Open-Source Secret Management with Infisical

In recent years, we have seen several high-profile data breaches due to poor secrets management practices, resulting in millions of sensitive records compromised and hundreds of millions of dollars in financial losses. Secrets management is critical for an organization's application development and deployment life cycle because it ensures that sensitive information such as passwords, API keys, and other credentials are securely stored and managed. Additionally, a good strategy facilitates secure collaboration and deployment of applications across different environments, thereby promoting agile and efficient development practices.

There are several commercial and open-source secrets management solutions, with Hashicorp Vault probably being the most popular one. While Vault is widely used and highly regarded, users often complain about the complexity of setting it up and integrating with their CI/CD pipelines. Enter Infisical, a relatively new entrant to this space, hoping to lure folks with an improved developer experience.

What is Infisical?

Infisical is an open-source, end-to-end encrypted secrets management platform that organizations can use to manage secrets like passwords, API keys, database credentials, and configurations. It offers several cool features:

• Fully managed cloud as well as a self-hosted option
• User-friendly web interface and programmatic access (SDKs, API)
• Command-line interface (CLI) to fetch and inject secrets into frameworks
• Native integrations with cloud services like GitHub, Vercel, Netlify etc.
• Secret versioning and point-in-time recovery
• Role-based access controls and audit logs
• Secret scanning and leak prevention (similar to Trufflehog)

Deploy Infisical using One-Click Starter on Railway

Railway is a modern app hosting platform that makes it easy to deploy production-ready apps quickly. Sign up for an account using GitHub, and click Authorize Railway App when redirected. Review and agree to Railway's Terms of Service and Fair Use Policy if prompted. Railway does not offer an always-free plan anymore, but the free trial is good enough to try this. Launch the Infisical one-click starter template (or click the button below) to deploy the app instantly on Railway.

You'll be given an opportunity to change the default repository name and set it private, if you'd like. Infisical requires you to provide a few environment variables, listed below. For each variable, populate the value, and click Deploy; the deployment will kick off immediately.

• ENCRYPTION_KEY: required, default: none
• AUTH_SECRET: required, default: none
• MONGO_URL: required, default: none; hidden in the template, this will be auto-populated by Railway once the MongoDB instance is created.
• REDIS_URL: required, default: none; hidden in the template, this will be auto-populated by Railway once the Redis instance is created.

If you want to set up multi-factor authentication, send invite links to teammates via email, or send alerts such as suspicious login attempts, you'll also need to configure the email service. The one-click template does not include the following optional SMTP environment variables; if you need them, add them to the service in the Railway Variables tab, and redeploy the service to take effect. See this guide for configuration details of specific email providers.

• SMTP_HOST: hostname to connect to for SMTP connections
• SMTP_USERNAME: SMTP credentials
• SMTP_PASSWORD: SMTP credentials
• SMTP_PORT: port to connect to for SMTP connections
• SMTP_SECURE: default is false; if true, SMTP connection will use TLS
• SMTP_FROM_ADDRESS: email address for sending emails
• SMTP_FROM_NAME: name label for sending emails

You can also configure additional environment variables to sync secrets to third party services, or integrate with external authentication providers. See this guide for additional details. Once the deployment completes, Infisical will be available at a default xxx.up.railway.app domain - launch this URL to access the app. If you are interested in setting up a custom domain, I covered it at length in a previous post - see the final section here.

Deploy Infisical using Docker Image on Render

Render is another modern app hosting platform that makes it easy to deploy production-ready apps quickly. Sign up for an account using email or one of the Git providers, and create the Infisical web service. While Render offers a managed PostgreSQL service, it does not offer a document database like MongoDB, which is required by Infisical. To work around this limitation, let's provision a managed MongoDB instance on Railway instead.

Assuming you already have a Railway account (if not, see the previous section), create a new project and provision a MongoDB instance.

Once provisioned, click on the instance and look for the MONGO_URL variable under the Connect tab. Copy the value - we'll need it on Render shortly.

Log in to the Render dashboard, and click New Web Service.

You can either deploy from the Infisical git repository, or from a registry image. Select the Deploy an existing image from a registry option and click Next.

If you don't see the second option, you may need to enable the Deploy from external registries feature from the Early Access section of your profile.

Provide the docker image location, and click Next.

Specify a name (say infisical) for your web service, choose the default Free plan, and click Advanced to specify the necessary environment variables. Click the Generate button to auto-populate values for all the variables except MONGO_URL, for which you should specify the Railway MongoDB URL you copied earlier. Click Next to create the web service. Shortly, the Infisical app will be available at a default xxx.onrender.com domain. If you want to set up a custom domain, see this guide from Render.

Deploy Infisical using 1-Click App on DigitalOcean

Infisical can also be deployed on a Kubernetes cluster using a 1-click application from the DigitalOcean marketplace. By deploying on Kubernetes, you can ensure that the application is fault-tolerant, highly available, and scalable. To make the deployment process streamlined, the 1-click app uses Kubernetes helm charts under the hood. If you don't have a DigitalOcean account, sign up here - you’ll receive a $200, 60-day credit when you add a valid payment method. Set up your team and project, and click this link or the button below.

Select a new Kubernetes cluster to install this app on, and click Install. Note that if you need to make changes to the default settings (e.g. environment variables), you'll need to deploy the helm charts manually instead of this 1-click method.

Choose the datacenter region, Kubernetes version (the latest version is the default and recommended), cluster capacity (3 nodes with default node plan), cluster name, and click Create Cluster. Once the deployment completes, launch Infisical web interface using the load balancer's IP addressed created by Kubernetes.

By default, a TLS certificate is not provisioned and the communication occurs over an unencrypted channel. If you manage your domain with DigitalOcean DNS, you can use DigitalOcean to generate and automatically renew a free Let's Encrypt certificate. To do this, navigate to Settings > Security in DigitalOcean, and click Add Certificate to add a free Let's Encrypt certificate to the load balancer (follow this guide). If you manage your DNS with a different provider, you'll need to use the Bring your own certificate option instead.

Getting Started with Infisical Secrets Management

Once you have deployed Infisical, whether on Railway, Render or DigitalOcean, launch the web interface to get started. Click Sign up and then Sign up with email, and provide the email address to use. Complete the additional details, specify a password, and click Sign Up.

Infisical uses end-to-end encryption (E2EE) to store and share secret values. It uses secure remote password for authentication, and public-key cryptography for secret sharing and sync; see their security statement for more details. In case you are locked out of your account, the Secret Key documented in the Emergency Kit is the only way to access and recover your account. You are recommended to download, print, or otherwise keep it digitally and physically secure.

Once you download the PDF kit, you'll be taken to the dashboard, which provides a quick overview of the secrets stored across predefined project environments. By default, you'll see Development, Staging, and Production pre-populated.

Click on either of the environments to view existing secrets, and to create a new secret. You can create a secret manually, programmatically using the SDKs or API, or by uploading secret files (.env, .json, or .yml).

You can assign roles and privileges to individual users across your environments from the Members tab. You can create or modify project environments, secret tags, and decide whether E2EE is necessary for your organization from Project Settings. You can also create service tokens for authenticating the Infisical CLI or granting Infisical SDKs access to specific environments and secret scopes.

Infisical offers 50+ integrations with cloud service providers and frameworks to sync secrets with CI/CD pipelines and for other operations. Click on Integrations to view and configure access to the providers.

Finally, click on Audit Logs to view all actions going through Infisical, including the operation, user and timestamp.

As you can see, Infisical is quite powerful in what it offers, with plenty more capabilities on the roadmap.