A blog about my experience with software, tech and more

[Open Source] Hosting a self managed secrets manager with Infisical

Infisical is an open source secrets management platform that can be used to store secrets like API keys and database credentials, and to create a certificate authority, which is what originally attracted me to it.

I had a lot of fun setting it up on my own servers, but you can most certainly use Docker and Kubernetes to simplify your deployment.

Architecture
Infisical uses PostgreSQL for persistence and Redis for caching (Valkey works just as well as a drop-in replacement).

System Requirements
Hosting it is not particularly demanding. I used an Ubuntu 24.04 VM with 4GB of RAM and 4 vCPUs.

Deployment Steps

Start by updating your server.

$ sudo apt update && sudo apt upgrade -y

Run this on your PostgreSQL server (replace the bracketed values with your own):

CREATE USER [db_user] WITH PASSWORD '[password]';
CREATE DATABASE [db_name];
-- Schema grants are per database: connect to the new database first (\c [db_name] in psql).
GRANT USAGE ON SCHEMA public TO [db_user];
GRANT CREATE ON SCHEMA public TO [db_user];
GRANT ALL PRIVILEGES ON DATABASE [db_name] TO [db_user]; -- You can be granular with this, but this will do for now.

Run the following commands to install Infisical on the server.

$ curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-core/setup.deb.sh' | sudo -E bash
$ sudo apt-get update && sudo apt-get install -y infisical-core

Create the Infisical directory in /etc and open the configuration file for editing.

$ sudo mkdir /etc/infisical && sudo nano /etc/infisical/infisical.rb

Paste the following lines into the open editor. Replace the bracketed values with your own:

infisical_core['ENCRYPTION_KEY'] = '[Replace with your 32-character hex key]'
infisical_core['AUTH_SECRET'] = '[Replace with your generated secret]'

# Example database connection strings

infisical_core['DB_CONNECTION_URI'] = 'postgres://[username]:[password]@[server address]:[port]/[database name]'
infisical_core['REDIS_URL'] = 'redis://[redis address]:[port]'

Reconfigure and start the Infisical server with the first command, then check that the service is up with the second.

$ sudo infisical-ctl reconfigure
$ sudo infisical-ctl status

You can monitor the service using the tail command. Very useful in my experience and a handy go-to place for troubleshooting.

$ infisical-ctl tail
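Since infisical.rb holds the master encryption key, here is a small added helper script of my own (not part of Infisical) that generates the two secrets and sanity-checks a config file before you reconfigure. It assumes the key is 16 random bytes written as 32 hex characters (what `openssl rand -hex 16` would give you) and uses /dev/urandom so it has no openssl dependency; the 32-character minimum for AUTH_SECRET is my own choice.

```shell
#!/usr/bin/env bash
# Generate secrets for /etc/infisical/infisical.rb and check an existing file.
# Assumed formats: ENCRYPTION_KEY = 16 random bytes as 32 hex chars,
# AUTH_SECRET = 32 random bytes, base64 encoded.

gen_encryption_key() { od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; }
gen_auth_secret()    { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Print the quoted value of one infisical_core['KEY'] = '...' line.
config_value() {  # $1 = file, $2 = key name
    sed -n "s/^infisical_core\['$2'] *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if the config looks deployable, 1 otherwise; prints each finding.
check_infisical_config() {  # $1 = path to infisical.rb
    local f="$1" rc=0 mode key secret k v
    # The file holds the master key: only root should be able to read it.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "FAIL: $f mode is $mode, expected 600"; rc=1
    fi
    key=$(config_value "$f" ENCRYPTION_KEY)
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo "FAIL: ENCRYPTION_KEY is not 32 hex characters"; rc=1
    fi
    secret=$(config_value "$f" AUTH_SECRET)
    if [ "${#secret}" -lt 32 ]; then
        echo "FAIL: AUTH_SECRET is missing or shorter than 32 characters"; rc=1
    fi
    # A leftover [placeholder] from the template means the value was never filled in.
    for k in ENCRYPTION_KEY AUTH_SECRET DB_CONNECTION_URI REDIS_URL; do
        v=$(config_value "$f" "$k")
        case "$v" in
            ''|*'['*) echo "FAIL: $k is unset or still contains a [placeholder]"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run `check_infisical_config /etc/infisical/infisical.rb` after editing the file; a non-zero exit means at least one finding was printed.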

[Optional] Create a reverse proxy using nginx.
If the service is running, it listens on port 8080. I like to reverse proxy it, though. Also, remember to use HTTPS; there's no excuse not to nowadays. Let's Encrypt can get you free certificates, and certbot simplifies the process. You can use other services, though.

server {
    listen 80;
    server_name [host name];
    # Redirect all HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name [host name];
    ssl_certificate [certificate path];
    ssl_certificate_key [key path];
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:[port]/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / /;
    }
}

Once done, you should be able to see the dashboard at http://[your-ip]:[port], or at https://[your-ip] if you created a reverse proxy.

That’s it. Hope this helps.