infisical-self-host
Infisical Self-Hosted Deployment
This skill guides you through deploying, configuring, and operating Infisical in self-hosted environments. Whether you are running Infisical on Docker, Docker Compose, or Kubernetes, this resource covers essential setup, security hardening, scaling, and maintenance patterns.
Guiding Principles
-
ENCRYPTION_KEY is Critical: This key encrypts all secrets at rest. It is 16 bytes (32 hex characters), generated with
openssl rand -hex 16, and cannot be recovered if lost. Back it up and rotate it carefully following Infisical's rotation procedures. -
AUTH_SECRET is Required: This key is used for session and JWT signing. It is 32 bytes (base64), generated with
openssl rand -base64 32, and must be stable across restarts. -
Database Requirements: PostgreSQL 14+ is required. Always backup your database before upgrading Infisical. Schema migrations run automatically on boot (since v0.111.0-postgres).
-
Redis Configuration: Redis 6.2+ is required. Cluster mode is NOT supported; use standalone or Redis Sentinel for high availability. Standalone mode is simplest for development; use Sentinel for production HA.
-
Stateless Architecture: Infisical is stateless. Scale horizontally by adding more replicas. All state lives in PostgreSQL and Redis.
-
FIPS Compliance: FIPS 140-2 mode is available via the
infisical/infisical:latest-fipsimage. Enable withFIPS_ENABLED=trueand appropriate Node.js options.