env0-Hosted Encrypted State
Persisted deployment state without the hassle
env0 has removed the requirement for setting up PersistentVolumeClaims (PVCs) when using env0's Self-Hosted Agents. env0 will encrypt the working directory (with a customer-provided encryption key) and persist it in env0's secure cloud-native file system.
How does it work
- Add a "env0StateEncryptionKey" = "<your_base64_encoded_state_encryption_key>" key-value pair to your agent's <your_agent_key>_values.yaml configuration file. On existing agents, upgrade helm to apply the changes made in your configuration file. The encryption key can be any random string.
- When deploying an environment, the agent uses your encryption key to encrypt the deployment state and working directory, and uploads them to env0's secure cloud-native file system.
About Privacy
We don't have access to your state files or your encryption key. Your encryption key belongs to you and your agent.
Key rotation
To change the encryption key, edit the env0StateEncryptionKey value in your agent's configuration file, and replace it with a different base64-encoded string.
Warning
When using local state files, adding, removing or rotating the encryption key will result in state loss for existing environments. In such cases, Terraform resources will be re-created.
To remedy this, we recommend using a remote backend (e.g. env0 Remote Backend).
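As an added example (not env0's own tooling), the shell functions below generate a value for env0StateEncryptionKey and sanity-check a candidate before it goes into <your_agent_key>_values.yaml, whether for first-time setup or for key rotation. The 32-byte key size, the function names and the YAML key: "value" form of the entry are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate and sanity-check a value for env0StateEncryptionKey.
# The 32-byte size and the minimum-length check are assumptions of this
# example, not requirements stated by env0.

MIN_KEY_BYTES=32

# Print a base64-encoded key built from MIN_KEY_BYTES bytes of kernel randomness.
gen_state_key() {
    head -c "$MIN_KEY_BYTES" /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if $1 is well-formed base64 decoding to at least MIN_KEY_BYTES bytes.
check_state_key() {
    key=$1
    # Reject empty values and the unfilled <...> placeholder from the docs.
    case $key in
        ''|*'<'*|*'>'*) return 1 ;;
    esac
    # Only the standard base64 alphabet is allowed.
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # Padded base64 always has a length that is a multiple of 4.
    [ $(( ${#key} % 4 )) -eq 0 ] || return 1
    # The value must decode cleanly (catches misplaced padding).
    printf '%s' "$key" | base64 -d >/dev/null 2>&1 || return 1
    decoded_len=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$decoded_len" -ge "$MIN_KEY_BYTES" ]
}

# Emit the entry for the agent's values file (YAML form assumed),
# refusing to emit anything for a malformed or short key.
values_line() {
    check_state_key "$1" || { echo "refusing weak or malformed key" >&2; return 1; }
    printf 'env0StateEncryptionKey: "%s"\n' "$1"
}

# Demo: generate a fresh key and print the line to add to the values file.
values_line "$(gen_state_key)"
```

Because env0 does not hold the key, store the generated value in your own secret manager before applying it to the agent.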