OpenTofu Error: 'decryption failed' — Cause, Fix, and Troubleshooting Guide
Fix OpenTofu state encryption 'Error: decryption failed' from wrong/rotated keys, missing key providers, or mismatched encryption config.
- #opentofu
- #iac
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
OpenTofu has native state and plan encryption — a feature distinct from Terraform. When enabled, state is encrypted at rest using a key provider (PBKDF2 passphrase, AWS KMS, GCP KMS, or OpenBao/Vault). If the key OpenTofu has cannot decrypt the stored state — wrong passphrase, rotated key, or missing key provider — it fails before it can read anything:
Error: decryption failed
Failed to decrypt the state file using method "aes_gcm" with key provider
"pbkdf2.mykey": cipher: message authentication failed.
This may indicate the encryption key or passphrase has changed, or the state
was encrypted with a different key provider than the one currently configured.
Symptoms
- Any
tofucommand fails withdecryption failed/cipher: message authentication failed. - The state (or plan) file is encrypted but the current key cannot open it.
- Happens after rotating a passphrase/KMS key without a fallback, or on a runner missing the key.
- CI fails while local works (the passphrase/KMS access differs).
Common Root Causes
- Wrong passphrase —
TF_VAR/env passphrase differs from the one that encrypted the state. - Rotated key without
fallback— the old key was removed before re-encrypting. - Missing key provider access — no permission on the KMS/Vault key on this runner.
- Config mismatch — encryption method/key_provider changed and no longer matches the ciphertext.
- Env var not set — the passphrase/key isn’t present in the environment at all.
How to diagnose
Confirm the encryption config and which key provider is active:
grep -nA12 'encryption' *.tf
Check the passphrase/key material is present in this environment:
env | grep -iE 'PASSPHRASE|KMS|VAULT' | sed 's/=.*/=***/'
Verify KMS/Vault access if you use those key providers:
aws kms describe-key --key-id alias/tofu-state >/dev/null && echo kms-ok
Fixes
Provide the correct passphrase/key the state was encrypted with:
export TF_VAR_state_passphrase='the-original-passphrase'
tofu plan
Use a fallback key to decrypt during rotation, so OpenTofu can read old ciphertext with the previous key while writing with the new one:
terraform {
encryption {
key_provider "pbkdf2" "new" { passphrase = var.new_passphrase }
key_provider "pbkdf2" "old" { passphrase = var.old_passphrase }
method "aes_gcm" "new" { keys = key_provider.pbkdf2.new }
method "aes_gcm" "old" { keys = key_provider.pbkdf2.old }
state {
method = method.aes_gcm.new
fallback { method = method.aes_gcm.old }
}
}
}
Then re-apply to re-encrypt state with the new key, and remove the fallback once complete:
tofu apply # reads with fallback, writes with new key
Grant KMS/Vault access on the runner if that is the key provider.
What to watch out for
- Always rotate keys with a
fallbackblock, never by swapping the key outright — otherwise existing state becomes unreadable. - The passphrase/key must be present in every environment that runs
tofu, including CI. - Keep the old key available until every state and plan file has been re-encrypted.
- State encryption is OpenTofu-specific; Terraform state has no equivalent, so migrated pipelines must supply the key.
Related
- OpenTofu Error: ‘Invalid encryption configuration’ — Cause, Fix, and Troubleshooting Guide
- OpenTofu Error: ‘Error loading state: AccessDenied’ — Cause, Fix, and Troubleshooting Guide
- Rotating OpenTofu State Encryption Keys
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.