env0-Hosted Encrypted State

Persisted deployment state without the hassle

env0 has removed the requirement to set up PersistentVolumeClaims (PVCs) when using env0's Self-Hosted Agents. env0 encrypts the working directory with a customer-provided encryption key and persists it in env0's secure cloud native file system.

How does it work

  1. Add an "env0StateEncryptionKey" = "<your_base64_encoded_state_encryption_key>" key-value pair to your agent's <your_agent_key>_values.yaml configuration file. On existing agents, run a Helm upgrade to apply the changes made in your configuration file. The encryption key can be any random string.
  2. When deploying an environment, the agent uses your encryption key to encrypt the deployment state and working directory, and uploads them to env0's secure cloud native file system.


About Privacy

We don't have access to your state files or your encryption key. Your encryption key belongs to you and your agent.

Key rotation

To change the encryption key, edit the env0StateEncryptionKey value in your agent's configuration file and replace it with a different base64-encoded string.



When using local state files, adding, removing or rotating the encryption key will result in state loss for existing environments. In such cases, Terraform resources will be re-created.

To remedy this, we recommend using a remote backend (e.g. env0 Remote Backend).
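The following shell helpers illustrate step 1 and the key rotation caveat above. They are an added example, not env0's own tooling: the function names and the ALLOW_ROTATE variable are hypothetical, and the code assumes the key is stored as a top-level YAML entry on a single line of the values file.

```shell
#!/bin/sh
# Added example, not env0 tooling. Function names and ALLOW_ROTATE are hypothetical.

# Print nbytes (default 32) of OS randomness, base64-encoded on one line.
gen_state_key() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Print the key currently stored in a values file (empty output if none).
# Assumption: the key is a top-level YAML entry on a single line.
current_state_key() {
    [ -f "$1" ] || return 0
    sed -n 's/^env0StateEncryptionKey:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# Write the key into the values file, keeping all other settings.
# Returns 2 and leaves the file untouched if a different key is already set,
# unless ALLOW_ROTATE=1: with local state files, changing the key means
# state loss for existing environments.
set_state_key() {
    file="$1"; key="$2"
    old="$(current_state_key "$file")"
    if [ -n "$old" ] && [ "$old" != "$key" ] && [ "${ALLOW_ROTATE:-0}" != "1" ]; then
        echo "refusing to replace existing env0StateEncryptionKey in $file" >&2
        return 2
    fi
    # The values file now holds a secret: build it in an owner-only temp file.
    tmp="$(umask 077; mktemp "${file}.XXXXXX")" || return 1
    if [ -f "$file" ]; then
        grep -v '^env0StateEncryptionKey:' "$file" > "$tmp" || true
    fi
    printf 'env0StateEncryptionKey: "%s"\n' "$key" >> "$tmp"
    mv "$tmp" "$file"
}

# Usage (file name is a placeholder):
#   set_state_key "<your_agent_key>_values.yaml" "$(gen_state_key)"
```

Keep a copy of the generated key in a secrets manager; the page states that env0 has no access to it.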