Upgrade to OpenTofu 1.7 or later which introduced the encryption block in the tofu configuration; add a terraform { encryption { } } block in the root module
Inside the encryption block, define a key_provider block of type pbkdf2 and supply the passphrase via an environment variable reference using key_provider "pbkdf2" "main" { passphrase = var.state_passphrase }
Define a method block of type aes_gcm referencing the key provider, then set state { method = encryption_method.aes_gcm.main } to apply encryption to all state reads and writes
Store the passphrase in the CI secret store and inject it as TF_VAR_state_passphrase at plan and apply time; never hardcode it in the configuration
For key rotation, add a fallback block inside the state encryption config pointing to the old key provider; OpenTofu will decrypt with the fallback and re-encrypt with the primary on the next apply
Verify that the raw S3 object is not readable as plain JSON by downloading the state file directly from S3 and confirming it contains encrypted bytes rather than resource attributes
Known gotchas
OpenTofu's state encryption is not compatible with standard Terraform; if you share state between OpenTofu and Terraform CLI, encryption must be disabled or a migration plan must be executed first
The pbkdf2 key derivation uses a randomly generated salt stored alongside the encrypted state; losing the passphrase and the salt makes the state permanently unrecoverable with no AWS-side key management fallback
Encryption applies to plan files as well as state files; a plan file produced with encryption cannot be applied by a binary that does not have the matching passphrase configured
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp