
HCP Terraform introduces Hold Your Own Key (HYOK)

HCP Terraform customers can now gain greater control over access to secrets within Terraform artifacts such as state and plan files with Hold Your Own Key (HYOK).

We are excited to announce the general availability of Hold Your Own Key (HYOK), a new feature that gives enterprises enhanced control over sensitive data stored in HCP Terraform. HYOK helps organizations secure secrets in Terraform artifacts such as state files and plan files, and ensures that sensitive data is encrypted with encryption keys managed by the customer. This new capability offers organizations a greater sense of security and ownership over their data, helping to meet compliance needs as they transition infrastructure to the cloud.

Secrets access in Terraform

As customers migrate infrastructure to the cloud, there is a growing demand for increased control over secrets access. Secrets are sensitive, discrete pieces of information such as credentials, encryption keys, authentication certificates, and other critical pieces of information your applications need to run consistently and securely. While Terraform already provides a strong foundation by standardizing infrastructure security best practices, we stay committed to continuously improving our security features to help our customers meet the increasing demands of hybrid-cloud environments.

In Terraform, an artifact refers to a file generated as part of the infrastructure provisioning process. Two of the most common are state files and plan files, which are both used to store crucial information about your managed infrastructure. These files help Terraform map real-world resources to your configuration, keep track of metadata, and improve performance for large infrastructure estates.

However, since Terraform artifacts can also contain sensitive information such as secrets in plaintext format, they can introduce both internal and external risks, causing apprehension among security teams. While Terraform artifacts are encrypted by default, customers sought additional control over this encryption, particularly those with stringent compliance needs. These concerns called for a new approach to handling these sensitive artifacts to help customers ensure they are secure before they are uploaded to HCP Terraform.

Introducing Hold Your Own Key (HYOK)

Hold Your Own Key (HYOK) is a security principle that gives organizations ownership of the encryption keys used to access their sensitive data. With HYOK, organizations can take ownership over secret access by securing and encrypting Terraform artifacts before they are uploaded to HCP Terraform.

To achieve this, the HYOK solution involves three main components:

  • HCP Terraform, which acts as the control plane on the public internet
  • A Key Management Service (KMS), which houses the encryption key in the private network. Supported KMS providers include Vault Enterprise, AWS KMS, Azure Key Vault, and Google Cloud KMS
  • The HCP Terraform agent pool, which ensures exclusive execution of operations within the private network

Once a customer configures HYOK at the organizational level, every Terraform operation within that organization will require the encryption process. For example, if a customer uses Vault as their KMS, this process would:

  • Obtain temporary access to the encryption key through a workload identity token
  • Exchange the token for short-lived Vault credentials
  • Use temporary Vault credentials to secure Terraform artifacts with a key stored in Vault, using the Vault Transit Secrets engine

The HYOK process will produce two files:

  • A standard state or plan file that is encrypted using the acquired encryption key
  • A sanitized state or plan file with the sensitive values redacted and the metadata stored within HCP Terraform
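To make the three steps and the two resulting files concrete, here is an added Python model of the flow (example code written for this post, not HashiCorp's agent implementation). The Vault paths auth/jwt/login and transit/encrypt/<key> are real Vault API endpoints; the post transport, the offline fake_vault_post stand-in, the role name, the key name and the sample state are assumptions.

```python
import base64
import json
from typing import Callable, Optional

# Assumed transport (not a HashiCorp API): post(path, body, token) -> JSON reply from POST /v1/<path>.
Post = Callable[[str, dict, Optional[str]], dict]
REDACTED = "<redacted-by-hyok>"

# Constructed Terraform state fragment; 'sensitive_attributes' follows Terraform's path shape.
SAMPLE_STATE = {
    "version": 4,
    "resources": [{"type": "aws_db_instance", "name": "main", "instances": [{
        "attributes": {"id": "db-1", "username": "app", "password": "hunter2"},
        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
    }]}],
}

def fake_vault_post(path: str, body: dict, token: Optional[str]) -> dict:
    """Offline stand-in for Vault so the example runs without a server (assumption)."""
    if path == "auth/jwt/login" and body.get("jwt"):
        return {"auth": {"client_token": "hvs.short-lived-token"}}
    if path.startswith("transit/encrypt/") and token == "hvs.short-lived-token":
        return {"data": {"ciphertext": "vault:v1:" + body["plaintext"][::-1]}}
    raise PermissionError(f"denied: {path}")

def exchange_workload_identity(post: Post, role: str, workload_jwt: str) -> str:
    """Steps 1-2: trade the workload identity token for a short-lived Vault token via JWT auth."""
    return post("auth/jwt/login", {"role": role, "jwt": workload_jwt}, None)["auth"]["client_token"]

def encrypt_artifact(post: Post, token: str, key_name: str, artifact: bytes) -> str:
    """Step 3: Transit encrypts without ever releasing the key; Vault returns 'vault:v<N>:...'."""
    plaintext = base64.b64encode(artifact).decode()
    return post(f"transit/encrypt/{key_name}", {"plaintext": plaintext}, token)["data"]["ciphertext"]

def sanitize_state(state: dict) -> dict:
    """Second output: a copy in which every attribute listed in sensitive_attributes is redacted."""
    clean = json.loads(json.dumps(state))  # deep copy; the untouched original is what gets encrypted
    for resource in clean.get("resources", []):
        for inst in resource.get("instances", []):
            for path in inst.get("sensitive_attributes", []):
                step = path[0] if path else {}
                if step.get("type") == "get_attr" and step["value"] in inst.get("attributes", {}):
                    inst["attributes"][step["value"]] = REDACTED
    return clean

def hyok_protect(post: Post, role: str, workload_jwt: str, key_name: str, state: dict) -> tuple:
    """Full flow: (ciphertext kept under the customer's key, sanitized state sent to HCP Terraform)."""
    token = exchange_workload_identity(post, role, workload_jwt)
    raw = json.dumps(state, separators=(",", ":")).encode()
    return encrypt_artifact(post, token, key_name, raw), sanitize_state(state)
```

The redacted copy keeps every non-sensitive attribute, which is what lets operators retain visibility of the state without the plaintext secret.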

This new control over state encryption means users can retain complete visibility of the state or plan file without any plaintext secrets that could potentially introduce risk.

Figure: HYOK Encryption dashboard. Manage key configurations in the HYOK encryption tab.

Getting started

Hold Your Own Key (HYOK) is now available in HCP Terraform. Refer to the HYOK documentation to take ownership of state and plan file encryption today.

Note: HYOK is available for Premium tier customers. Please contact your account team for help on getting started. For more details on which offering is best for you, check out our Terraform pricing page.

If you are currently using Terraform Community Edition or are completely new to Terraform, try HCP Terraform for free today.
