mirror of https://github.com/opentofu/opentofu.git synced 2026-02-03 20:40:39 -05:00

History

Andrei Ciobanu 66983273e5 Some checks are pending build / Build for freebsd_386 (push) Waiting to run Details build / Build for linux_386 (push) Waiting to run Details build / Build for openbsd_386 (push) Waiting to run Details build / Build for windows_386 (push) Waiting to run Details build / Build for freebsd_amd64 (push) Waiting to run Details build / Build for linux_amd64 (push) Waiting to run Details build / Build for openbsd_amd64 (push) Waiting to run Details build / Build for solaris_amd64 (push) Waiting to run Details build / Build for windows_amd64 (push) Waiting to run Details build / Build for freebsd_arm (push) Waiting to run Details build / Build for linux_arm (push) Waiting to run Details build / Build for linux_arm64 (push) Waiting to run Details build / Build for darwin_amd64 (push) Waiting to run Details build / Build for darwin_arm64 (push) Waiting to run Details build / End-to-end Tests for linux_386 (push) Waiting to run Details build / End-to-end Tests for windows_386 (push) Waiting to run Details build / End-to-end Tests for darwin_amd64 (push) Waiting to run Details build / End-to-end Tests for linux_amd64 (push) Waiting to run Details build / End-to-end Tests for windows_amd64 (push) Waiting to run Details Quick Checks / List files changed for pull request (push) Waiting to run Details Quick Checks / Unit tests for linux_386 (push) Blocked by required conditions Details Quick Checks / Unit tests for linux_amd64 (push) Blocked by required conditions Details Quick Checks / Unit tests for windows_amd64 (push) Blocked by required conditions Details Quick Checks / Unit tests for linux_arm (push) Blocked by required conditions Details Quick Checks / Unit tests for darwin_arm64 (push) Blocked by required conditions Details Quick Checks / Unit tests for linux_arm64 (push) Blocked by required conditions Details Quick Checks / Race Tests (push) Blocked by required conditions Details Quick Checks / End-to-end Tests (push) Blocked by required conditions Details Quick Checks / Code Consistency Checks (push) Blocked by required conditions Details Quick Checks / License Checks (push) Waiting to run Details Website checks / List files changed for pull request (push) Waiting to run Details Website checks / Build (push) Blocked by required conditions Details Website checks / Test Installation Instructions (push) Blocked by required conditions Details Key provider decoding moved from gohcl to hcl/v2 (#3654 ) Signed-off-by: Christian Mesh <christianmesh1@gmail.com> Signed-off-by: Andrei Ciobanu <andrei.ciobanu@opentofu.org> Co-authored-by: Christian Mesh <christianmesh1@gmail.com>		2026-01-15 17:51:16 +02:00
..
aesgcm	Key provider decoding moved from gohcl to hcl/v2 (#3654 )	2026-01-15 17:51:16 +02:00
compliancetest	Key provider decoding moved from gohcl to hcl/v2 (#3654 )	2026-01-15 17:51:16 +02:00
external	Key provider decoding moved from gohcl to hcl/v2 (#3654 )	2026-01-15 17:51:16 +02:00
unencrypted	Key provider decoding moved from gohcl to hcl/v2 (#3654 )	2026-01-15 17:51:16 +02:00
addr.go	[State Encryption] Compliance tests (#1377 )	2024-03-14 15:53:40 +01:00
config.go	Documentation updates for 1.7.0-alpha1 (state encryption) (#1396 )	2024-03-14 15:05:05 +01:00
descriptor.go	Key provider decoding moved from gohcl to hcl/v2 (#3654 )	2026-01-15 17:51:16 +02:00
errors.go	Fixes #2337 : External encryption method (#2367 )	2025-01-31 12:13:18 -05:00
id.go	[State Encryption] Compliance tests (#1377 )	2024-03-14 15:53:40 +01:00
method.go	Documentation updates for 1.7.0-alpha1 (state encryption) (#1396 )	2024-03-14 15:05:05 +01:00
README.md	[State Encryption] Compliance tests (#1377 )	2024-03-14 15:53:40 +01:00

README.md

Encryption methods

Warning

This file is not an end-user documentation, it is intended for developers. Please follow the user documentation on the OpenTofu website unless you want to work on the encryption code.

This folder contains the implementations for the encryption methods used in OpenTofu. Encryption methods determine how exactly data is encrypted, but they do not determine what exactly is encrypted.

Implementing a method

When you implement a method, take a look at the aesgcm method as a template.

Testing your method (do this first!)

Before you even go about writing a method, please set up the compliance tests. You can create a single test case that calls compliancetest.ComplianceTest. This test suite will run your key provider through all important compliance tests and will make sure that you are not missing anything during the implementation.

Implementing the descriptor

The descriptor is very simple, you need to implement the Descriptor interface in a type. (It does not have to be a struct.) However, make sure that the ConfigStruct always returns a struct with hcl tags on it. For more information on the hcl tags, see the gohcl documentation.

The config struct

Next, you need to create a config structure. This structure should hold all the fields you expect a user to fill out. This must be a struct, and you must add hcl tags to each field you expect the user to fill out.

If the config structure needs input from key providers, it should declare one HCL-tagged field with the type of keyprovider.Output to receive the encryption and decryption key. Note, that the decryption key is not always available.

Additionally, you must implement the Build function described in the Config interface. You can take a look at aesgcm/config.go for an example on implementing this.

The method

The heart of your method is... well, your method. It has the Encrypt() and Decrypt() methods, which should perform the named tasks. If no decryption key is available, the method should refuse to decrypt data. The method should under no circumstances pass through unencrypted data if it fails to decrypt the data.