Store sensitive data in local state file

There is a use case in which sensitive data such as a password needs to be saved in a state file.
We are using plugin framework version 1.1.1 for the Terraform provider development.
The recommendation from HashiCorp is to use a remote backend for storing the state (State: Sensitive Data | Terraform | HashiCorp Developer).
Is there any way the Plugin framework/Terraform provides to store sensitive data in local state files? Thanks.

Hi @akashgs :wave:

Correct me if I’m wrong, but are you asking about whether it’s possible to have an encrypted state file when storing state locally? Whilst it is possible to do this, it is not recommended for the reasons described in Don’t Encrypt State. As mentioned in the docs you linked to, the suggested approach is to use a remote backend that will perform encryption at rest.

And what is that use case?

Hi @bendbennett I am asking if it’s possible to encrypt sensitive attributes while saving state locally. Does private state (Plugin Development - Framework: Private State Management | Terraform | HashiCorp Developer) help in this case?

@akashgs there was a recent issue opened on the local provider which asked a similar question but concerning redaction of a sensitive attribute in the state file.

The problems associated with encrypting sensitive attributes in a state file are analogous to those outlined in Don’t Encrypt State. If you need to encrypt some/all of the state file then the recommendation is to use a remote backend that supports encryption.

Using private state would obfuscate the data, in that it is base64 encoded in the state file, but it does not encrypt the data.

Like @maxb, I’m also interested to hear more about your use case.
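
The point about private state being base64 encoded rather than encrypted, as an added example that is not part of the original thread or of any provider's code: a short Go audit that recovers private-state values from a local state document with read access alone. The resource type `example_thing`, the key `db_password`, the sample value and the exact layout of the `private` field are assumptions made for the illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Trimmed view of a local state file; encoding/json matches keys case-insensitively.
type stateFile struct {
	Resources []struct {
		Type, Name string
		Instances  []struct{ Private string }
	}
}

// SampleState builds a constructed state document. Assumed layout: "private" is
// base64 of a JSON object whose []byte values are base64-encoded again by JSON.
func SampleState(key, value string) []byte {
	inner, _ := json.Marshal(map[string][]byte{key: []byte(value)})
	return []byte(fmt.Sprintf(`{"version":4,"resources":[{"type":"example_thing","name":"demo",`+
		`"instances":[{"private":%q}]}]}`, base64.StdEncoding.EncodeToString(inner)))
}

// DecodePrivate recovers every private-state value using only read access to the file.
func DecodePrivate(raw []byte) (map[string]string, error) {
	var s stateFile
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, r := range s.Resources {
		for _, inst := range r.Instances {
			blob, _ := base64.StdEncoding.DecodeString(inst.Private)
			var kv map[string][]byte // json.Unmarshal base64-decodes []byte values
			if json.Unmarshal(blob, &kv) != nil {
				continue // empty or differently shaped private data
			}
			for k, v := range kv {
				out[r.Type+"."+r.Name+"/"+k] = string(v)
			}
		}
	}
	return out, nil
}

func main() {
	found, _ := DecodePrivate(SampleState("db_password", `"constructed-secret"`))
	fmt.Println(found) // no key or passphrase was needed
}
```

A plain-text search of the sample state for the secret finds nothing, which is why the encoding can look like protection during a casual review even though it is fully reversible.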

Hi @bendbennett The attribute I am talking about is part of the resource schema, not the provider schema. To detect the configuration drift, it has to be part of the local state.