Terraform state file on-premises: secret protection

Whilst Vault can be used to serve secrets to Terraform for IaC, I understand that the Terraform state file still holds secrets as plain text. In a cloud environment, e.g. AWS, there is a recommendation to hold the state file encrypted at rest on S3 storage. However, I haven't been able to find guidance on how to manage the state file securely when running Vault and Terraform in an entirely on-premises environment, i.e. with no cloud filesystem available, other than maybe storing secrets as envars. My concern would be exposing secrets using the Terraform vSphere Provider. Are there recommendations for on-premises encryption at rest, access controls, or short-leased accounts to mitigate the risk? When I have discussed this with potential adopters, I don't have a good story to tell. I like the product; I just need assurance that it can be implemented securely.
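The post's premise is that a Terraform state file carries secrets in plain text. The following audit script, added here as an example and not part of the original post or of any HashiCorp tooling, makes that concrete: it parses a state file in Terraform's JSON state format (version 4) and reports every output flagged `sensitive` and every resource attribute that Terraform listed in `sensitive_attributes` or whose key name looks like a credential. The `SAMPLE_STATE` document, its `vsphere_virtual_machine.web` resource, its attribute values and the `sensitive_attributes` marking are all constructed for this example; the `find_plaintext_secrets` helper and `CREDENTIAL_NAME` pattern are mine. The report gives only the location and length of each value, never the value itself, so it can be run against a real state file (for example before deciding where that file may be stored on-premises) without the report becoming a second copy of the secrets.

```python
"""Audit a Terraform state file for secrets stored in plaintext.

Added example, not from the original post or from Terraform/Vault.
Parses Terraform JSON state (format version 4) and reports outputs
flagged "sensitive" and resource attributes that are either listed in
"sensitive_attributes" or have a credential-looking key name.
Values are never printed, only their location and length.
"""
import json
import re

# Constructed sample state, shaped like what a vSphere provider run leaves
# behind. Names, values and the sensitive marking are all made up here.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "vm_ip": {"value": "10.0.0.5", "type": "string"},
        "admin_password": {"value": "S3cr3t!", "type": "string", "sensitive": True},
    },
    "resources": [
        {
            "mode": "managed",
            "type": "vsphere_virtual_machine",
            "name": "web",
            "provider": "provider[\"registry.terraform.io/hashicorp/vsphere\"]",
            "instances": [{
                "schema_version": 3,
                "attributes": {
                    "name": "web-01",
                    "num_cpus": 2,
                    "clone": [{"customize": [{"linux_options": [{"host_name": "web-01"}]}]}],
                    "extra_config": {"guestinfo.api_token": "tok_ABC123"},
                    "custom_attributes": {},
                },
                # Path steps as Terraform records them for sensitive values.
                "sensitive_attributes": [[{"type": "get_attr", "value": "extra_config"}]],
            }],
        },
    ],
})

# Heuristic for attribute names that usually carry credentials.
CREDENTIAL_NAME = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)


def _walk(value, path):
    """Yield (path, leaf) for every scalar in a nested attribute tree."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, path + [k])
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, path + [str(i)])
    else:
        yield path, value


def find_plaintext_secrets(state_json):
    """Return a list of (location, length) for secrets present in the state.

    A secret is anything Terraform itself marked sensitive (outputs with
    "sensitive": true, top-level attributes named in "sensitive_attributes")
    plus any string attribute whose key path contains a credential-like name.
    """
    state = json.loads(state_json)
    findings = []

    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value") not in (None, ""):
            findings.append((f"output.{name}", len(str(out["value"]))))

    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for idx, inst in enumerate(res.get("instances", [])):
            # Top-level attribute names Terraform marked sensitive for this instance.
            marked = {
                steps[0]["value"]
                for steps in inst.get("sensitive_attributes", [])
                if steps and steps[0].get("type") == "get_attr"
            }
            for path, leaf in _walk(inst.get("attributes", {}), []):
                if not isinstance(leaf, str) or leaf == "":
                    continue
                if path[0] in marked or any(CREDENTIAL_NAME.search(p) for p in path):
                    findings.append((f"{address}[{idx}].{'.'.join(path)}", len(leaf)))
    return findings


if __name__ == "__main__":
    for location, length in find_plaintext_secrets(SAMPLE_STATE):
        print(f"plaintext secret at {location} ({length} chars)")
```

Run against a real `terraform.tfstate` by replacing `SAMPLE_STATE` with the file's contents; every line the script reports is a value that will be readable by anyone who can read the state file, which is the risk any on-premises storage choice (filesystem permissions, full-disk or file-level encryption, a backend with access controls) has to cover.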