diff --git a/main.tf b/main.tf
index 8dbc4cb..7d2238a 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,21 @@ terraform {
     skip_requesting_account_id  = true
     skip_s3_checksum            = true
   }
+
+  encryption {
+    key_provider "pbkdf2" "encryption" {
+      passphrase = var.passphrase
+    }
+
+    method "aes_gcm" "encryption" {
+      keys = key_provider.pbkdf2.encryption
+    }
+
+    state {
+      method = method.aes_gcm.encryption
+      enforced = true
+    }
+  }
 }
 
 module "services" {
diff --git a/variables.tf b/variables.tf
index c3fcffd..12fd053 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,7 @@
+variable "passphrase" {
+  sensitive = true
+}
+
 variable "backend_access_key" {
   sensitive = true
 }