Which of these is the best practice to protect sensitive values in state files?


Using enhanced remote backends is considered the best practice for protecting sensitive values in state files. Remote backends, such as AWS S3 with encryption enabled, Terraform Cloud, or HashiCorp Consul, can provide additional layers of security, such as access controls, auditing, and encryption in transit and at rest. This keeps the sensitive data recorded in the state file from being exposed, as it could be if the file were stored in a local or insecure environment.

Enhanced remote backends often have built-in features for managing secrets, providing a more secure and manageable way to handle sensitive data compared to local files or other methods. They can integrate with secrets management tools and enable authentication mechanisms that protect access to sensitive information.

In contrast, environment variables and local plaintext files carry security risks: environment variables can be exposed in logs, and plaintext files are not secure by default. Hardcoding secrets directly into your Terraform configurations is dangerous because the values end up in version control history, accessible to anyone with access to the repository. Enhanced remote backends mitigate these risks effectively.
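The AWS S3 option mentioned above, shown next to the local default it replaces. This is an added example, not part of the original quiz explanation; the bucket name, object key, region, KMS key ARN and variable name are placeholders.

```hcl
# Weak: with no backend configured, Terraform uses the local backend and
# writes terraform.tfstate, secret values included, as plaintext on disk.
#
# terraform {
#   backend "local" {
#     path = "terraform.tfstate"
#   }
# }

# Hardened: state is stored remotely in S3 and encrypted at rest.
# Access control and auditing come from the bucket's IAM policy and
# logging, which are configured on the AWS side and not shown here.
terraform {
  backend "s3" {
    bucket     = "example-tfstate-bucket"          # placeholder bucket name
    key        = "prod/network/terraform.tfstate"  # placeholder object key
    region     = "us-east-1"                       # placeholder region
    encrypt    = true                              # server-side encryption of the state object
    kms_key_id = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID" # placeholder KMS key ARN
  }
}

# Marking a variable sensitive only redacts it from plan and apply output.
# The value is still written into the state, which is why the backend
# holding that state has to be protected.
variable "db_password" { # hypothetical variable name
  type      = string
  sensitive = true
}
```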
