Infisical: Secrets Manager

Managing secrets effectively is crucial for secure infrastructure. Infisical is a containerized solution for storing API keys, passwords, etc., securely via Docker. It offers self-hosting, simplicity, and flexibility for all project sizes.

Introduction

Managing secrets effectively is a crucial part of maintaining a secure and efficient infrastructure. In this post, I want to introduce you to Infisical, a containerized solution designed for secrets management. Whether you're dealing with API keys, passwords, or other sensitive data, Infisical provides a centralized and encrypted way to store and access them securely. It's built to integrate seamlessly into your existing stack using Docker, making it accessible for projects of all sizes. If you're someone who prefers having complete control over your data, you’ll appreciate its robust self-hosting capabilities. While there are paid features that cater to enterprise-level needs, the free version offers enough functionality for smaller setups or homelab applications.

One of the things I like about Infisical is its balance of simplicity and flexibility. Setting it up is straightforward, as long as you have Docker ready, and the configuration process is manageable even if you're new to secrets management. In this guide, I’ll walk you through how to deploy Infisical using Docker, configure it for your environment, and get the most out of its features. I’ve also included some tips on how to securely manage access, like enabling multi-factor authentication and restricting sign-ups. These best practices can help you maintain a more secure setup, whether you're working on a small personal project or managing a larger team.

That said, I think it’s worth mentioning that Infisical does have some limitations in its free self-hosted version. Features like project sharing and per-user MFA are locked behind a paywall, which might be frustrating if you’re operating on a tight budget. Despite that, the tool meets the basic needs for secrets management, and I’ve found it to be a valuable addition to my own workflow. Throughout this post, I’ll share my experience, along with step-by-step instructions and practical advice, so you can decide if Infisical is the right fit for your needs. Let’s dive into the details and see how you can get set up with Infisical today.

References

Install - Infisical
Infisical’s CLI is one of the best ways to manage environments and secrets. Install it here
Self-Hosting Infisical: A Guide to Securing Your Homelab’s Secrets
Learn how to self-host Infisical to secure your homelab secrets. Step-by-step tutorial covers Docker deployment, backup key protection, and just-in-time secret injection.
Environment Variables - Infisical
Read how to configure environment variables for self-hosted Infisical.

Prerequisites

  • Internet Connection
  • Up-to-date Server
  • Proper permissions to run Docker commands
  • Docker Setup - Ultimate Docker Guide

Overview

Infisical Secrets Management is a containerized solution designed to securely manage and store sensitive information like API keys, passwords, and other secrets. It operates as a centralized platform that ensures your secrets are encrypted and accessible only to authorized users and applications within your infrastructure. By leveraging Docker, it’s easy to deploy and integrate into your existing stack, making it a great fit for both small projects and larger environments.

One of the standout features of Infisical is its flexibility and robust support for self-hosting, which allows you to maintain complete control over your data. There are also paid features available, likely catering to advanced use cases for enterprises or larger teams needing additional functionality. If you’re running a homelab or looking to improve your organization’s secrets management process, this tool is definitely worth exploring.

Free vs Paid

Unfortunately, most of the features you'd expect are paywalled, which is quite disappointing. While Infisical itself is a good product, I find myself repeatedly frustrated as I use it. Nevertheless, it does fulfill the basic needs. User management is probably my biggest issue. Groups and roles are among the important features locked behind the paywall. Additionally, SSO integration is limited to services like Google and Azure, meaning your own OIDC or OAuth solution won't work with the free version.

  • Per user MFA
  • Project Sharing
  • CLI access
  • Software based Encryption

Setting up the Container

mkdir -p /data/infisical/postgres
chown user:data -R /data/infisical
chmod 775 -R /data/infisical
# The compose file and .env live here; the ./postgres and ./volumes paths below are relative to this directory
cd /data/infisical
nano docker-compose.yml
nano .env
# Use Control+O to save and Control+X to exit

docker-compose.yml:

services:
  secrets-manager:
    container_name: infisical
    image: infisical/infisical:v0.146.0-postgres
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
      db-migration:
        condition: service_completed_successfully
    pull_policy: always
    env_file: .env
    environment:
      - NODE_ENV=production
    ports:
      - 42560:8080
    networks:
      - infisical

  redis:
    container_name: infisical-redis
    image: redis
    restart: unless-stopped
    env_file: .env
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    volumes:
      - ./volumes/redis:/data
    networks:
      - infisical

  db:
    container_name: infisical-db
    image: postgres:14-alpine
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./postgres:/var/lib/postgresql/data
    networks:
      - infisical
      - mysql
    healthcheck:
      test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list"
      interval: 5s
      timeout: 10s
      retries: 10

  db-migration:
    container_name: infisical-db-migration
    depends_on:
      db:
        condition: service_healthy
    image: infisical/infisical:v0.146.0-postgres
    env_file: .env
    command: npm run migration:latest
    pull_policy: always
    networks:
      - infisical
      - mysql

networks:
  infisical:
    driver: bridge
  mysql:
    external: true

.env:

# Website URL
SITE_URL=https://infisical.lan

# SMTP
SMTP_HOST=smtp.mailgun.org # obtained from credentials page
SMTP_USERNAME=postmaster@example.mailgun.org # obtained from credentials page
SMTP_PASSWORD=password # obtained from credentials page
SMTP_PORT=587
SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
SMTP_FROM_NAME=Infisical

# Keys
# Required key for platform encryption/decryption ops
# GENERATE YOUR OWN KEY WITH 'openssl rand -hex 16'
ENCRYPTION_KEY=

# JWT
# Required secret to sign JWT tokens
# GENERATE YOUR OWN KEY WITH 'openssl rand -base64 32'
AUTH_SECRET=

# Postgres
POSTGRES_PASSWORD='set-your-own-password-here'
POSTGRES_USER=infisical
POSTGRES_DB=infisical
# Do not change the next line
DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}

# Redis
# Do not change the next line
REDIS_URL=redis://redis:6379
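The .env above leaves ENCRYPTION_KEY and AUTH_SECRET blank and ships a placeholder database password, and the stack will happily start with any of them unchanged. The script below is an added example, not code from the post or from the Infisical project. It generates the three values the way the file's own comments describe (openssl rand -hex 16 and openssl rand -base64 32, falling back to /dev/urandom when openssl is absent), writes a minimal .env with owner-only permissions, and refuses to pass a file that still carries a placeholder or is readable by other users. The SMTP lines are left out because they are site-specific; the output path, the check rules, and the 24-byte hex database password are my assumptions.

```shell
#!/bin/sh
# Added example (not the post's or Infisical's own code): generate the secrets
# the .env leaves blank, write the file with mode 0600, and sanity-check it
# before running docker compose up.
# Assumptions: openssl is installed (falls back to /dev/urandom + od/base64);
# the SMTP_* lines are site-specific and are for you to append afterwards.
set -u

# Print N random bytes as lowercase hex (2N characters). ENCRYPTION_KEY needs 16 bytes.
rand_hex() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$1"
  else
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
  fi
}

# Print N random bytes base64-encoded on a single line. AUTH_SECRET uses 32 bytes.
rand_b64() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 "$1"
  else
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
  fi
}

# Write a complete .env. $1 = path, $2 = SITE_URL. The body is a subshell so the
# umask (which makes the file 0600) does not leak into the caller. The ${...}
# references are written literally: docker compose expands them when it reads
# the file, exactly as in the .env shown in the post.
write_env_file() (
  umask 077
  {
    printf 'SITE_URL=%s\n' "$2"
    printf 'ENCRYPTION_KEY=%s\n' "$(rand_hex 16)"
    printf 'AUTH_SECRET=%s\n' "$(rand_b64 32)"
    printf 'POSTGRES_USER=infisical\n'
    printf 'POSTGRES_PASSWORD=%s\n' "$(rand_hex 24)"   # hex only: safe to embed in the URI
    printf 'POSTGRES_DB=infisical\n'
    printf 'DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}\n'
    printf 'REDIS_URL=redis://redis:6379\n'
  } > "$1"
)

# Return 0 only if the file would be safe to start the stack with:
# a 32-hex-char ENCRYPTION_KEY, an AUTH_SECRET of at least 32 characters,
# a POSTGRES_PASSWORD that is not a placeholder, and no group/other permission bits.
check_env_file() {
  f=$1
  key=$(sed -n 's/^ENCRYPTION_KEY=//p' "$f")
  secret=$(sed -n 's/^AUTH_SECRET=//p' "$f")
  pw=$(sed -n 's/^POSTGRES_PASSWORD=//p' "$f" | tr -d "'\"")
  printf '%s\n' "$key" | grep -Eq '^[0-9a-f]{32}$' ||
    { echo "ENCRYPTION_KEY must be 32 hex chars (openssl rand -hex 16)" >&2; return 1; }
  [ "${#secret}" -ge 32 ] ||
    { echo "AUTH_SECRET is missing or too short (openssl rand -base64 32)" >&2; return 1; }
  case $pw in
    ''|set-your-own-password-here|password)
      echo "POSTGRES_PASSWORD is still a placeholder" >&2; return 1 ;;
  esac
  # Columns 5-10 of ls -l are the group and other permission bits.
  [ "$(ls -l "$f" | cut -c5-10)" = "------" ] ||
    { echo "$f is readable by group/others; run: chmod 600 $f" >&2; return 1; }
  return 0
}

# Usage: sh make-env.sh /data/infisical/.env https://infisical.lan
if [ "$#" -ge 1 ]; then
  write_env_file "$1" "${2:-https://infisical.lan}"
  check_env_file "$1" && echo "wrote $1; append your SMTP_* lines, then run docker compose up -d"
fi
```

Run it once before the first docker compose up; rerunning it later would rotate ENCRYPTION_KEY and make every secret already stored in Postgres undecryptable, so treat the generated file (and a copy of it) as part of your backups. The check function can also be pointed at a hand-written .env to catch a placeholder that was never replaced.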

Start the container stack by using docker compose up -d.

Reverse Proxy Setup

Nothing special here. If you’re using NGINX Proxy Manager, set the domain, port, IP, and SSL certificate for the host. You’ll probably want to enable websockets as well.

Configuring Infisical

By default, each user will have their own organization, essentially a personal vault. Infisical is very limited in the free self-hosted version, and user management is simply not available unless you pay for it. I worked around this by allowing sign-ups, restricting the email domain, setting the default role to no-access, and keeping it private within my network.

Best practices suggest implementing MFA/SSO and only exposing external access when absolutely necessary. While some tools may be too complex for a homelab setup, my solution is to use an always-on VPN when away from home. This gives me access to everything regardless of location. My friends, co-developers, and clients use my VPN setup, allowing me to control access precisely. With this approach, allowing sign-ups is relatively safe. Users can create accounts, and you can then manually add them to your projects.

CLI Use

You can use Infisical within the command line by following the install instructions. It’s simple to use and connect to your self-hosted instance. There are installs for all major operating systems.

# login to your instance; choose the self-hosting option and enter the SITE_URL from your .env when prompted
infisical login

For a list of all the commands, you can check out the Core Commands docs.

Conclusion

In this post, I aimed to provide a comprehensive introduction to Infisical and how it can be effectively deployed using Docker to manage secrets securely. We walked through the setup process, explored the configuration options, and discussed some of the limitations of the free self-hosted version. While the tool does have some paywalled features that may be frustrating for those on a budget, it still serves as a solid solution for basic secrets management. I covered practical tips for securing your instance, such as enabling multi-factor authentication and restricting sign-ups, which are critical for maintaining a secure environment. For anyone managing sensitive data, Infisical can be a reliable addition to your toolkit if set up thoughtfully.

Overall, I think Infisical is a promising tool, especially for those who value self-hosting and maintaining control over their data. Its Docker-based deployment makes it accessible for a range of users, from hobbyists to small teams. Although it has its shortcomings in the free tier, the features it offers are still valuable for most small-scale applications. I hope this guide has helped you better understand how to integrate Infisical into your workflow and highlighted the best practices to maximize its potential. If you're considering adopting a secrets management solution, Infisical is worth exploring further, especially if you're already comfortable working with Docker.


Full Disclosure

Most of this article is comprised of facts and opinions. AI (specifically Grok and Notion AI) was used in the creation of this post. The featured background image was created by andyoneru and is available on Unsplash. I added a blur and a gradient overlay with some text. The following images have been pulled or screenshotted from the respective websites/applications. I do not own this content.
