OpenTofu 1.10 Released: Encrypted State Files by Default

The OpenTofu project has released version 1.10, continuing to differentiate itself from HashiCorp's Terraform with community-driven features.

Encrypted State by Default

New projects now generate state files encrypted with AES-256-GCM, with keys sourced from HashiCorp Vault, AWS KMS, GCP KMS, Azure Key Vault, or a local keyring. Encryption metadata is stored alongside ciphertext, enabling seamless key rotation.
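The rotation property described above, sketched in Go as an added example: it is not OpenTofu's code or its on-disk state format. The `Envelope` layout, the key IDs and the function names are assumptions made for illustration, and the key map stands in for a Vault or KMS lookup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Envelope struct { // hypothetical layout, NOT OpenTofu's real state format
	KeyID     string // names the sealing key; authenticated as GCM additional data
	Nonce, CT []byte
}

func aeadFor(keys map[string][]byte, id string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keys[id])
	if err != nil || len(keys[id]) != 32 { // unknown ID, or not an AES-256 key
		return nil, fmt.Errorf("key %q: need a 32-byte key", id)
	}
	return cipher.NewGCM(block)
}

func Seal(keys map[string][]byte, id string, state []byte) (Envelope, error) {
	aead, err := aeadFor(keys, id)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every write
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{id, nonce, aead.Seal(nil, nonce, state, []byte(id))}, nil
}

// Open selects the key named in the envelope, so old and new keys coexist.
func Open(keys map[string][]byte, e Envelope) ([]byte, error) {
	aead, err := aeadFor(keys, e.KeyID)
	if err != nil || len(e.Nonce) != aead.NonceSize() { // Open panics on a bad nonce size
		return nil, fmt.Errorf("envelope for key %q is unusable", e.KeyID)
	}
	return aead.Open(nil, e.Nonce, e.CT, []byte(e.KeyID))
}

func Rotate(keys map[string][]byte, newID string, e Envelope) (Envelope, error) {
	state, err := Open(keys, e) // the old key is found from e.KeyID, not passed in
	if err != nil {
		return Envelope{}, err
	}
	return Seal(keys, newID, state)
}
```

Because the key ID is bound as additional authenticated data, relabelling an envelope with a different key ID fails authentication even when the key bytes are identical.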

Backwards-Compatible Migration

Existing projects can opt in via terraform { encryption { state { enforced = true } } }. OpenTofu transparently reads legacy plaintext state and writes encrypted state going forward — no breaking change for CI/CD pipelines.

Provider Lock File Signing

The .terraform.lock.hcl file now supports Sigstore-based signatures, allowing teams to verify that provider binaries haven't been tampered with in air-gapped or supply-chain-conscious environments.

OpenTofu 1.10 is a drop-in replacement for Terraform 1.9 configurations.

Dargslan Editorial Team (Dargslan)