
OpenTofu Encrypted State

Encrypted state is a very exciting feature of OpenTofu that allows you to encrypt your state files at rest, so you can check them into version control without worrying about sensitive data being exposed.

Setup

To use encrypted state you need to set up an `encryption` block inside the `terraform` block of your configuration. This block specifies the key provider and the encryption method to use for state and plan files.

```hcl
terraform {
  encryption {
    key_provider "pbkdf2" "key_provider" {
      passphrase = var.encryption_passphrase
    }

    method "aes_gcm" "method" {
      keys = key_provider.pbkdf2.key_provider
    }

    state {
      method   = method.aes_gcm.method
      enforced = true
    }

    plan {
      method   = method.aes_gcm.method
      enforced = true
    }
  }
}
```

In this example we need to provide the passphrase in our `you.auto.tfvars` file:

```hcl
encryption_passphrase = "my-super-secret-passphrase"
```

or in CI we can provide it as an environment variable:

```bash
export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
```
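Before relying on "safe to check in", it is worth confirming that the state on disk is actually ciphertext: a state written before encryption was switched on can still be sitting in the working tree. The following pre-commit style check is an added example, not code from the original post or from OpenTofu; it assumes the top-level field names I have seen in encrypted OpenTofu state (`encrypted_data`, `encryption_version`, a per-key-provider `meta` entry), so verify them against a state file produced by your own configuration.

```python
import json
import sys
from pathlib import Path

# Assumed on-disk layout (verify against a state file from your own setup):
# an encrypted OpenTofu state carries "encrypted_data" and "encryption_version"
# at the top level; a plaintext state carries "terraform_version", "resources"
# and "outputs", i.e. readable secrets.
ENCRYPTED_KEYS = {"encrypted_data", "encryption_version"}
PLAINTEXT_KEYS = {"terraform_version", "resources", "outputs"}

def classify_state(text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'invalid' for a state file body."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(doc, dict):
        return "invalid"
    keys = set(doc)
    if PLAINTEXT_KEYS & keys:   # any readable section means unencrypted
        return "plaintext"
    if ENCRYPTED_KEYS <= keys:
        return "encrypted"
    return "invalid"

def check_paths(paths):
    """Classify each file on disk; any 'plaintext' verdict is a finding."""
    return {str(p): classify_state(Path(p).read_text()) for p in paths}

# Constructed samples, not real state files.
SAMPLE_ENCRYPTED = json.dumps({
    "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "meta": {"key_provider.pbkdf2.key_provider": "<salt-and-kdf-params>"},
    "encrypted_data": "<base64-ciphertext>",
    "encryption_version": "v0",
})
SAMPLE_PLAINTEXT = json.dumps({
    "terraform_version": "1.7.0",
    "outputs": {"db_password": {"value": "hunter2", "type": "string"}},
    "resources": [],
})

if __name__ == "__main__":
    # Usage: python check_state.py *.tfstate  (exit 1 if any file is plaintext)
    results = check_paths(sys.argv[1:])
    for path, verdict in results.items():
        print(f"{verdict:10} {path}")
    sys.exit(1 if "plaintext" in results.values() else 0)
```

Wire it into a pre-commit hook over `*.tfstate` and `*.tfstate.backup` so a plaintext state never reaches the repository even if someone commits with encryption temporarily disabled.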