Subscribe to the Non-Human & AI Identity Journal

Why do OpenTofu workflows create secrets risk even when state is encrypted?

Because encryption at rest does not remove exposure during planning, applying, or logging. Secrets can still appear in variables, environment values, provider calls, and memory while the run executes, so the real control objective is to prevent persistent secret copies from forming in the first place.

Why This Matters for Security Teams

OpenTofu state encryption is necessary, but it is not sufficient. The risk is not only the state file at rest; it is everything that happens during plan, apply, refresh, and logging, where secrets may pass through variables, provider arguments, environment values, and process memory. That means a workflow can still leak sensitive material even when the backend is encrypted and access is restricted. For teams managing infrastructure at scale, the real control objective is to avoid creating persistent secret copies at all.

This is why secrets handling in infrastructure as code belongs in the same conversation as OWASP Non-Human Identity Top 10 and secret sprawl research. NHIMG’s Guide to the Secret Sprawl Challenge treats sprawl as an identity problem, not just a storage problem, because every copied token or credential becomes another NHI that must be governed, rotated, and revoked.

Akeyless’ 2024 survey found that 88% of security professionals are concerned about secrets sprawl, which matches what practitioners see when IaC workflows are allowed to materialise credentials during automation. In practice, many security teams discover this only after a pipeline log, plan artifact, or failed apply has already exposed the secret, rather than through intentional design.

How It Works in Practice

In an OpenTofu workflow, encryption protects the state backend, but it does not change how the workflow executes. If a secret is passed as an input variable, fetched by a provider, or exported into the environment, it can appear in plain form before it ever reaches encrypted state. Even when the state file redacts output values, other artefacts may still capture the secret: debug logs, exception traces, CI job output, shell history, cached plan files, and ephemeral runner memory.

The practical control pattern is to minimise secret residency during execution. That usually means using short-lived credentials, external secret brokers, and data sources that resolve values at runtime rather than hardcoding them in configuration. NHIMG’s Ultimate Guide to NHIs – Static vs Dynamic Secrets is useful here because it separates long-lived secret storage from runtime-issued credentials. Pair that approach with guidance from the NIST Cybersecurity Framework 2.0, especially around protection, detection, and recovery.

  • Pass references to secrets, not the secret value itself, wherever possible.
  • Use ephemeral credentials with tight TTLs for provider authentication.
  • Disable verbose logging in CI/CD unless securely sanitised.
  • Scan plan output, artifacts, and remote runner logs for leaked sensitive fields.
  • Separate build-time variables from deployment-time secrets to reduce accidental persistence.

For higher-risk environments, organisations increasingly combine workload identity, policy-as-code, and JIT secret issuance so the pipeline can prove who it is and receive only the minimum credential needed for the current operation. These controls tend to break down when teams rely on shared runners, unconstrained provider debugging, or reusable modules that implicitly echo sensitive values into logs and plan artifacts.

Common Variations and Edge Cases

Tighter secret controls often increase pipeline complexity, requiring organisations to balance developer speed against reduced exposure. That tradeoff is especially visible in legacy OpenTofu estates, where modules were written to accept static secrets because the surrounding platform lacked a secret broker or workload identity layer.

There is no universal standard for this yet, but current guidance suggests treating any value that can be printed, interpolated, or cached during execution as exposed unless proven otherwise. This matters most in CI systems with remote execution, because runners may persist workspace files, capture stdout by default, or reuse caches across jobs. It also matters in multi-provider workflows, where a secret can be transformed several times before it ever touches state.

NHIMG’s CI/CD pipeline exploitation case study is a strong reminder that the pipeline itself is part of the attack surface, not just the state backend. For teams prioritising remediation, the first step is usually to eliminate static credentials from variables and move sensitive lookups behind runtime controls, then validate whether the workflow still emits secrets anywhere else.

That distinction becomes critical in monorepos, shared runners, and multi-tenant automation platforms, where one workflow’s verbose output can become another team’s incident.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Addresses overexposed and long-lived non-human credentials in automation.
NIST CSF 2.0 PR.DS-1 Covers protection of data at rest and during handling in workflows.
NIST AI RMF Useful where automation and runtime behavior require ongoing risk treatment.

Replace static workflow secrets with short-lived, narrowly scoped credentials and rotate anything exposed in execution paths.