github.com/wikibal01/hashicorp-terraform@v0.11.12-beta1/website/docs/state/sensitive-data.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "State: Sensitive Data" 4 sidebar_current: "docs-state-sensitive-data" 5 description: |- 6 Sensitive data in Terraform state. 7 --- 8 9 # Sensitive Data in State 10 11 Terraform state can contain sensitive data depending on the resources in-use 12 and your definition of "sensitive." The state contains resource IDs and all 13 resource attributes. For resources such as databases, this may contain initial 14 passwords. 15 16 Some resources (such as RDS databases) have options for PGP encrypting the 17 values within the state. This is implemented on a per-resource basis and 18 you should assume the value is plaintext unless otherwise documented. 19 20 When using local state, state is stored in plain-text JSON files. When 21 using [remote state](/docs/state/remote.html), state is only ever held in memory when used by Terraform. 22 It may be encrypted at rest but this depends on the specific remote state 23 backend. 24 25 It is important to keep this in mind if you do (or plan to) store sensitive 26 data (e.g. database passwords, user passwords, private keys) as it may affect 27 the risk of exposure of such sensitive data. 28 29 ## Recommendations 30 31 Storing state remotely may provide you encryption at rest depending on the 32 backend you choose. As of Terraform 0.9, Terraform will only hold the state 33 value in memory when remote state is in use. It is never explicitly persisted 34 to disk. 35 36 For example, encryption at rest can be enabled with the S3 backend and IAM 37 policies and logging can be used to identify any invalid access. Requests for 38 the state go over a TLS connection. 39 40 [Terraform Enterprise](https://www.hashicorp.com/products/terraform/) is 41 a commercial product from HashiCorp that also acts as a [backend](/docs/backends) 42 and provides encryption at rest for state. Terraform Enterprise also knows 43 the identity of the user requesting state and maintains a history of state 44 changes. This can be used to provide access control and detect any breaches. 45 46 ## Future Work 47 48 Long term, the Terraform project wants to further improve the ability to 49 secure sensitive data. There are plans to provide a 50 generic mechanism for specific state attributes to be encrypted or even 51 completely omitted from the state. These do not exist yet except on a 52 resource-by-resource basis if documented.