In this guide, we show you how to use the Onboardbase CLI to secure your Terraform state files.


The Onboardbase CLI can simplify the management of Terraform state files and provide secure encryption and decryption functionality.

This documentation will guide you through the usage of the onboardbase tf command, which is used to manage Terraform state files and their encryption.


Before using the Onboardbase CLI, make sure you have it installed. You can follow the steps here to install the CLI.

onboardbase tf Command

The onboardbase tf command is used for managing Terraform state files and provides encryption and decryption capabilities. It supports the following options:

Encrypting a Terraform State File

You can use the onboardbase tf:encrypt command to encrypt a Terraform state file with a specified encryption key.

onboardbase tf:encrypt --enc-key "your encryption key" --file "path to your terraform.tfstate file"
  • --enc-key (Optional): Specify the encryption key you want to use to encrypt the Terraform state file. If a value is not passed, the CLI defaults to using your device fingerprint to encrypt the file, meaning only your device can encrypt and decrypt the TF state content.
  • --file (Optional): Specify the path to the Terraform state file you want to encrypt. If this option is not provided, the CLI defaults to the standard name of Terraform state files, which is terraform.tfstate.

Decrypting a Terraform State File

You can use the onboardbase tf:decrypt command to decrypt a Terraform state file with a given encryption key. This command also allows you to specify a custom Terraform command to run.

onboardbase tf:decrypt --enc-key "The encryption key you used to encrypt your tfstate file" --file "path to encrypted terraform.tfstate file" -- "Your Terraform command"
  • --enc-key (Optional): Specify the encryption key used to encrypt the Terraform state file. If you encrypted the file with a key other than the default, provide it here.
  • --file (Optional): Specify the path to the Terraform state file you want to decrypt. If this option is not provided, the CLI defaults to terraform.tfstate.
  • Terraform Command: You can include a Terraform command to run after decrypting the state file. This can be any valid Terraform command.

Using Standard Input (stdin)

The onboardbase tf command supports reading from standard input (stdin). This is particularly useful when working with external sources, such as encrypted URLs.

In the example below, the URL points to a Terraform state file that is already encrypted:

curl -s https://onboardbase-cli.fra1.digitaloceanspaces.com/terraform.tfstate | onboardbase tf --enc-key "your encryption key" --file "-"
  • To read from stdin, use - as the value for the --file argument. This instructs the CLI to read from standard input.

External Encrypted URL

When you pass an external encrypted URL to the onboardbase tf command, the CLI performs the following actions:

  1. It decrypts the file from the external URL.
  2. It writes the decrypted file to the Terraform project.
  3. On exit, because the file is sourced from an external URL, it deletes the file from the external source, ensuring it remains secure.

Automatic Encryption and Decryption

The Onboardbase CLI automatically encrypts and decrypts the Terraform state file. When you use the onboardbase tf command, it decrypts the file for your use, and upon the exit of any command you run, it re-encrypts the file.

This automatic encryption and decryption feature ensures the security of your Terraform state content without requiring manual intervention.
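
To confirm that re-encryption actually happened after a command exits, you can scan the project for state files that are still readable. The script below is an added example, not part of the Onboardbase CLI. It assumes an encrypted file no longer parses as Terraform state JSON (this page does not describe the ciphertext format), and it also checks terraform.tfstate.backup, which Terraform's local backend writes next to the state file.

```python
import json
import os
import sys

# Top-level keys present in a Terraform state file (state format version 4).
STATE_KEYS = {"version", "terraform_version", "serial", "lineage"}
# File names written by the local backend; the .backup copy is easy to forget.
STATE_SUFFIXES = (".tfstate", ".tfstate.backup")


def is_plaintext_tfstate(data: bytes) -> bool:
    """Return True if data parses as unencrypted Terraform state JSON."""
    try:
        doc = json.loads(data.decode("utf-8"))
    except ValueError:
        # Covers invalid UTF-8 and invalid JSON: ciphertext or another format.
        return False
    return isinstance(doc, dict) and STATE_KEYS.issubset(doc)


def find_plaintext_states(root: str) -> list:
    """Walk root and return paths of state files that are still plaintext."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS data
        for name in filenames:
            if not name.endswith(STATE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_plaintext_tfstate(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable file: nothing to report
    return sorted(hits)


if __name__ == "__main__":
    # Exit status 1 lets a pre-commit hook or CI step block on a finding.
    exposed = find_plaintext_states(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in exposed:
        print(f"plaintext Terraform state: {path}")
    sys.exit(1 if exposed else 0)
```

Run it from the project root after an onboardbase tf command finishes; a non-zero exit status means at least one state file on disk is still unencrypted.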