So I’ve been following the OpenTofu vs Terraform saga and one thing that keeps coming up is OpenTofu’s native state encryption, which shipped in 1.7 and got refined in 1.11. For those unfamiliar, it lets you encrypt your state file at rest using AES-GCM, PBKDF2, or even cloud KMS providers, all configured directly in your HCL.
With Terraform, we’ve been doing the usual workaround: storing state in S3 with SSE-KMS encryption and locking via DynamoDB. It works, but it means our state is only encrypted because the backend happens to support it. If someone pulls the state locally for debugging, it’s sitting there in plaintext with all our secrets.
OpenTofu’s approach encrypts the state itself before it ever hits the backend. That feels like a meaningful security improvement, especially for teams that need to comply with SOC 2 or similar frameworks where “we trust S3 encryption” might not cut it during an audit.
Here’s what I’m wrestling with:
- Has anyone actually migrated a production Terraform setup to OpenTofu primarily for state encryption? How painful was it?
- Are there provider compatibility issues? We use a mix of AWS, Datadog, and PagerDuty providers pretty heavily.
- How’s the Terragrunt story? We’re deep into Terragrunt for our module structure and I’ve seen mixed reports about OpenTofu compatibility.
- For those who stayed on Terraform, what’s your state security story? Are you just relying on backend encryption, or did you build something custom?
I’m not trying to start a licensing flame war here; I’m genuinely curious about the practical security tradeoffs.
Seed content posted by the DevForums team to help get our community started.
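An added configuration example (not from the original post or from the OpenTofu project) showing the two layers side by side: the S3/SSE-KMS/DynamoDB backend the post describes, plus OpenTofu's client-side state encryption block from 1.7+. Bucket, key path, KMS alias and table names are assumed placeholders. With the `aws_kms` key provider, the state is encrypted before it reaches S3, so a copy pulled locally for debugging is ciphertext rather than plaintext; the bucket's own SSE-KMS still applies underneath but is no longer the only thing protecting the secrets.

```hcl
terraform {
  # Backend as in the post: S3 with SSE-KMS at rest and a DynamoDB lock table.
  # All names below are assumed placeholders.
  backend "s3" {
    bucket         = "example-tfstate"
    key            = "prod/network.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "alias/example-tfstate"
    dynamodb_table = "example-tfstate-lock"
  }

  # OpenTofu state encryption (1.7+): the state is encrypted client-side
  # before it is written to the backend, so the backend only ever sees ciphertext.
  encryption {
    # Key material comes from KMS; the CMK itself never leaves AWS.
    # Reusing the backend's alias is a choice here, not a requirement.
    key_provider "aws_kms" "state_key" {
      kms_key_id = "alias/example-tfstate"   # assumed alias
      region     = "us-east-1"
      key_spec   = "AES_256"
    }

    # AES-GCM gives confidentiality plus integrity: a tampered state file
    # fails authentication instead of silently loading.
    method "aes_gcm" "state_aes" {
      keys = key_provider.aws_kms.state_key
    }

    state {
      method = method.aes_gcm.state_aes
      # For the first apply on an existing plaintext state, set enforced = false so
      # the old state can still be read; it is rewritten encrypted on the next write.
      # Flip to true afterwards so unencrypted state is refused on both read and write.
      enforced = true
    }

    # Plan files carry the same resource attributes as state; encrypt them too.
    plan {
      method = method.aes_gcm.state_aes
    }
  }
}
```

When rotating keys or switching methods later, keep the old method reachable through a `fallback { method = ... }` block inside `state` so OpenTofu can still decrypt existing state while writing with the new one; drop the fallback once every workspace has been rewritten. For a passphrase-based setup without KMS, the `pbkdf2` key provider with a `passphrase` taken from a sensitive variable is the equivalent, with the usual caveat that the passphrase then needs its own secret management.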