Use OpenTofu native state encryption to encrypt Terraform-compatible state at rest with a passphrase-derived key before storing in an S3-compatible backend
Upgrade the project to OpenTofu and add an encryption block inside the terraform block, declaring a key_provider "pbkdf2" "<label>" whose passphrase comes from a sensitive input variable (supplied through a TF_VAR_ environment variable) or from the TF_ENCRYPTION environment variable; the passphrase must be at least 16 characters and must never be committed to the repository
Declare a method "aes_gcm" "<label>" block inside encryption and point its keys attribute at the key provider by address, key_provider.pbkdf2.<label>
Add state and plan blocks inside encryption, each setting method = method.aes_gcm.<label>, so both the state file and saved plan files are encrypted (the targets are named state and plan, not state_file and plan_file)
Run tofu init and tofu plan to confirm the encryption configuration is accepted, then run tofu apply; if unencrypted state already exists in the backend, this first apply reads it in plaintext and writes it back encrypted, so leave enforced unset until that write has happened, then set enforced = true in the state and plan blocks so OpenTofu refuses to read or write unencrypted state afterwards
Verify the object stored in the S3 bucket: it is still a small JSON wrapper carrying serial, lineage, encryption_version, a meta field with the key-provider metadata and a base64 encrypted_data field, but no resources or outputs in plaintext; confirm that grepping it for a known resource attribute finds nothing, then run tofu state list with the passphrase available to confirm decryption works and once more without it to confirm it fails
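The complete configuration for the steps above, as an added example that is not the project's own code. The bucket name, the variable name state_passphrase, and the labels passphrase and state_key are assumptions; everything else is the OpenTofu encryption block syntax:

```hcl
# Added example configuration, not taken from the project. Bucket name, the
# variable name and the labels "passphrase" / "state_key" are assumptions.

variable "state_passphrase" {
  type      = string
  sensitive = true
  # Supplied as TF_VAR_state_passphrase in CI and on operator machines.
  # No default: a committed passphrase would defeat the encryption.
}

terraform {
  backend "s3" {
    bucket = "example-tofu-state"       # assumed bucket name
    key    = "prod/terraform.tfstate"
    region = "us-east-1"
  }

  encryption {
    # Key derived from the passphrase with PBKDF2; the random salt is written
    # into the "meta" field of the encrypted state, not into this config.
    key_provider "pbkdf2" "passphrase" {
      passphrase = var.state_passphrase   # at least 16 characters
    }

    # AES-GCM gives confidentiality and integrity; a tampered blob fails to decrypt.
    method "aes_gcm" "state_key" {
      keys = key_provider.pbkdf2.passphrase
    }

    # Same method for both targets so plan files never leak what the state hides.
    state {
      method   = method.aes_gcm.state_key
      enforced = true   # set only after existing plaintext state has been rewritten encrypted
    }

    plan {
      method   = method.aes_gcm.state_key
      enforced = true
    }
  }
}
```

On a project that already has plaintext state in the bucket, comment out the two enforced lines for the first tofu apply, confirm the stored object now carries encrypted_data, and then turn them on; with enforced = true set up front, OpenTofu refuses to read the existing unencrypted state and the migration apply fails.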
Known gotchas
OpenTofu state encryption is not compatible with standard Terraform; once state or plan files are encrypted with OpenTofu, the Terraform CLI cannot read them, so moving back to Terraform requires an explicit decryption pass first: switch the state and plan method to the unencrypted method, keep the aes_gcm method as a fallback so the encrypted state can still be read, run tofu apply to write plaintext state, and only then remove the encryption block and change tools
If the passphrase environment variable is not set when running OpenTofu commands, the CLI fails with a key provider error that may not clearly indicate the missing passphrase — always document the required environment variable in the project README and CI pipeline
OpenTofu's pbkdf2 key provider uses a random salt stored in the meta field of the encrypted state object; if that field is lost or the object is corrupted, the state cannot be recovered even with the correct passphrase, so back up the whole encrypted object (for example with S3 versioning), never just the passphrase
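The decryption pass described in the first gotcha, as an added example that is not the project's own code. The labels passphrase, state_key and plaintext and the variable name are assumptions; the unencrypted method and the fallback block are OpenTofu's own migration mechanism:

```hcl
# Added example: rewrite encrypted state as plaintext before handing the project
# back to the Terraform CLI. Labels and the variable name are assumptions.

variable "state_passphrase" {
  type      = string
  sensitive = true
}

terraform {
  encryption {
    # The existing provider and method are still needed to READ the current state.
    key_provider "pbkdf2" "passphrase" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "state_key" {
      keys = key_provider.pbkdf2.passphrase
    }

    # Target method from now on: no encryption.
    method "unencrypted" "plaintext" {}

    state {
      method = method.unencrypted.plaintext   # what gets WRITTEN
      fallback {
        method = method.aes_gcm.state_key      # what may still be READ
      }
    }

    plan {
      method = method.unencrypted.plaintext
      fallback {
        method = method.aes_gcm.state_key
      }
    }
  }
}
```

Run tofu apply once with this configuration and confirm the stored object is ordinary state JSON with a resources array and no encrypted_data field; after that the encryption block can be deleted and the Terraform CLI will read the state. The passphrase is still required for this one apply, since the fallback method has to decrypt the old state before it can be rewritten.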