© 2025 Direct Cursus Technology L.L.C.

Encrypting secrets in Hashicorp Terraform

Written by
Yandex Cloud
Updated at March 31, 2025
  • Recommendations for safely storing secret data
  • See also

To encrypt data:

  1. In the configuration file, describe the parameters of the yandex_kms_secret_ciphertext resource and specify the KMS key in the key_id field:

    resource "yandex_kms_secret_ciphertext" "password" {
      key_id      = "<key_ID>"
      aad_context = "additional authenticated data"
      plaintext   = "strong password"
    }
    

    Where:

    • key_id: ID of the KMS key used for encryption.
    • aad_context: Additional authenticated data (AAD context). This string is authenticated together with the ciphertext but is not itself encrypted, and the same value must be supplied to decrypt the data.
    • plaintext: String to be encrypted.

    Warning

    yandex_kms_secret_ciphertext lets you avoid exposing secrets when deploying an infrastructure. However, openly specifying plaintext and aad_context in the configuration file is generally not safe: the secrets can be read from the configuration file or the execution logs, and they end up in the Terraform state.

    For more information about resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    The ciphertext is then available via the ciphertext attribute of the resource, and the data that was encrypted via its plaintext attribute.

    To check the result, you can add the following decrypted_pass output variable to the configuration file.

    Alert

    This exposes the secret in plain text and is not safe; use it for testing only.

    output "decrypted_pass" {
      sensitive = true
      value     = yandex_kms_secret_ciphertext.password.plaintext
    }
    

    After updating the configuration, you can read back the value that was encrypted with this command:

    terraform output decrypted_pass
    

    Result:

    "strong password"
    

Recommendations for safely storing secret data

  • Do not explicitly specify the secret values in the configuration file. Read them from a storage with restricted access (e.g., a secret storage).
  • Consider storing the Terraform state remotely.
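
A complete configuration that follows both recommendations above, as an added example that is not part of this article or of the Yandex Cloud provider's own code: the password comes from a sensitive input variable supplied at run time (for example through the TF_VAR_db_password environment variable) instead of a literal in the file, and only the ciphertext is exported. The resource fields key_id, aad_context, plaintext and ciphertext are the ones described in the steps above; the variable names, the validation rule and the AAD string are assumptions chosen for this example.

```hcl
# Added example (not from the Yandex Cloud article): the same
# yandex_kms_secret_ciphertext resource as in the tutorial, but the secret
# never appears as a literal in the configuration file.

terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

# The KMS key ID is not a secret, but keeping it out of the file makes the
# configuration reusable across environments.
variable "kms_key_id" {
  type        = string
  description = "ID of the KMS symmetric key used for encryption"
}

# No default: Terraform refuses to plan until a value is supplied, for
# example via TF_VAR_db_password or a -var-file excluded from version control.
# sensitive = true redacts the value in plan and apply output and in logs.
variable "db_password" {
  type        = string
  description = "Password to encrypt; supplied at run time, never committed"
  sensitive   = true

  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters long."
  }
}

resource "yandex_kms_secret_ciphertext" "db_password" {
  key_id = var.kms_key_id

  # AAD is authenticated, not encrypted: binding the ciphertext to its purpose
  # means it cannot be quietly decrypted under a different context.
  aad_context = "db-password/prod" # hypothetical context string

  plaintext = var.db_password
}

# Only the ciphertext is exported. It is useless without the KMS key, but it
# is still marked sensitive so that a bare `terraform output` does not print
# it; `terraform output db_password_ciphertext` shows it on request.
output "db_password_ciphertext" {
  value     = yandex_kms_secret_ciphertext.db_password.ciphertext
  sensitive = true
}
```

Run it with the value taken from your secret store, for example TF_VAR_db_password="$(...)" terraform apply, rather than typing the password into a shell that keeps history. Marking the variable sensitive only redacts it from plan and apply output; the plaintext attribute is still written to the Terraform state, which is why the state should live in a remote backend with restricted access rather than in a local terraform.tfstate file.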

See also

  • Getting started with Terraform in Yandex Cloud.
  • Yandex Cloud provider documentation.
  • Sensitive Data in State.
  • Encrypting data using the Yandex Cloud CLI and API.
  • Auto Unseal in Hashicorp Vault.
