Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Tutorials
    • All tutorials
    • Differentiation of access permissions for user groups
    • Inviting a new user and assigning roles
    • Creating an L7 load balancer with a Smart Web Security profile through an Application Load Balancer ingress controller
    • Creating a distributed infrastructure with secure access
    • Centralized online publication and DDoS protection of applications
    • Basic SWS setup
    • Emergency L7 DDoS protection in Application Load Balancer
    • Delivering logs from a VM instance to Cloud Logging
    • Writing load balancer logs to PostgreSQL
    • Secure storage of GitLab CI passwords as Yandex Lockbox secrets
    • Service account with an OS Login profile for VM management via Ansible
    • Transferring logs from Container Optimized Image to Cloud Logging
    • Adding an HTML page for SmartCaptcha
    • Configuring alerts and dashboards in Monitoring
    • Uploading audit logs to Splunk SIEM
    • Uploading audit logs to ArcSight SIEM
    • Server-side encryption for an Object Storage bucket
    • Encrypting secrets in Hashicorp Terraform
    • Managing KMS keys with Hashicorp Terraform
    • Auto Unseal in Hashicorp Vault
    • Transferring a Yandex MPP Analytics for PostgreSQL cluster's logs to Yandex Cloud Logging
    • Obtaining the information you need to request the Russian Ministry of Digital Development to whitelist a resource
    • Uploading objects into an Object Storage bucket using an ephemeral access key

In this article:

  • Recommendations for safely storing secret data
  • Useful links
  1. Security
  2. Encrypting secrets in Hashicorp Terraform

Encrypting secrets in Hashicorp Terraform

Written by
Yandex Cloud
Updated at July 8, 2026
View in Markdown
  • Recommendations for safely storing secret data
  • Useful links

To encrypt data:

  1. In the configuration file, describe the parameters of the yandex_kms_secret_ciphertext resource and specify the KMS key in the key_id field:

    resource "yandex_kms_secret_ciphertext" "password" {
      key_id      = "<key_ID>"
      aad_context = "additional authenticated data"
      plaintext   = "strong password"
    }
    

    Where:

    • key_id: KMS key ID.
    • aad_context: AAD context.
    • plaintext: String to encrypt.

    Warning

    With yandex_kms_secret_ciphertext, you can hide secrets when deploying an infrastructure, but generally speaking it is unsafe to specify plaintext and aad_context in the configuration file in plain text. Secrets can be read from configuration files or execution logs and can end up in the Terraform state.

    For more information about resource properties in Terraform, see this provider guide.

  2. Validate your configuration using this command:

    terraform validate
    

    If the configuration is valid, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

  4. Apply the configuration changes:

    terraform apply
    
  5. Type yes and press Enter to confirm the changes.

    After this, you can access the ciphertext through the ciphertext variable, and the encrypted data, through plaintext.

    For verification, you can add the following code with the decrypted_pass output variable to the configuration file.

    Alert

    This is not safe and can only be used for testing.

    output "decrypted_pass" {
      sensitive = true
      value     = yandex_kms_secret_ciphertext.password.plaintext
    }
    

    After updating the configuration, you can check the encrypted data using the command:

    terraform output decrypted_pass
    

    Result:

    "strong password"
    

Recommendations for safely storing secret dataRecommendations for safely storing secret data

  • Do not explicitly specify the secret values in the configuration file. Read them from a storage with restricted access (e.g., a secret storage).
  • Consider storing the Terraform state remotely.

Useful linksUseful links

  • Getting started with Terraform in Yandex Cloud.
  • Yandex Cloud provider documentation.
  • Sensitive Data in State.
  • Encrypting data using the Yandex Cloud CLI and API.
  • Auto Unseal in Hashicorp Vault

Was the article helpful?

Previous
Server-side encryption for an Object Storage bucket
Next
Managing KMS keys with Hashicorp Terraform
© 2026 Direct Cursus Technology L.L.C.