is stored with the value itself as a pair of base64 values separated by a colon"
• crypt.go#L231-L248: The encryptAES256GCGM function generates a random 12-byte nonce per value and returns it alongside the ciphertext.

[claude]

Docs Review

Scope: content/docs/iac/concepts/secrets/_index.md (1 line changed)

Result: No issues found. This is a clean, accurate terminology fix.

The change correctly replaces "salt" with "nonce" on line 202. AES-256-GCM uses a per-value nonce (number used once), not a salt — the PR description provides solid source code references confirming this. The internal link to #configuring-secrets-encryption resolves correctly (line 450). No style, spelling, or formatting issues.

---

If you'd like additional reviews or fixes, mention @claude in a comment.

[pulumi-bot]

Your site preview for commit bff7c06 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-18523-bff7c069.s3-website.us-west-2.amazonaws.com

[claude]

Docs Review

Scope: Single-line terminology fix in content/docs/iac/concepts/secrets/_index.md (line 202).

Summary

Approved as a precise, well-sourced correction. The change from "per-value salt" to "per-value nonce" accurately reflects the cryptographic mechanism — AES-256-GCM uses a per-encryption nonce, not a salt. The PR description cites the Pulumi source (crypt.go#L157-L158 and encryptAES256GCGM at L231-L248) confirming a random 12-byte nonce is generated per value.

The two concepts are distinct and the prior wording was technically incorrect:

• Salt: input to key derivation (e.g., PBKDF2) to diversify keys derived from the same password.
• Nonce: unique per-operation input to authenticated encryption (AES-GCM) to ensure ciphertext/tag uniqueness.

Consistency check

I searched the surrounding docs for other occurrences that might need the same fix:

• No other "per-value salt" / "per-stack salt" wording exists in content/.
• encryptionSalt at content/docs/iac/concepts/secrets/_index.md:592 is intentionally left untouched — that refers to the passphrase provider's PBKDF2 salt, which genuinely is a salt. Correctly not changed.

Style

• Sentence-case heading, markdown conventions, and trailing newline unaffected (single-line edit).
• No link, frontmatter, or cross-reference changes needed.

Nit (optional, non-blocking)

For readers unfamiliar with the term, you could consider parenthetically glossing "nonce" the first time it appears — e.g., "a per-value nonce (a number used once)". Purely optional; the linked "Configuring Secrets Encryption" section already provides the deeper context.

LGTM. Mention @claude if you'd like another pass or want the nonce gloss added.