{"id":"fb18b919-b59b-47dd-b24f-adee0a115a27","task":"Use OpenTofu's native state encryption feature to encrypt Terraform state at rest with a passphrase-derived key before storing it in an S3 backend","domain":"OpenTofu","steps":["Upgrade to OpenTofu 1.7 or later, which introduced the encryption block in the tofu configuration; add a terraform { encryption { } } block in the root module","Inside the encryption block, define a key_provider block of type pbkdf2 and supply the passphrase via an environment variable reference using key_provider \"pbkdf2\" \"main\" { passphrase = var.state_passphrase }","Define a method block of type aes_gcm referencing the key provider (method \"aes_gcm\" \"main\" { keys = key_provider.pbkdf2.main }), then set state { method = method.aes_gcm.main } to apply encryption to all state reads and writes","Store the passphrase in the CI secret store and inject it as TF_VAR_state_passphrase at plan and apply time; never hardcode it in the configuration","For key rotation, add a fallback block inside the state encryption config pointing to the old key provider; OpenTofu will decrypt with the fallback and re-encrypt with the primary on the next apply","Verify that the raw S3 object is not readable as plain JSON by downloading the state file directly from S3 and confirming it contains encrypted bytes rather than resource attributes"],"gotchas":["OpenTofu's state encryption is not compatible with standard Terraform; if you share state between OpenTofu and Terraform CLI, encryption must be disabled or a migration plan must be executed first","The pbkdf2 key derivation uses a randomly generated salt stored alongside the encrypted state; losing the passphrase and the salt makes the state permanently unrecoverable with no AWS-side key management fallback","Encryption applies to plan files as well as state files; a plan file produced with encryption cannot be applied by a binary that does not have the matching passphrase configured"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/fb18b919-b59b-47dd-b24f-adee0a115a27"}