From 8f601b83d72125667a323e9e4cdebcad812e5050 Mon Sep 17 00:00:00 2001
From: Liam Pietralla
Date: Fri, 27 Mar 2026 08:40:45 +1100
Subject: [PATCH] opentofu encryption

---
 .vitepress/config.mts | 8 ++++++
 docs/index.md | 4 +++
 docs/opentofu/encrypted-state.md | 44 ++++++++++++++++++++++++++++++++
 docs/opentofu/index.md | 3 +++
 4 files changed, 59 insertions(+)
 create mode 100644 docs/opentofu/encrypted-state.md
 create mode 100644 docs/opentofu/index.md

diff --git a/.vitepress/config.mts b/.vitepress/config.mts
index 6db41c8..73d9c71 100644
--- a/.vitepress/config.mts
+++ b/.vitepress/config.mts
@@ -142,6 +142,14 @@ export default defineConfig({
 { text: 'Custom Fetch', link: '/nuxt/custom-fetch' },
 ]
 },
+ {
+ text: 'OpenTofu',
+ link: '/opentofu/',
+ collapsed: true,
+ items: [
+ { text: 'Encrypted State', link: '/opentofu/encrypted-state' },
+ ]
+ },
 {
 text: 'Postgres',
 link: '/postgres/',
diff --git a/docs/index.md b/docs/index.md
index adef482..3a0e5aa 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -58,6 +58,10 @@ hero:
 text: Nuxt
 link: /nuxt/
+ - theme: alt
+ text: OpenTofu
+ link: /opentofu/
+
 - theme: alt
 text: Postgres
 link: /postgres/
diff --git a/docs/opentofu/encrypted-state.md b/docs/opentofu/encrypted-state.md
new file mode 100644
index 0000000..04d2e28
--- /dev/null
+++ b/docs/opentofu/encrypted-state.md
@@ -0,0 +1,44 @@
+# OpenTofu Encrypted State
+
+Encrypted state is a very exciting feature of OpenTofu that allows you to encrypt your state files at rest, so you can check them into version control without worrying about sensitive data being exposed.
+
+## Setup
+
+To use encrypted state you need to setup an `encryption` block in your `terraform` configuration. This block specifies the encryption provider and the key to use for encryption.
+
+```hcl
+terraform {
+ encryption {
+ key_provider "pbkdf2" "key_provider" {
+ passphrase = var.encryption_passphrase
+ }
+
+ method "aes_gcm" "method" {
+ keys = key_provider.pbkdf2.key_provider
+ }
+
+ state {
+ method = method.aes_gcm.method
+ enforced = true
+ }
+
+ plan {
+ method = method.aes_gcm.method
+ enforced = true
+ }
+ }
+}
+```
+
+In this example we will need to provide a passphrase in our `you.auto.tfvars` file:
+
+```hcl
+encryption_passphrase = "my-super-secret-passphrase"
+```
+
+or in CI we can run it as an environment variable:
+
+```bash
+export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
+```
+
diff --git a/docs/opentofu/index.md b/docs/opentofu/index.md
new file mode 100644
index 0000000..62c20d8
--- /dev/null
+++ b/docs/opentofu/index.md
@@ -0,0 +1,3 @@
+# OpenTofu Snippets and Musings
+
+#### [Encrypted State](./encrypted-state.md)
\ No newline at end of file
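Review bot: The `you.auto.tfvars` example in the new encrypted-state page undoes the protection the opening paragraph promises: if that tfvars file sits in the same repository as the state files being checked in, the passphrase is committed next to the ciphertext and the encryption protects nothing. The section should say explicitly that the tfvars file carrying `encryption_passphrase` must be excluded from version control (for example via `.gitignore`) and that the CI environment variable shown below is the preferred route, sourced from the CI system's secret store rather than a committed file. The filename `you.auto.tfvars` also reads like a typo or placeholder; since any `*.auto.tfvars` file is loaded automatically, describing the naming convention would be clearer than a specific name. A one-line caveat that with `enforced = true` a lost passphrase leaves the state unreadable, so it needs to be backed up and rotated deliberately, would round out the setup steps.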