github.com/opentofu/opentofu@v1.7.1/internal/encryption/keyprovider/aws_kms/README.md

# AWS KMS Key Provider

> [!WARNING]
> This file is not end-user documentation; it is intended for developers. Please follow the user documentation on the OpenTofu website unless you want to work on the encryption code.

This folder contains the code for the AWS KMS Key Provider. The user provides a reference to an AWS KMS key, and the provider uses that key to generate the data keys under which state is encrypted and decrypted.
## Configuration

You can configure this key provider by specifying the following options:

```hcl2
terraform {
    encryption {
        key_provider "aws_kms" "myprovider" {
           kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    }
}
```

## Key Provider Options - kms_key_id

The `kms_key_id` can refer to one of the following:

- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
- Alias name: `alias/ExampleAlias`
- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`

These are the forms accepted by the `KeyId` field of the SDK's `GenerateDataKeyInput`; for more information see https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/kms#GenerateDataKeyInput

Note that an alias is a mutable pointer: if it is later re-pointed at a different key (`UpdateAlias`), new data keys are generated under the key the alias now names, while existing snapshots remain wrapped under the previous key, which must therefore stay enabled for as long as those snapshots need to be read.
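
The following is an added example, not code from the OpenTofu provider, that classifies a `kms_key_id` string into the four forms listed above. `ClassifyKMSKeyID`, `KeyIDKind` and the regular expressions are this example's own; they approximate the KMS formats for the sake of early validation and error messages, and are not the SDK's validation, which still runs when the request is made.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// KeyIDKind names the four reference forms a kms_key_id may take.
type KeyIDKind string

const (
	KindKeyID     KeyIDKind = "key ID"
	KindKeyARN    KeyIDKind = "key ARN"
	KindAliasName KeyIDKind = "alias name"
	KindAliasARN  KeyIDKind = "alias ARN"
)

var (
	// A bare key ID is the UUID KMS assigns to the key.
	keyIDRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
	// An alias name is "alias/" plus up to 250 characters from [A-Za-z0-9/_-]
	// (256 total including the prefix). This is the example's approximation of the KMS rule.
	aliasNameRe = regexp.MustCompile(`^alias/[A-Za-z0-9/_-]{1,250}$`)
	// An ARN wraps either resource: arn:<partition>:kms:<region>:<account>:<resource>.
	arnRe = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):kms:([a-z0-9-]+):([0-9]{12}):(key/.+|alias/.+)$`)
)

// ClassifyKMSKeyID reports which of the four forms s has, or an error if it matches none.
func ClassifyKMSKeyID(s string) (KeyIDKind, error) {
	if keyIDRe.MatchString(s) {
		return KindKeyID, nil
	}
	if aliasNameRe.MatchString(s) {
		return KindAliasName, nil
	}
	if m := arnRe.FindStringSubmatch(s); m != nil {
		resource := m[4]
		switch {
		case keyIDRe.MatchString(strings.TrimPrefix(resource, "key/")):
			return KindKeyARN, nil
		case aliasNameRe.MatchString(resource):
			return KindAliasARN, nil
		}
		return "", fmt.Errorf("%q: KMS ARN resource %q is neither key/<uuid> nor alias/<name>", s, resource)
	}
	return "", fmt.Errorf("%q is not a KMS key ID, key ARN, alias name, or alias ARN", s)
}

func main() {
	// The four documented forms plus one common mistake (alias without the alias/ prefix).
	for _, s := range []string{
		"1234abcd-12ab-34cd-56ef-1234567890ab",
		"arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		"alias/ExampleAlias",
		"arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
		"ExampleAlias",
	} {
		kind, err := ClassifyKMSKeyID(s)
		fmt.Printf("%-80s %v %v\n", s, kind, err)
	}
}
```

A bare alias without the `alias/` prefix, or an ARN for a service other than `kms`, is rejected before any request is made; everything else is passed through as-is, since KMS itself is the authority on whether the key exists and is usable.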
    31  
## State Snapshotting and Key Usage

### Overview

OpenTofu requests a new data key from KMS (a `GenerateDataKey` call) every time it stores encrypted data, so each state snapshot is encrypted under its own key rather than under a key shared across snapshots. The KMS key referenced by `kms_key_id` itself does not change; it only wraps the per-snapshot data keys.

This has minor cost implications that should be communicated to end users: every `GenerateDataKey` call is a billable KMS request, so more keys may be generated than expected, one for each state snapshot written.

Generating a fresh key per snapshot is deliberate. Reusing one data key for all state snapshots would mean that compromising that single key exposes every snapshot ever written, whereas a unique key per snapshot limits the exposure from one leaked data key to that one snapshot.
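
The per-snapshot data key flow described above, as an added example that is not the provider's own implementation. `DataKeyProvider`, `fakeKMS`, `Envelope`, `EncryptSnapshot` and `DecryptSnapshot` are this example's names; `fakeKMS` is a constructed in-memory stand-in for the KMS key so the code runs offline, and AES-GCM is the example's own choice for both the key wrapping and the snapshot payload (the page does not say which cipher the provider uses). The `Calls` counter is the number of `GenerateDataKey` requests, the billable unit the cost note refers to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// DataKeyProvider is the slice of the KMS API that per-snapshot encryption needs,
// modelled on GenerateDataKey and Decrypt (the real provider uses aws-sdk-go-v2).
type DataKeyProvider interface {
	GenerateDataKey(keyID string) (plaintextKey, wrappedKey []byte, err error)
	Decrypt(wrappedKey []byte) (plaintextKey []byte, err error)
}

// fakeKMS is an in-memory stand-in for the KMS key named by kms_key_id: it wraps
// data keys under one master key. Calls counts GenerateDataKey requests.
type fakeKMS struct {
	master cipher.AEAD
	Calls  int
}

func newFakeKMS() (*fakeKMS, error) {
	aead, err := newGCM(randomBytes(32))
	if err != nil {
		return nil, err
	}
	return &fakeKMS{master: aead}, nil
}

// GenerateDataKey returns a fresh 256-bit key and the same key wrapped by the master key.
func (f *fakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	f.Calls++
	dataKey := randomBytes(32)
	return dataKey, seal(f.master, dataKey), nil
}
func (f *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(f.master, wrapped) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}
func zero(b []byte) { for i := range b { b[i] = 0 } }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prepends a random nonce to the AES-GCM ciphertext; open reverses it.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}
func open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// Envelope is what is persisted per snapshot: the KMS-wrapped data key and the
// snapshot sealed under it. Neither part is usable without access to the KMS key.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptSnapshot asks KMS for a fresh data key and seals exactly one snapshot with
// it; the plaintext data key is zeroed on return and is never persisted.
func EncryptSnapshot(kms DataKeyProvider, keyID string, state []byte) (Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dataKey)
	aead, err := newGCM(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(aead, state)}, nil
}

// DecryptSnapshot unwraps the snapshot's own data key through KMS and opens the snapshot.
func DecryptSnapshot(kms DataKeyProvider, env Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}
```

Each `EncryptSnapshot` is exactly one `GenerateDataKey` request, and each `DecryptSnapshot` is one `Decrypt` request, which is where the per-snapshot cost comes from. Because a snapshot's ciphertext is bound to its own data key, handing the wrapped key of one snapshot to another snapshot's ciphertext fails authentication, so a leaked data key cannot be used to read any other snapshot.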