The 'much incentive' part is the interesting thing to me. Hashicorp did build encryption-at-rest for state into their paid remote cloud service. They explicitly recommend using the paid service instead when security is required, and instead of having both versions secure, the paid form simply disables the local one [1], drawing a strong line here between paid/secure and unpaid/insecure.

So I'm wondering if that created a disincentive, from a perspective of enterprises upselling for security & compliance. OpenTofu community members aren't relying on selling a remote management service, and when a cloud provider, more usage in general is better, and that includes security for everyone. I can be off, so not quite clear to me the more I look.

[1] https://developer.hashicorp.com/terraform/language/state/sen...

It's a lot harder to be an enterprise company or b2b startup (SOC2) and brush that off in front of knowledgeable auditors. I'm guessing most would miss it and rely on self-reporting, which in turn raises how 'loud' this issue is for most OSS terraform users.

We aren't heavy terraform users, so I'm not sure of the threat modeling here. Understanding these kinds of product decisions and OSS security ramifications is a pet interest of mine, and this is a fascinating one!

We moved on, but there are areas where I wouldn’t mind poking at it. I’ve been thinking OpenTofu is where I’d start afresh with TF.