What is Infisical and how does it differ from HashiCorp Vault?

Infisical is an open-source secrets manager with end-to-end encryption, a modern web UI, and built-in integrations for CI/CD platforms. Vault is more flexible but requires significant operational expertise, while Infisical is easier to self-host and ships with a developer-friendly dashboard.

Can I self-host Infisical for free?

Yes. Infisical Community Edition is free and self-hostable via Docker Compose or Helm. Enterprise features like SAML SSO and advanced audit logs require a paid license, but the core secrets management features are fully open-source.

How does Infisical protect secrets at rest?

Infisical uses end-to-end encryption. Secrets are encrypted client-side before being sent to the server using AES-256-GCM. The server stores only ciphertext and cannot read plaintext secrets without the workspace key derived from user credentials.

What is a Machine Identity in Infisical?

A Machine Identity is a non-human principal (CI runner, Kubernetes pod, cloud function) that authenticates to Infisical using Universal Auth, Kubernetes Auth, AWS IAM, GCP IAM, Azure, or OIDC — replacing static service tokens with short-lived credentials.

Infisical: Open-Source Secrets Management Platform Guide

TL;DR — Quick Summary

Infisical is an open-source secrets manager with E2E encryption, CLI, SDKs, Kubernetes Operator, and secret rotation — self-hosted alternative to Vault.

Infisical is an open-source secrets management platform that gives teams a centralized, audited, and encrypted store for API keys, database credentials, and environment variables. Unlike .env files committed to version control or secrets scattered across cloud provider consoles, Infisical provides end-to-end encryption, fine-grained access control, and native integrations with every major CI/CD platform — without locking you into a proprietary SaaS product.

Prerequisites

Docker and Docker Compose or a Kubernetes cluster with Helm 3.
A domain name (for TLS on self-hosted deployments).
Basic familiarity with environment variables and CI/CD pipelines.

Infisical Architecture

Infisical’s server is composed of three components:

API server — Node.js backend that handles all secrets operations.
PostgreSQL — Stores encrypted secret ciphertext, metadata, and audit logs.
Redis — Session management and background job queuing.

End-to-end encryption is the critical design choice: when you write a secret, the Infisical web client or CLI encrypts it locally using a workspace key derived from your credentials before transmission. The server stores only ciphertext — a compromised database exposes no plaintext secrets.

Client-side components include:

Web dashboard — Browser-based UI for managing secrets, users, and integrations.
CLI (infisical) — Authenticate, read/write secrets, inject into processes.
SDKs — Node.js, Python, Go, Java, Ruby, .NET — for programmatic access.
Kubernetes Operator — Syncs Infisical secrets into native Kubernetes Secrets.

Installation

Option 1: Docker Compose (Self-Hosted)

git clone https://github.com/Infisical/infisical.git
cd infisical
cp .env.example .env

Edit .env — set at minimum:

ENCRYPTION_KEY=<32-byte-random-hex>
AUTH_SECRET=<32-byte-random-hex>
SITE_URL=https://secrets.yourdomain.com

Generate random values:

openssl rand -hex 16   # ENCRYPTION_KEY
openssl rand -base64 32 # AUTH_SECRET

Start the stack:

docker compose -f docker-compose.prod.yml up -d

Infisical is now available on port 8080. Put it behind NGINX or Traefik with TLS before exposing it publicly.

Option 2: Kubernetes with Helm

helm repo add infisical-helm-charts https://dl.infisical.com/helm-charts
helm repo update
helm install infisical infisical-helm-charts/infisical \
  --set infisical.encryptionKey="$(openssl rand -hex 16)" \
  --set infisical.authSecret="$(openssl rand -base64 32)"

Option 3: Infisical Cloud

Sign up at app.infisical.com — no server management, free tier available. All data is stored encrypted; Infisical cannot read your secrets.

Project Setup: Organizations, Projects, and Environments

Organizations are the top-level container — your company or team. Users belong to organizations and are invited to specific projects.

Projects map to a single application or service (e.g., api-gateway, payment-service).

Environments within a project represent deployment stages. Infisical creates three by default:

Environment	Use Case
`development`	Local developer secrets
`staging`	Pre-production testing
`production`	Live application credentials

Folders let you group related secrets within an environment (e.g., /database/, /third-party/, /feature-flags/).

Secret versioning is automatic — every change creates a new version. You can roll back any secret to a previous value from the dashboard or CLI. The full history includes who changed what and when.

