LiamPietralla/code-snippets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

opentofu encryption
All checks were successful
Build, Test & Publish / Build (push) Successful in 55s
Details
Build, Test & Publish / Build and Publish Container Image (push) Successful in 37s
Details
Build, Test & Publish / Deploy to Infrastructure (push) Successful in 30s
Details

Browse Source
This commit is contained in:
Liam Pietralla
2026-03-27 08:40:45 +11:00
parent 30ffa17752
commit 8f601b83d7
4 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
docs/opentofu/encrypted-state.md Normal file
View File

@@ -0,0 +1,44 @@
# OpenTofu Encrypted State
Encrypted state is a very exciting feature of OpenTofu that allows you to encrypt your state files at rest, so you can check them into version control without worrying about sensitive data being exposed.
## Setup
To use encrypted state you need to setup an `encryption` block in your `terraform` configuration. This block specifies the encryption provider and the key to use for encryption.
```hcl
terraform {
encryption {
key_provider "pbkdf2" "key_provider" {
passphrase = var.encryption_passphrase
}
method "aes_gcm" "method" {
keys = key_provider.pbkdf2.key_provider
}
state {
method = method.aes_gcm.method
enforced = true
}
plan {
method = method.aes_gcm.method
enforced = true
}
}
}
```
In this example we will need to provide a passphrase in our `you.auto.tfvars` file:
```hcl
encryption_passphrase = "my-super-secret-passphrase"
```
or in CI we can run it as an environment variable:
```bash
export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
```

3
docs/opentofu/index.md Normal file
View File

@@ -0,0 +1,3 @@
# OpenTofu Snippets and Musings
#### [Encrypted State](./encrypted-state.md)