HashiCorp announced on July 31, 2025, the general availability of Hold Your Own Key (HYOK) support for HCP Terraform. This feature gives customers full control over the encryption keys used to protect sensitive Terraform artifacts such as state and plan files.
Terraform artifacts, like state and plan files, often contain sensitive information, resource IDs, IPs, and potentially credentials that, although encrypted by default within HCP Terraform, remained accessible to the platform’s managed key system. With HYOK, encryption now occurs before artifacts leave the customer’s network, using keys stored in customer-controlled Vault, AWS KMS, Azure Key Vault, or Google Cloud KMS. This ensures that plaintext secrets never transit through HashiCorp infrastructure, helping organizations meet strict compliance and data sovereignty requirements.
The HYOK workflow involves a lightweight agent inside the customer’s network. When enabled at the organizational level, each Terraform operation requests a short-lived cryptographic token via OIDC, exchanges it for KMS credentials, and encrypts artifacts using the customer’s key via Vault’s transit engine. Two artifacts are produced: a fully encrypted state or plan file, and a sanitized version with secrets redacted, allowing HCP Terraform to continue policy checks and cost estimation without accessing sensitive data.
Florin Lungu, Chapter Lead at Deutsche Bank, commented on LinkedIn that HYOK “allows customers to take greater control over the access to secrets within Terraform artifacts” and significantly enhances security and compliance. Meanwhile, HashiCorp’s official social announcement called HYOK “another layer of security to state and plan files” and emphasized full visibility without exposing secrets in plaintext.
Several companies outside HashiCorp offer similar approaches to customer-managed encryption keys (CMEK) or Hold Your Own Key (HYOK) models. However, implementation details differ depending on the platform’s architecture and compliance goals:
Azure Storage, Azure Kubernetes Service (AKS), and Azure Key Vault support CMEK, where customers can store encryption keys in Azure Key Vault HSM or even externally via HYOK integrations. Unlike HashiCorp’s Terraform HYOK, Azure’s model often uses Azure Active Directory conditional access to control key access and includes integrations with hardware security modules (HSMs) for FIPS compliance. Azure’s HYOK is most commonly used by government or financial institutions needing full control over key lifecycle management.
AWS offers KMS External Key Store (XKS), allowing organizations to keep encryption keys outside AWS infrastructure while still using KMS APIs. This design parallels HashiCorp’s HYOK by enabling encryption operations locally while AWS services operate on encrypted data. Many financial and healthcare customers leverage this to meet data residency and sovereignty requirements.
Google Cloud’s External Key Manager (EKM) enables full HYOK capabilities by performing cryptographic operations entirely outside Google infrastructure. This ensures that even Google cannot decrypt customer data. EKM supports Cloud HSMs or on-premise HSMs for organizations with strict regulatory environments, particularly in Europe under GDPR and Schrems II requirements.
Salesforce Shield offers HYOK capabilities where customers manage encryption keys either in Salesforce or via a third-party HSM. Similar to HashiCorp’ approach, this allows encrypted storage of sensitive CRM data while retaining customer-exclusive control over key rotation and revocation.
HashiCorp’s HCP Terraform HYOK differs by focusing on Terraform state and plan files, encrypting artifacts before leaving the customer network, and supporting multi-cloud KMS systems (Vault, AWS, Azure, GCP) seamlessly. Most other vendors provide HYOK for platform data (e.g., storage objects, databases) rather than IaC artifacts, making HashiCorp’s feature unique in the infrastructure-as-code space.
HYOK is currently available to Premium-tier HCP Terraform customers. It provides architects and security teams with controls over their data. By combining customer-managed key systems, local agent encryption, and platform-agnostic support across major KMS providers, HYOK aims to add flexibility, observability, and enterprise-grade compliance into HashiCorp’s infrastructure-as-code security practices.
