Data Security
HCP Terraform takes the security of the data it manages seriously. This table lists which parts of the HCP Terraform and Terraform Enterprise app can contain sensitive data, what storage is used, and what encryption is used.
HCP Terraform and Terraform Enterprise
| Object | Storage | Encrypted |
|---|---|---|
| Terraform Configuration (VCS data) | Blob Storage | Vault Transit Encryption |
| Private Registry Modules | Blob Storage | Vault Transit Encryption |
| Sentinel Policies | PostgreSQL | Vault Transit Encryption |
| Terraform/Environment Variables | PostgreSQL | Vault Transit Encryption |
| Terraform/Provider Credentials | PostgreSQL | Vault Transit Encryption |
| Terraform State File | Blob Storage | Vault Transit Encryption |
| Terraform Plan Result | Blob Storage | Vault Transit Encryption |
| Terraform Audit Trails | PostgreSQL | No |
| Organization/Workspace/Team Settings | PostgreSQL | No |
HCP Terraform and Terraform Enterprise Secrets
| Object | Storage | Encrypted |
|---|---|---|
| Account Password | PostgreSQL | bcrypt |
| 2FA Recovery Codes | PostgreSQL | Vault Transit Encryption |
| SSH Keys | PostgreSQL | Vault Transit Encryption |
| User/Team/Organization Tokens | PostgreSQL | HMAC SHA512 |
| OAuth Client ID + Secret | PostgreSQL | Vault Transit Encryption |
| OAuth User Tokens | PostgreSQL | Vault Transit Encryption |
HCP Terraform Specific
| Object | Storage | Encrypted |
|---|---|---|
| Cloud Data Backups | Amazon S3 | SSE-S3 |
| Cloud Copy of Backups for DR | Amazon S3 | SSE-S3 |
Please see HashiCorp Cloud subprocessors for third-parties engaged by HashiCorp to deliver cloud services.
Terraform Enterprise Specific
| Object | Storage | Encrypted |
|---|---|---|
| Twilio Account Configuration | PostgreSQL | Vault Transit Encryption |
| SMTP Configuration | PostgreSQL | Vault Transit Encryption |
| SAML Configuration | PostgreSQL | Vault Transit Encryption |
| Vault Unseal Key | PostgreSQL | ChaCha20+Poly1305 |
Vault Transit Encryption
The Vault Transit Secret Engine handles encryption for data in-transit and is used when encrypting data from the application to persistent storage.
Blob Storage Encryption
All objects persisted to blob storage are symmetrically encrypted prior to being written. Each object is encrypted with a unique encryption key. Objects are encrypted using 128 bit AES in CTR mode. The key material is processed through the Vault transit secret engine, which uses the default transit encryption cipher (AES-GCM with a 256-bit AES key and a 96-bit nonce), and stored alongside the object. This pattern is called envelope encryption.
The Vault transit secret engine's
datakey generation creates the encryption key material using bit material from the kernel's cryptographically secure pseudo-random
number generator (CSPRNG) as the context value. Blob storage encryption generates a unique key for each object and relies on envelope encryption, so Vault does not rotate the encryption key material for individual objects. The root encryption keys within the envelope encryption scheme are rotated automatically by HCP Terraform every 365 days. These keys are not automatically rotated within TFE.