{"id":"a4b2106a-818a-4dc4-a0cb-00699d25a8aa","task":"Use OpenTofu native state encryption to encrypt Terraform-compatible state at rest with a passphrase-derived key before storing in an S3-compatible backend","domain":"opentofu.org","steps":["Upgrade the project to use OpenTofu and add an encryption block to the OpenTofu configuration specifying the key_provider as pbkdf2 with a passphrase reference to an environment variable or input variable","Configure the method block within encryption to use the AES-GCM encryption method and reference the key provider by its label","Set the state_file and plan_file targets in the encryption block to apply the encryption method to both state and plan files","Run tofu init and tofu plan to confirm no errors and that the encryption configuration is accepted, then run tofu apply to produce the first encrypted state file in the backend","Verify that the state file stored in the S3 bucket is binary-encrypted and not human-readable JSON, and test decryption by running tofu state list which requires the passphrase to be available"],"gotchas":["OpenTofu state encryption is not compatible with standard Terraform; once a state file is encrypted with OpenTofu, it cannot be read by the Terraform CLI, making migration back to Terraform require explicit decryption before switching tools","If the passphrase environment variable is not set when running OpenTofu commands, the CLI fails with a key provider error that may not clearly indicate the missing passphrase — always document the required environment variable in the project README and CI pipeline","OpenTofu's pbkdf2 key derivation uses a random salt stored alongside the encrypted state; if the salt is lost or the state file is corrupted, the state cannot be recovered even with the correct passphrase"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/a4b2106a-818a-4dc4-a0cb-00699d25a8aa"}