OpenTofu vs Terraform 2026 — State Encryption, Migration, and Selection Criteria
The divergence between Terraform and OpenTofu, which began with the 2023 license change, has led each tool down its own path as of March 2026—now two and a half years later. We examine the differences in technology, licensing, and support models, then present selection criteria by organization size.
1. Historical Context: The 2023 Turning Point
In August 2023, a single official statement from HashiCorp shook the infrastructure automation community. The announcement was to change Terraform's license from the open-source standard MPL 2.0 to BSL (Business Source License) 1.1.
1.1 The Meaning of the License Change
MPL 2.0 (Previous License): A fully open-source license. Source code usage, modification, distribution, and commercialization are all free. The only obligation is to disclose code changes.
BSL 1.1 (New License): A "quasi-open-source" license. Source code is public, but for a certain period (typically 4 years after source disclosure), use for developing competing products is restricted. After 4 years, it automatically converts to MPL 2.0.
The open-source community's backlash to this change was immediate. In September 2023, the Linux Foundation launched OpenTofu, based on the same codebase as Terraform.
1.2 The Current State in 2026
After about two and a half years, both projects are explicitly following different evolutionary paths:
| Item | Terraform | OpenTofu |
|---|---|---|
| Release Year | 2014 | 2023 |
| Current Version | 1.14.x | 1.9.x (1.11.x preview) |
| License | BSL 1.1 | MPL 2.0 (fully open-source) |
| Sponsoring Organization | IBM/HashiCorp | Linux Foundation |
| Development Velocity | 2-3 features per quarter | 5-7 features per quarter |
| Provider Ecosystem | 5,000+ (registry.terraform.io) | 4,800+ (registry.opentofu.org, terraform.io compatible) |
2. State File Encryption — OpenTofu's Killer Feature
The area where OpenTofu has the clearest technical advantage over Terraform is native state file encryption. Terraform state files contain extremely sensitive information—database credentials, API keys, IP addresses, SSL certificates—stored in plaintext.
2.1 Terraform State File Security Problem
# Terraform state file content (plaintext, dangerous!)
{
"version": 4,
"resources": [
{
"type": "aws_rds_cluster",
"instances": [
{
"attributes": {
"master_username": "admin",
"master_password": "MySecurePassword123!", # ⚠️ Stored in plaintext!
"database_name": "production_db"
}
}
]
},
{
"type": "aws_api_gateway_rest_api",
"instances": [
{
"attributes": {
"api_key": "sk-1234567890abcdef", # ⚠️ API key in plaintext!
"endpoint": "https://api.example.com"
}
}
]
}
]
}
To address this in Terraform, you must integrate with external tools like AWS Secrets Manager or Vault. OpenTofu, however, solves this at the protocol level.
2.2 OpenTofu State Encryption Configuration
# OpenTofu configuration: State file encryption with AWS KMS
terraform {
encryption {
# Specify AWS KMS key
key_provider "aws_kms" "main" {
kms_key_id = "arn:aws:kms:ap-northeast-2:123456789:key/abcd-1234"
region = "ap-northeast-2"
}
# AES-GCM encryption algorithm
method "aes_gcm" "enc" {
keys = key_provider.aws_kms.main
}
# State file encryption configuration
state {
method = method.aes_gcm.enc
enforced = true # Reject unencrypted state
}
# Plan files are also encrypted
plan {
method = method.aes_gcm.enc
enforced = true
}
}
}
# Or use GCP KMS
key_provider "gcp_kms" "main" {
kms_encryption_key = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
}
# Or use PBKDF2 (passphrase-based, for local development)
key_provider "pbkdf2" "main" {
passphrase = var.encryption_passphrase
}
2.3 Security Compliance Impact
This feature is critical for regulatory compliance. In finance (PCI-DSS, SOX), healthcare (HIPAA, GDPR), and government (FedRAMP) sectors, encryption of sensitive information in infrastructure state is often a mandatory requirement.
| Regulation | Terraform | OpenTofu | Compliance Cost |
|---|---|---|---|
| PCI-DSS | Vault integration required | Native support | -30% |
| HIPAA | Additional tools needed | Built-in | -40% |
| SOC2 | Custom implementation | Immediately available | -25% |
3. Practical Migration Guide
Migration is technically straightforward. Since both tools branched from the same codebase, most Terraform code runs in OpenTofu unchanged. In real-world cases, migrating 20 projects took approximately 10 minutes per project.
