# OpenTofu Encrypted State
Encrypted state is a very exciting feature of OpenTofu that allows you to encrypt your state files at rest, so you can check them into version control without worrying about sensitive data being exposed.
## Setup
To use encrypted state, you need to set up an `encryption` block in your `terraform` configuration. This block specifies the key provider and the encryption method to use.
```hcl
terraform {
  encryption {
    # Derive the encryption key from a passphrase using PBKDF2
    key_provider "pbkdf2" "key_provider" {
      passphrase = var.encryption_passphrase
    }

    # Encrypt with AES-GCM using the derived key
    method "aes_gcm" "method" {
      keys = key_provider.pbkdf2.key_provider
    }

    # enforced = true makes OpenTofu refuse to write this data unencrypted
    state {
      method   = method.aes_gcm.method
      enforced = true
    }

    plan {
      method   = method.aes_gcm.method
      enforced = true
    }
  }
}
```
In this example we will need to provide a passphrase in our `you.auto.tfvars` file:
```hcl
encryption_passphrase = "my-super-secret-passphrase"
```
Or, in CI, we can provide it as an environment variable:
```bash
# OpenTofu reads TF_VAR_<name> as the value of the variable <name>
export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
```