From 3a1b750c4611be7788aba9036c3119c3d935d8fe Mon Sep 17 00:00:00 2001
From: Timo Furrer <tuxtimo@gmail.com>
Date: Thu, 10 Apr 2025 14:48:25 +0200
Subject: [PATCH] Document how to work with auto-encrypted states locally

Closes #124

Changelog: added
---
 .gitlab/README.md.template | 10 ++++++++++
 README.md                  | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index 4c3d68c..3f6124b 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -175,6 +175,16 @@ include:
 stages: [validate, build, deploy]
 ```
 
+#### Working with encrypted states locally
+
+To locally work with encrypted states that have been auto encrypted by the component you can
+manually do what the component does:
+
+Copy the encryption setup from [the `configure_encryption_for_tofu` function](/src/gitlab-tofu.sh#L310)
+into a temporary file called `encryption.tf` or expose it in the `TF_ENCRYPTION` variable - make sure to
+correctly set your passphrase the match the value from GitLab CI. Then you can simply continue using your
+regular `tofu` tooling.
+
 ### Configure `id_tokens`
 
 > [!note]
diff --git a/README.md b/README.md
index c5d7dba..3154bb8 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,16 @@ include:
 stages: [validate, build, deploy]
 ```
 
+#### Working with encrypted states locally
+
+To locally work with encrypted states that have been auto encrypted by the component you can
+manually do what the component does:
+
+Copy the encryption setup from [the `configure_encryption_for_tofu` function](/src/gitlab-tofu.sh#L310)
+into a temporary file called `encryption.tf` or expose it in the `TF_ENCRYPTION` variable - make sure to
+correctly set your passphrase the match the value from GitLab CI. Then you can simply continue using your
+regular `tofu` tooling.
+
 ### Configure `id_tokens`
 
 > [!note]
-- 
GitLab