As a user of OpenTofu, how can I programmatically determine which key is currently used for encryption of something that tofu is encrypting? It seems like whether or not an apply has been run will determine this.
Thank you for the question @yousifakbar. For encryption, OpenTofu will always use the method you specified in the target block, such as statefile{}, planfile{}, etc. It will never use the fallback block for encryption, only for decryption. The method itself is then linked to a key provider, so your key provider is where you control which key to use. In practice, that will either be a passphrase provider or a KMS system.
Do you want a quick overview? Here's the short version: th-cam.com/users/shortsYEn2wGhhkbI
As a user of OpenTofu, how can I programmatically determine which key is currently used for encryption of something that tofu is encrypting? It seems like whether or not an apply has been run will determine this.
Thank you for the question @yousifakbar. For encryption, OpenTofu will always use the method you specified in the target block, such as statefile{}, planfile{}, etc. It will never use the fallback block for encryption, only for decryption. The method itself is then linked to a key provider, so your key provider is where you control which key to use. In practice, that will either be a passphrase provider or a KMS system.