mirror of
https://github.com/opentffoundation/opentf.git
synced 2026-05-17 01:03:30 -04:00
beb4d94d57
This is the result of running the "go fix" modernizers on the subset of files under this prefix that were already changed during the v1.12 development period. Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
PBKDF passphrase key provider
Warning
This file is not an end-user documentation, it is intended for developers. Please follow the user documentation on the OpenTofu website unless you want to work on the encryption code.
This folder contains the code for the PBKDF2 passphrase key provider. The user can enter a passphrase and the key provider will generate []byte keys of a given length and will record the salt in the encryption metadata.
Configuration
You can configure this key provider by specifying the following options:
terraform {
encryption {
key_provider "pbkdf2" "myprovider" {
passphrase = "enter a long and complex passphrase here"
# Alternatively, chain the passphrase from an upstream key provider:
chain = key_provider.other.provider
# Adapt the key length to your encryption method needs,
# check the method documentation for the right key length
key_length = 32
# Provide the number of iterations that should be performed.
# See https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
# for recommendations
iterations = 600000
# Pick the hashing function. Can be sha256 or sha512.
hash_function = "sha512"
# Pick the salt length in bytes.
salt_length = 32
}
}
}