CLI Usage

Install the Infisical CLI:

# Linux/macOS
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
sudo apt-get install infisical   # Debian/Ubuntu

# macOS with Homebrew
brew install infisical/get-cli/infisical

# Windows with Scoop
scoop bucket add org https://github.com/Infisical/scoop-infisical.git
scoop install infisical

Authenticate:

infisical login
# Opens browser for OAuth or prompts for email/password

Read secrets:

infisical secrets get DATABASE_URL --env=prod
infisical secrets get --env=dev --path=/database

Write and delete:

infisical secrets set API_KEY=sk-abc123 --env=staging
infisical secrets delete OLD_SECRET --env=staging

Inject into a running process — the key workflow for local development and CI:

infisical run --env=dev -- npm run dev
infisical run --env=prod -- python manage.py migrate
infisical run --env=staging --path=/database -- ./start.sh

infisical run fetches all secrets for the specified environment and path, injects them as environment variables, then executes your command. No secrets are written to disk.

Export to files:

infisical export --env=dev > .env                  # dotenv format
infisical export --env=dev --format=json > secrets.json
infisical export --env=dev --format=yaml > secrets.yaml

SDKs: Programmatic Access

All official SDKs authenticate via a Machine Identity (recommended) or service token.

Node.js:

import { InfisicalSDK } from "@infisical/sdk";

const client = new InfisicalSDK({
  siteUrl: "https://app.infisical.com",
});

await client.auth().universalAuth.login({
  clientId: process.env.INFISICAL_CLIENT_ID,
  clientSecret: process.env.INFISICAL_CLIENT_SECRET,
});

const secret = await client.secrets().getSecret({
  secretName: "DATABASE_URL",
  projectId: "proj_abc123",
  environment: "prod",
});

Python:

from infisical_sdk import InfisicalSDKClient

client = InfisicalSDKClient(host="https://app.infisical.com")
client.auth.universal_auth.login(
    client_id="CLIENT_ID",
    client_secret="CLIENT_SECRET"
)
secret = client.secrets.get_secret_by_name(
    secret_name="DATABASE_URL",
    project_id="proj_abc123",
    environment_slug="prod"
)

Go, Java, Ruby, and .NET SDKs follow the same pattern: initialize with credentials, call GetSecret().

Machine Identities

Machine Identities replace static service tokens with identity-based authentication for non-human clients:

Auth Method	Best For
Universal Auth	Any workload; client ID + secret, short-lived tokens
Kubernetes Auth	Pods using a ServiceAccount JWT
AWS IAM Auth	Lambda, EC2, ECS — uses AWS STS to prove identity
GCP IAM Auth	GCP VMs, Cloud Run, Cloud Functions
Azure Auth	Azure VMs, AKS, Azure Functions via Managed Identity
OIDC Auth	GitHub Actions, GitLab CI, any OIDC-compliant system

Creating a machine identity in GitHub Actions (OIDC):

- name: Fetch secrets from Infisical
  uses: Infisical/secrets-action@v1
  with:
    method: "oidc"
    project-id: "proj_abc123"
    env-slug: "prod"
    infisical-url: "https://app.infisical.com"

Secret Rotation

Infisical can automatically rotate credentials on a schedule, eliminating long-lived static passwords:

PostgreSQL / MySQL / MongoDB — Rotates the database user password and updates the secret in Infisical.
AWS IAM access keys — Creates a new key pair, updates Infisical, then deletes the old key.
Custom rotation — Invoke any Lambda or HTTP endpoint to rotate arbitrary credentials.

Enable rotation in the dashboard under Secret Rotation for a given project environment. Set the rotation interval (daily, weekly, monthly) and the target integration.

Secret References and Imports

References let one secret include the value of another: ${DATABASE_HOST}:5432 in a secret value expands DATABASE_HOST at fetch time — no duplication.

Imports pull all secrets from another environment or path into the current scope:

Import: /shared/common → available in /production/service-a

Override hierarchy (highest to lowest priority):

Personal overrides (developer local values)
Environment secrets
Imported secrets

This lets developers override DATABASE_URL locally to point at a local instance without affecting the shared staging environment.

Kubernetes Operator: Syncing Secrets

The Infisical Kubernetes Operator watches InfisicalSecret CRDs and syncs secrets from Infisical into native Kubernetes Secrets — making them available as envFrom or volume mounts without any SDK code.

