opentofu encryption

.vitepress/config.mts

@@ -142,6 +142,14 @@ export default defineConfig({
           { text: 'Custom Fetch', link: '/nuxt/custom-fetch' },
         ]
       },
+      {
+        text: 'OpenTofu',
+        link: '/opentofu/',
+        collapsed: true,
+        items: [
+          { text: 'Encrypted State', link: '/opentofu/encrypted-state' },
+        ]
+      },
       {
         text: 'Postgres',
         link: '/postgres/',

docs/index.md

@@ -58,6 +58,10 @@ hero:
       text: Nuxt
       link: /nuxt/
 
+    - theme: alt
+      text: OpenTofu
+      link: /opentofu/
+
     - theme: alt
       text: Postgres
       link: /postgres/

docs/opentofu/encrypted-state.md

@@ -0,0 +1,44 @@
+# OpenTofu Encrypted State
+
+Encrypted state is a very exciting feature of OpenTofu that allows you to encrypt your state files at rest, so you can check them into version control without worrying about sensitive data being exposed. 
+
+## Setup
+
+To use encrypted state you need to setup an `encryption` block in your `terraform` configuration. This block specifies the encryption provider and the key to use for encryption.
+
+```hcl
+terraform {
+  encryption {
+    key_provider "pbkdf2" "key_provider" {
+      passphrase = var.encryption_passphrase
+    }
+
+    method "aes_gcm" "method" {
+      keys = key_provider.pbkdf2.key_provider
+    }
+
+    state {
+      method = method.aes_gcm.method
+      enforced = true
+    }
+
+    plan {
+      method = method.aes_gcm.method
+      enforced = true
+    }
+  }
+}
+```
+
+In this example we will need to provide a passphrase in our `you.auto.tfvars` file:
+
+```hcl
+encryption_passphrase = "my-super-secret-passphrase"
+```
+
+or in CI we can run it as an environment variable:
+
+```bash
+export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
+```
+

docs/opentofu/index.md

@@ -0,0 +1,3 @@
+# OpenTofu Snippets and Musings
+
+#### [Encrypted State](./encrypted-state.md)