mirror of
https://github.com/opentffoundation/opentf.git
synced 2026-02-15 13:00:32 -05:00
a15a6c9657
Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com> Signed-off-by: Damian Stasik <920747+damianstasik@users.noreply.github.com> Signed-off-by: Roman Grinovski <roman.grinovski@gmail.com> Co-authored-by: Damian Stasik <920747+damianstasik@users.noreply.github.com> Co-authored-by: Roman Grinovski <roman.grinovski@gmail.com>
32 lines
1.2 KiB
Plaintext
32 lines
1.2 KiB
Plaintext
---
|
|
description: Sensitive data in OpenTofu state.
|
|
---
|
|
|
|
# Sensitive Data in State
|
|
|
|
OpenTofu state can contain sensitive data, depending on the resources in use
|
|
and your definition of "sensitive." The state contains resource IDs and all
|
|
resource attributes. For resources such as databases, this may contain initial
|
|
passwords.
|
|
|
|
When using local state, state is stored in plain-text JSON files.
|
|
|
|
When using [remote state](../../language/state/remote.mdx), state is only ever held in
|
|
memory when used by OpenTofu. It may be encrypted at rest, but this depends on
|
|
the specific remote state backend.
|
|
|
|
## Recommendations
|
|
|
|
If you manage any sensitive data with OpenTofu (like database passwords, user
|
|
passwords, or private keys), treat the state itself as sensitive data.
|
|
|
|
Storing state remotely can provide better security.
|
|
OpenTofu does not persist state to the local disk when remote state is in use,
|
|
and some backends can be configured to encrypt the state data at rest.
|
|
|
|
For example:
|
|
|
|
- The S3 backend supports encryption at rest when the `encrypt` option is
|
|
enabled. IAM policies and logging can be used to identify any invalid access.
|
|
Requests for the state go over a TLS connection.
|