---
layout: "docs"
page_title: "State: Sensitive Data"
sidebar_current: "docs-state-sensitive-data"
description: |-
  Sensitive data in Terraform state.
---

# Sensitive Data in State

Terraform state can contain sensitive data, depending on the resources in use
and your definition of "sensitive." The state contains resource IDs and all
resource attributes. For resources such as databases, this may contain initial
passwords.

When using local state, state is stored in plain-text JSON files.

When using [remote state](/docs/state/remote.html), state is only ever held in
memory when used by Terraform. It may be encrypted at rest, but this depends on
the specific remote state backend.

## Recommendations

If you manage any sensitive data with Terraform (like database passwords, user
passwords, or private keys), treat the state itself as sensitive data.

Storing state remotely can provide better security. As of Terraform 0.9,
Terraform does not persist state to the local disk when remote state is in use,
and some backends can be configured to encrypt the state data at rest.

For example:

- [Terraform Cloud](/docs/cloud/index.html) always encrypts state at rest and
  protects it with TLS in transit. Terraform Cloud also knows the identity of
  the user requesting state and maintains a history of state changes. This can
  be used to control access and track activity. [Terraform Enterprise](/docs/enterprise/index.html)
  also supports detailed audit logging.
- The S3 backend supports encryption at rest when the `encrypt` option is
  enabled. IAM policies and logging can be used to identify any invalid access.
  Requests for the state go over a TLS connection.