# OpenTofu Encrypted State

Encrypted state is a very exciting feature of OpenTofu that allows you to encrypt your state files at rest, so you can check them into version control without worrying about sensitive data being exposed. 

## Setup

To use encrypted state you need to setup an `encryption` block in your `terraform` configuration. This block specifies the encryption provider and the key to use for encryption.

```hcl
terraform {
  encryption {
    key_provider "pbkdf2" "key_provider" {
      passphrase = var.encryption_passphrase
    }

    method "aes_gcm" "method" {
      keys = key_provider.pbkdf2.key_provider
    }

    state {
      method = method.aes_gcm.method
      enforced = true
    }

    plan {
      method = method.aes_gcm.method
      enforced = true
    }
  }
}
```

In this example we will need to provide a passphrase in our `you.auto.tfvars` file:

```hcl
encryption_passphrase = "my-super-secret-passphrase"
```

or in CI we can run it as an environment variable:

```bash
export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
```