
# Encrypting secrets in Hashicorp Terraform

To encrypt data:

1. In the configuration file, describe the parameters of the `yandex_kms_secret_ciphertext` resource and specify the [KMS key](../concepts/key.md) in the `key_id` field:

   ```hcl
   resource "yandex_kms_secret_ciphertext" "password" {
     key_id      = "<key_ID>"
     aad_context = "additional authenticated data"
     plaintext   = "strong password"
   }
   ```

   Where:

   * `key_id`: KMS key ID.
   * `aad_context`: [AAD context](../concepts/symmetric-encryption.md#add-context) bound to the ciphertext.
   * `plaintext`: String to be encrypted.

   {% note warning %}

   `yandex_kms_secret_ciphertext` enables you to hide secrets when deploying an infrastructure. However, in general, it is not safe to openly specify the `plaintext` and `aad_context` in the configuration file. Secrets can be read from configuration files or execution logs and can end up in the Terraform state.

   {% endnote %}

   For more information about resource parameters in Terraform, see the [provider documentation](../../terraform/resources/kms_secret_ciphertext.md).

1. Check the configuration using this command:

   ```
   terraform validate
   ```

   If the configuration is correct, you will get this message:

   ```
   Success! The configuration is valid.
   ```

1. Run this command:

   ```
   terraform plan
   ```

   The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

1. Apply the configuration changes:

   ```
   terraform apply
   ```

1. Confirm the changes: type `yes` into the terminal and press **Enter**.

   The ciphertext can then be read from the resource's `ciphertext` attribute, and the original (decrypted) data from its `plaintext` attribute.

   To check, you can add the following code with the `decrypted_pass` output variable to the configuration file.

   {% note alert %}

   This is not safe and can only be used for testing.

   {% endnote %}

   ```hcl
   output "decrypted_pass" {
     sensitive = true
     value     = yandex_kms_secret_ciphertext.password.plaintext
   }
   ```

   After updating the configuration, you can check the encrypted data using the command:

   ```
   terraform output decrypted_pass
   ```

   Result:

   ```
   "strong password"
   ```


## Recommendations for safely storing secret data {#save-secret}

* Do not explicitly specify the secret values in the configuration file. Read them from a storage with restricted access (e.g., a secret storage).
* Consider [storing the Terraform state remotely](https://www.terraform.io/docs/state/sensitive-data.html).
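The following configuration is an added example, not part of the Yandex Cloud documentation or the provider's own code. It places the literal-secret pattern from the steps above next to a hardened form of the same resource in which the secret enters through a sensitive input variable supplied at run time. The variable names, the AAD string and the `<key_ID>` placeholder are assumptions.

```hcl
# Weak form (kept commented out): the secret and the AAD are literals in the
# .tf file, so they end up in version control, in plan/apply output and in
# the Terraform state.
#
# resource "yandex_kms_secret_ciphertext" "password" {
#   key_id      = "<key_ID>"
#   aad_context = "additional authenticated data"
#   plaintext   = "strong password"
# }

# Hardened form: the secret is never written into the configuration.
# Supply it at run time, e.g. TF_VAR_db_password="..." terraform apply,
# or from a secret store wired into your pipeline. `sensitive = true`
# makes Terraform redact the value in plan and apply output; the value is
# still recorded in the state file, so keep the state in a remote backend
# with restricted access.
variable "db_password" {
  type        = string
  sensitive   = true
  description = "Secret to encrypt; provided at run time, never in the .tf file"

  validation {
    condition     = length(var.db_password) >= 12
    error_message = "db_password must be at least 12 characters long."
  }
}

variable "kms_key_id" {
  type        = string
  description = "ID of the KMS symmetric key used for encryption (assumed to be passed in)"
}

resource "yandex_kms_secret_ciphertext" "db_password" {
  key_id = var.kms_key_id

  # The AAD context is not secret, but it binds the ciphertext to this
  # purpose: decrypting with a different AAD value fails.
  aad_context = "db-password:production"

  plaintext = var.db_password
}

# Expose only the ciphertext. The `plaintext` attribute should not be
# output outside of a test.
output "db_password_ciphertext" {
  value = yandex_kms_secret_ciphertext.db_password.ciphertext
}
```

Because `db_password` is marked sensitive, `terraform plan` prints `(sensitive value)` in its place, and any expression that derives from it (including the `plaintext` attribute) inherits that marking. Check the state file after `terraform apply` to confirm where the value still appears before deciding on a backend.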

## See also {#see-also}

* [Getting started with Terraform in Yandex Cloud](../../tutorials/infrastructure-management/terraform-quickstart.md).
* [Yandex Cloud provider documentation](../../terraform/index.md).
* [Sensitive Data in State](https://www.terraform.io/docs/state/sensitive-data.html).
* [Encrypting data using the Yandex Cloud CLI and API](../operations/symmetric-encryption.md).
* [Auto Unseal in Hashicorp Vault](vault-secret.md).