• HashiCorp Developer

  • HashiCorp Cloud Platform
  • Terraform
  • Packer
  • Consul
  • Vault
  • Boundary
  • Nomad
  • Waypoint
  • Vagrant
Terraform
  • Install
  • Tutorials
    • About the Docs
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • CDK for Terraform
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
  • Registry(opens in new tab)
  • Try Cloud(opens in new tab)
  • Sign up
Terraform Home

Terraform Enterprise

Skip to main content
  • Terraform Enterprise

  • Overview
  • Operational Modes
  • Migrating to Terraform Enterprise
    • Overview
    • Architecture Summary
    • Reliability & Availability
    • Capacity & Performance
    • Security Model
    • Data Security
  • Support

  • Terraform Cloud Agents

  • Resources

  • Tutorial Library
  • Certifications
  • Community Forum
    (opens in new tab)
  • Support
    (opens in new tab)
  • GitHub
    (opens in new tab)
  • Terraform Registry
    (opens in new tab)
  1. Developer
  2. Terraform
  3. Terraform Enterprise
  4. System Architecture
  5. Data Security
  • Terraform Enterprise
  • v202212-2
  • v202212-1
  • v202211-1
  • v202210-1
  • v202209-2
  • v202209-1
  • v202208-3
  • v202208-2
  • v202208-1
  • v202207-2
  • v202207-1
  • v202206-1

»Data Security

Terraform Cloud takes the security of the data it manages seriously. This table lists which parts of the Terraform Cloud and Terraform Enterprise app can contain sensitive data, what storage is used, and what encryption is used.

Terraform Cloud and Enterprise

ObjectStorageEncrypted
Ingressed VCS DataBlob StorageVault Transit Encryption
Terraform Plan ResultBlob StorageVault Transit Encryption
Terraform StateBlob StorageVault Transit Encryption
Terraform LogsBlob StorageVault Transit Encryption
Terraform/Environment VariablesPostgreSQLVault Transit Encryption
Organization/Workspace/Team SettingsPostgreSQLNo
Account PasswordPostgreSQLbcrypt
2FA Recovery CodesPostgreSQLVault Transit Encryption
SSH KeysPostgreSQLVault Transit Encryption
User/Team/Organization TokensPostgreSQLHMAC SHA512
OAuth Client ID + SecretPostgreSQLVault Transit Encryption
OAuth User TokensPostgreSQLVault Transit Encryption

Terraform Enterprise Specific

ObjectStorageEncrypted
Twilio Account ConfigurationPostgreSQLVault Transit Encryption
SMTP ConfigurationPostgreSQLVault Transit Encryption
SAML ConfigurationPostgreSQLVault Transit Encryption
Vault Unseal KeyPostgreSQLChaCha20+Poly1305

Vault Transit Encryption

The Vault Transit Secret Engine handles encryption for data in-transit and is used when encrypting data from the application to persistent storage.

Blob Storage Encryption

All objects persisted to blob storage are symmetrically encrypted prior to being written. Each object is encrypted with a unique encryption key. Objects are encrypted using 128 bit AES in CTR mode. The key material is processed through the Vault transit secret engine, which uses the default transit encryption cipher (AES-GCM with a 256-bit AES key and a 96-bit nonce), and stored alongside the object. This pattern is called envelope encryption.

The Vault transit secret engine's datakey generation creates the encryption key material using bit material from the kernel's cryptographically secure pseudo-random number generator (CSPRNG) as the context value. Blob storage encryption generates a unique key for each object and relies on envelope encryption, so Vault does not rotate the encryption key material for individual objects. The root encryption keys within the envelope encryption scheme are rotated automatically by Terraform Cloud every 365 days. These keys are not automatically rotated within TFE.

Edit this page on GitHub

On this page

  1. Data Security
  2. Vault Transit Encryption
  3. Blob Storage Encryption
Give Feedback(opens in new tab)
  • Certifications
  • System Status
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
  • Trade Controls
  • Give Feedback(opens in new tab)