3.1 Migration Steps
# Step 1: Install OpenTofu
brew install opentofu # macOS
sudo apt-get install opentofu # Ubuntu
choco install opentofu # Windows
# Step 2: Navigate to existing Terraform project directory
cd my-infrastructure/
# Step 3: Initialize OpenTofu (existing state used automatically)
tofu init
# Backward compatible with existing .terraform/ and .terraform.lock.hcl
# Step 4: Verify changes with plan (should be none)
tofu plan
# No changes. Your infrastructure matches the configuration.
# ✓ Normal
# Step 5: Migrate Terraform Cloud state (if needed)
# For S3 backend (compatible)
terraform init # Initialize state with Terraform
tofu init # OpenTofu uses it directly
# For Terraform Cloud (migration required)
terraform state pull > terraform.tfstate # Backup state
tofu login # Configure OpenTofu
tofu state push terraform.tfstate # Restore state
# Step 6: Use tofu commands going forward
tofu apply
tofu destroy
tofu plan
# Step 7: Update CI/CD pipeline
# Old: terraform init && terraform plan
# New: tofu init && tofu plan
3.2 Migration Risk Factors
⚠️ Caution: Some features added after Terraform 1.6 (removed blocks, certain import block options) may be implemented differently in OpenTofu. Particularly, the latest Terraform features might not yet be implemented in OpenTofu, so always validate with
tofu plan. If you're using remote state via Terraform Cloud/Enterprise, move your state to local or S3 before migrating.
4. Selection Criteria by Organization
4.1 When Terraform Is Suitable
| Situation | Reason |
|---|---|
| Already using Terraform Cloud/Enterprise | Migration cost (state moving, team training) exceeds benefits |
| Enterprise commercial support from IBM/HashiCorp is essential | SLA, warranties, and technical support critical |
| Need integrated AI assistant features | AI-based recommendation features in Terraform Cloud |
| Team is already skilled with Terraform | Minimize learning curve |
4.2 When OpenTofu Is Suitable
| Situation | Reason |
|---|---|
| State file encryption is mandatory | PCI-DSS, HIPAA, SOC2 compliance requirements |
| Want to avoid vendor lock-in | Fully open-source, no commercialization restrictions |
| Cost optimization is important | Eliminate Terraform Cloud subscription fees |
| Starting new projects | Can switch to Terraform anytime, leverage latest features |
4.3 Hybrid Strategy
Realistically, many organizations pursue "gradual migration":
- Existing projects: Continue operating with Terraform (migration cost exceeds benefits)
- New projects: Use OpenTofu (long-term flexibility, cost savings)
- In 3-5 years: Naturally transition to mostly OpenTofu
This approach's advantage is minimizing risk while gaining new technology benefits.
💡 Pro Tip: Whether you choose Terraform or OpenTofu, both are mutually compatible, so don't worry about "lock-in." You can switch back anytime if needed. What matters more is choosing the right tool for your organization's situation and requirements. For compliance needs, OpenTofu's state encryption makes sense; for existing investments, sticking with Terraform is practical.
5. Detailed Technical Differences
| Feature | Terraform 1.14 | OpenTofu 1.9 | Importance |
|---|---|---|---|
| State Encryption | Not supported | Supported (AWS KMS, GCP KMS, PBKDF2) | Very High |
| License | BSL 1.1 | MPL 2.0 | High |
| Cloud Service | Terraform Cloud/Enterprise | None (self-hosted) | Medium |
| Code Compatibility | Reference | 100% compatible | High |
6. Conclusion: The Reality of 2026
Terraform and OpenTofu have evolved from competition to complementary relationships. Terraform focuses on enterprise features and commercial support, while OpenTofu emphasizes complete open-source freedom and technical innovation.
The crucial point is that both tools are now viable choices. Unlike three years ago, when HashiCorp's BSL license change created lock-in concerns, this problem no longer exists. Choose based on your organization's situation, requirements, and long-term strategy, and maintain flexibility to switch when needed.
This article was created with AI technology support. For more cloud-native engineering insights, visit the ManoIT Tech Blog.
Top comments (0)