Skip to main content

Sensitive Data in State

OpenTofu state can contain sensitive data, depending on the resources in use and your definition of "sensitive." The state contains resource IDs and all resource attributes. For resources such as databases, this may contain initial passwords.

When using local state, state is stored in plain-text JSON files.

When using remote state, state is only ever held in memory when used by OpenTofu. It may be encrypted at rest, but this depends on the specific remote state backend.

Recommendations

If you manage any sensitive data with OpenTofu (like database passwords, user passwords, or private keys), treat the state itself as sensitive data.

Storing state remotely can provide better security. OpenTofu does not persist state to the local disk when remote state is in use, and some backends can be configured to encrypt the state data at rest.

For example:

  • The S3 backend supports encryption at rest when the encrypt option is enabled. IAM policies and logging can be used to identify any invalid access. Requests for the state go over a TLS connection.