Hold your own key (HYOK) lets you connect HCP Terraform to a key management system that you control, so that HCP Terraform encrypts your state and plan data with a key that you provide and control.
Note
Hold your own key is available on the HCP Terraform Premium edition. Refer to HCP Terraform pricing for details.
Terraform artifacts can contain sensitive information, such as resource IDs, IP addresses, credentials, and other configuration details that Terraform uses to manage infrastructure. HCP Terraform uses a HashiCorp-managed key to encrypt sensitive data such as state and plan files before storage.
For most users, the default level of security that HCP Terraform provides is sufficient. However, a consequence of default encryption is that HCP Terraform retains access to your Terraform artifacts. You cannot monitor or revoke HCP Terraform's access to those artifacts, which might not satisfy your compliance requirements.
Hold your own key (HYOK) gives you control over your sensitive data by letting you provide your own encryption key to safeguard that data. Hold your own key lets you configure HCP Terraform artifact encryption using a key from a key management system (KMS) that you control. Use hold your own key to retain control of the keys HCP Terraform uses to encrypt data in state and plan files, enhance your security, and meet your compliance requirements.
When you enable hold your own key, the HCP Terraform agent secures certain Terraform artifacts using your key before uploading those artifacts to HCP Terraform storage. To accomplish this, the HCP Terraform agent authenticates with your key management service, then encrypts the necessary artifacts. You can run the HCP Terraform agent on your own infrastructure, meaning that neither your key nor unencrypted secrets are ever uploaded to HCP Terraform, and no out-of-network traffic needs to connect to your key management service.
The artifacts that HCP Terraform agents encrypt with hold your own key are:
Hold your own key supports the following key management services:
To learn how to configure hold your own key for your organization, refer to Configure and manage keys.
Hold your own key also produces sanitized versions of artifacts which redact secrets from the artifacts it encrypts. Sanitized state and plan files let HCP Terraform continue running policy checks, run tasks, cost estimation, and assessments without accessing sensitive data.
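The sanitization described above, as an added example that is not part of the HCP Terraform documentation or of HashiCorp's implementation: it redacts the attributes that Terraform's own JSON plan output already marks as sensitive (a `true` leaf in `sensitive_values`, `before_sensitive` and `after_sensitive`, and the `sensitive` flag on outputs). Treating those markers as the definition of "secret" is an assumption for the sake of the example; the sample plan is constructed. Where the sensitivity marker does not match the shape of the value it describes, the example redacts the whole subtree rather than risk leaking it.

```python
"""Sanitize a Terraform JSON plan by redacting values the plan marks sensitive.

Added example; not HCP Terraform's sanitizer. Redaction follows the markers
Terraform itself emits in `terraform show -json` output: a `true` leaf in
`sensitive_values` / `after_sensitive` / `before_sensitive`, and the
`sensitive` flag on outputs. SAMPLE_PLAN below is a constructed input.
"""
import copy
import json

REDACTED = "<sensitive>"


def redact(values, sensitive):
    """Return a copy of `values` with every subtree marked in `sensitive` replaced.

    `sensitive` mirrors the shape of `values`: a literal True marks a sensitive
    subtree, a dict or list descends, and False (or an empty container) marks
    nothing sensitive. If the marker's shape does not match the value, the
    whole subtree is redacted (fail closed) rather than leaked.
    """
    if sensitive is True:
        return REDACTED
    if not sensitive:
        return copy.deepcopy(values)
    if isinstance(values, dict) and isinstance(sensitive, dict):
        return {k: redact(v, sensitive.get(k, False)) for k, v in values.items()}
    if isinstance(values, list) and isinstance(sensitive, list):
        return [redact(v, sensitive[i] if i < len(sensitive) else False)
                for i, v in enumerate(values)]
    return REDACTED


def _sanitize_module(module):
    """Redact resource attributes in a planned_values module and its children."""
    for res in module.get("resources", []):
        res["values"] = redact(res.get("values", {}), res.get("sensitive_values", {}))
    for child in module.get("child_modules", []):
        _sanitize_module(child)


def sanitize_plan(plan):
    """Return a sanitized deep copy of a JSON plan; the input is left untouched."""
    out = copy.deepcopy(plan)
    planned = out.get("planned_values", {})
    _sanitize_module(planned.get("root_module", {}))
    for output in planned.get("outputs", {}).values():
        if output.get("sensitive"):
            output["value"] = REDACTED
    for rc in out.get("resource_changes", []):
        change = rc.get("change", {})
        for side in ("before", "after"):
            if change.get(side) is not None:
                change[side] = redact(change[side], change.get(side + "_sensitive", {}))
    return out


def leaks(obj, secret):
    """True if the literal `secret` appears anywhere in the serialized object."""
    return secret in json.dumps(obj)


# Constructed sample plan: two secrets ("hunter2", "s3cr3t-api-key") appear in
# outputs, planned resource values, a child module and resource_changes.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "outputs": {
            "db_endpoint": {"sensitive": False, "value": "db.internal:5432"},
            "db_password": {"sensitive": True, "value": "hunter2"},
        },
        "root_module": {
            "resources": [{
                "address": "aws_db_instance.main",
                "values": {"identifier": "main", "password": "hunter2",
                           "tags": {"team": "platform"}},
                "sensitive_values": {"password": True, "tags": {}},
            }],
            "child_modules": [{
                "address": "module.app",
                "resources": [{
                    "address": "module.app.random_password.api_key",
                    "values": {"length": 32, "result": "s3cr3t-api-key"},
                    "sensitive_values": {"result": True},
                }],
            }],
        },
    },
    "resource_changes": [{
        "address": "aws_db_instance.main",
        "change": {"actions": ["create"], "before": None,
                   "after": {"identifier": "main", "password": "hunter2"},
                   "before_sensitive": False, "after_sensitive": {"password": True}},
    }],
}

if __name__ == "__main__":
    print(json.dumps(sanitize_plan(SAMPLE_PLAN), indent=2))
```

Run the module directly to print the sanitized plan; the non-sensitive attributes (resource identifiers, tags, the endpoint output) survive, which is what lets downstream checks such as policy evaluation and cost estimation still operate on the artifact.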
Refer to Hold your own key concepts to learn more about how HYOK encryption and decryption work.
To create a key configuration for hold your own key, you must perform the following steps:
Configure your KMS
Begin by configuring your KMS to accept OIDC requests from HCP Terraform. Then, set up your key and grant the necessary roles and permissions in your KMS. Specific configuration instructions differ between cloud providers.
Configure the key in HCP Terraform
After configuring your KMS with the trust relationship and creating a key, you can create an HYOK configuration for your HCP Terraform organization.
An HYOK configuration in HCP Terraform configures the following:
After you configure a key, HCP Terraform automatically tests the connection to your KMS to ensure that it can use the key to secure your data.
Enable HYOK on your workspaces
Note
If you enable hold your own key encryption for a workspace, you cannot disable that encryption.
After setting up a key configuration in HCP Terraform, you can enable hold your own key encryption on your workspaces.
Choose one configuration to act as your primary configuration. HCP Terraform automatically uses the primary HYOK configuration to encrypt all sensitive Terraform artifacts for that workspace.
Refer to Hold your own key concepts to learn more about the details of encryption and decryption.