Install the operator:

helm install infisical-operator infisical-helm-charts/secrets-operator \
  --namespace infisical-operator-system \
  --create-namespace

Create a machine identity secret (client credentials for the operator):

apiVersion: v1
kind: Secret
metadata:
  name: infisical-machine-identity
  namespace: default
stringData:
  clientId: "MACHINE_CLIENT_ID"
  clientSecret: "MACHINE_CLIENT_SECRET"

Create an InfisicalSecret resource:

apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: myapp-secrets
  namespace: default
spec:
  hostAPI: https://app.infisical.com/api
  resyncInterval: 60
  authentication:
    universalAuth:
      credentialsRef:
        name: infisical-machine-identity
        namespace: default
  managedSecretReference:
    secretName: myapp-synced-secrets
    secretNamespace: default
  infisicalSecret:
    environmentSlug: "prod"
    projectId: "proj_abc123"
    secretsPath: "/"

The operator creates myapp-synced-secrets as a standard Kubernetes Secret. Your Deployment references it normally:

envFrom:
  - secretRef:
      name: myapp-synced-secrets

The operator re-syncs every 60 seconds — when you rotate a secret in Infisical, Kubernetes picks it up automatically.

Integrations

Platform	Integration Type
GitHub Actions	Native action or OIDC machine identity
GitLab CI	CLI in CI script or OIDC identity
Vercel	Dashboard integration — auto-syncs env vars
Netlify	Dashboard integration — auto-syncs env vars
Docker Compose	`infisical run -- docker compose up`
Terraform	Infisical Terraform provider
Ansible	Infisical lookup plugin
Kubernetes	Operator (CRD-based sync)
AWS Parameter Store	One-way sync from Infisical to SSM
AWS Secrets Manager	One-way sync from Infisical to ASM

Access Controls

RBAC roles per project:

Admin — Full control: add/delete secrets, manage members, configure integrations.
Developer — Read/write secrets in assigned environments.
Viewer — Read-only access.

Secret-level permissions allow granting a specific user or machine identity access to individual secrets or folders, not entire environments.

Temporary access grants access that expires after a configurable duration — useful for incident response or contractor access.

Approval workflows (Enterprise) require a second team member to approve secret changes in production environments before they go live.

Audit Log

Every operation on every secret is logged:

Who accessed or modified a secret (user or machine identity)
IP address and user agent
Timestamp
Previous and new value hash (not plaintext)
Source: dashboard, CLI, SDK, or operator

The audit log is queryable from the dashboard by user, secret, environment, and time range.

Infisical vs Alternatives

Feature	Infisical	HashiCorp Vault	Doppler	AWS Secrets Manager	SOPS	1Password Connect
Open source	Yes (CE)	BSL license	No	No	Yes	No
Self-hosted	Yes	Yes	No	No	Yes	Yes (limited)
E2E encryption	Yes	No	No	No	Yes	Yes
Web UI	Yes	Yes (basic)	Yes	AWS Console	No	Yes
Secret rotation	Yes	Yes	Yes	Yes	No	No
Kubernetes Operator	Yes	Yes (Vault Agent)	No	Yes (ESO)	No	No
Machine identities	Yes	Yes	Yes	IAM	No	Yes
Free tier	CE unlimited	Open source	Limited	Per-secret pricing	Free	No
Audit log	Yes	Yes	Yes	Yes	No	Yes

Gotchas and Edge Cases

Encryption key loss — If you lose ENCRYPTION_KEY, all secrets are permanently unrecoverable. Back it up to a separate secrets store (not Infisical itself).
Redis availability — Infisical uses Redis for session tokens. A Redis outage makes login impossible even if PostgreSQL is healthy. Run Redis in a high-availability configuration.
Secret references are resolved at fetch time — A reference to a deleted secret returns an error at runtime, not at write time.
Operator sync interval — The Kubernetes Operator’s 60-second default means there is a propagation delay after rotation. Applications that cache environment variables at startup won’t see changes until redeployed.
Docker Compose in CI — infisical run -- docker compose injects secrets as environment variables into the Docker Compose process. Secrets only reach containers if you explicitly pass them via environment: in docker-compose.yml or with --env-file.

Summary

Self-hosted via Docker Compose or Helm — PostgreSQL + Redis + API server, free Community Edition.
End-to-end encryption — Server never holds plaintext; workspace key stays client-side.
CLI with infisical run — Inject secrets into any process without writing .env files.
Kubernetes Operator — Sync Infisical secrets into native Kubernetes Secrets automatically.
Machine identities — Replace static tokens with OIDC, AWS IAM, Kubernetes Auth, and more.
Secret rotation — Automatic rotation for databases, AWS IAM, and custom webhooks.
Full audit log — Every access and change logged with user, IP, and timestamp.