This guide covers all deployment methods for self-hosting Infisical on your infrastructure. Choose the deployment method that best fits your environment and operational requirements.
Current Version: v0.158.5 (February 2026)
| Method | Best For | Complexity | Maintenance |
|---|---|---|---|
| Docker Compose | Small teams, homelabs, quick deployment | Low | Medium |
| Kubernetes (Helm) | Production, scalable environments | Medium | Low |
| Ansible | Automated deployments, configuration management | Medium | Low |
| Linux Binary | Bare-metal, non-containerized environments | High | High |
All deployment methods require:
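# Install Git for repository management
sudo apt-get update && sudo apt-get install -y git

# Private scratch directory for the downloaded installer scripts.
installer_dir=$(mktemp -d)

# Install Docker (for container deployments)
# The installer is saved to a file rather than piped straight into a shell:
# a failed or truncated download is never executed, and the script can be
# read before it is run.
curl -fsSL https://get.docker.com -o "$installer_dir/get-docker.sh" \
  && sh "$installer_dir/get-docker.sh"
# Membership in the docker group allows starting privileged containers, which
# is equivalent to root on this host; it takes effect at the next login.
sudo usermod -aG docker "$USER"

# Install Docker Compose Plugin
sudo apt-get install -y docker-compose-plugin

# Install Helm (for Kubernetes deployments)
# -f makes curl fail on an HTTP error instead of handing an error page to bash.
# NOTE(review): this URL tracks the main branch, so the script content can
# change between runs; review it before executing.
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
  -o "$installer_dir/get-helm-3" \
  && bash "$installer_dir/get-helm-3"

# Install Ansible (for automation)
sudo apt-get install -y ansible

rm -rf -- "${installer_dir:?}"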
For most users, Docker Compose provides the fastest path to a working Infisical installation.
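# Working directory for the compose project, TLS material and data volumes
mkdir -p ~/infisical/{nginx/certs,volumes/postgres,volumes/redis}
cd ~/infisical

# The echo lines below print the secrets to the terminal so they can be
# recorded; they will remain in terminal scrollback and in any session log.

# Generate encryption key (16 random bytes, printed as 32 hex characters)
ENCRYPTION_KEY=$(openssl rand -hex 16)
echo "ENCRYPTION_KEY=$ENCRYPTION_KEY"

# Generate auth secret (32 random bytes, base64 encoded)
AUTH_SECRET=$(openssl rand -base64 32)
echo "AUTH_SECRET=$AUTH_SECRET"

# Generate database password (24 random bytes, printed as 48 hex characters).
# Hex is used instead of base64 because this value is embedded in the
# postgres:// connection URI: base64 output can contain "/" and "+", which
# would have to be percent-encoded there.
DB_PASSWORD=$(openssl rand -hex 24)
echo "DB_PASSWORD=$DB_PASSWORD"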
Create .env file with your generated values:
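# Refuse to write a .env with empty secrets (for example when this step is
# run in a new shell where the generated values are no longer set).
: "${ENCRYPTION_KEY:?generate ENCRYPTION_KEY first}"
: "${AUTH_SECRET:?generate AUTH_SECRET first}"
: "${DB_PASSWORD:?generate DB_PASSWORD first}"

# Create the file owner-only before any secret is written to it; the
# redirection below keeps the mode of an existing file.
touch .env
chmod 600 .env

# The heredoc delimiter is unquoted, so the shell expands variables while
# writing the file. POSTGRES_USER, POSTGRES_PASSWORD and POSTGRES_DB are not
# shell variables here, so the connection URI is written with literal
# user/database names and the generated password.
# If DB_PASSWORD contains URI-reserved characters (such as "/" or "+"), it
# must be percent-encoded in DB_CONNECTION_URI.
cat > .env << EOF
# Site Configuration
SITE_URL=https://infisical.example.com
# Security Keys (replace with generated values above)
ENCRYPTION_KEY=$ENCRYPTION_KEY
AUTH_SECRET=$AUTH_SECRET
# PostgreSQL Configuration
POSTGRES_USER=infisical
POSTGRES_PASSWORD=$DB_PASSWORD
POSTGRES_DB=infisical
DB_CONNECTION_URI=postgres://infisical:${DB_PASSWORD}@db:5432/infisical
# Redis Configuration
REDIS_URL=redis://redis:6379
# Optional: SMTP for email notifications
# SMTP_HOST=smtp.example.com
# SMTP_PORT=587
# SMTP_USERNAME=user@example.com
# SMTP_PASSWORD=password
# SMTP_FROM_ADDRESS=noreply@example.com
# SMTP_FROM_NAME=Infisical
EOF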
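# Write the compose file. The delimiter is quoted ('EOF') so that ${...}
# references are stored literally and resolved later by docker compose from
# the .env file in this directory, not by the current shell.
cat > docker-compose.yml << 'EOF'
services:
  backend:
    # NOTE(review): "latest-postgres" is a moving tag. Pin a specific release
    # tag so upgrades of the secrets manager are deliberate and reproducible.
    image: infisical/infisical:latest-postgres
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
      db-migration:
        condition: service_completed_successfully
    env_file: .env
    environment:
      - NODE_ENV=production
    ports:
      # Published on loopback only: the API speaks plain HTTP and is meant to
      # sit behind the TLS reverse proxy on this host. Ports published by
      # Docker are typically not filtered by host firewall rules, so
      # "8080:8080" would expose the unencrypted API on every interface.
      - "127.0.0.1:8080:8080"
    networks:
      - infisical
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/api/status"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    # No env_file here: Redis does not need ENCRYPTION_KEY, AUTH_SECRET or the
    # database password, so they are not injected into this container.
    volumes:
      - ./volumes/redis:/data
    networks:
      - infisical
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  db:
    image: postgres:14-alpine
    restart: unless-stopped
    # Only the PostgreSQL settings are passed in; the application secrets in
    # .env stay out of the database container.
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - ./volumes/postgres:/var/lib/postgresql/data
    networks:
      - infisical
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 10

  db-migration:
    image: infisical/infisical:latest-postgres
    depends_on:
      db:
        condition: service_healthy
    env_file: .env
    command: npm run migration:latest
    networks:
      - infisical

networks:
  infisical:
    driver: bridge
EOF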
# Start all services in the background (detached)
docker compose up -d
# Check container status
docker compose ps
# View logs (-f keeps following the backend log until interrupted with Ctrl-C)
docker compose logs -f backend
# Test API endpoint over plain HTTP on the local host port
curl http://localhost:8080/api/status
https://infisical.example.com
For production deployments, configure a reverse proxy with TLS termination:
# HTTPS virtual host: terminates TLS and forwards requests to the Infisical
# backend listening on local port 8080.
# NOTE(review): no Strict-Transport-Security header is set here; consider
# adding one once HTTPS is confirmed working.
server {
    listen 443 ssl http2;
    server_name infisical.example.com;

    # Certificate and private key paths (Let's Encrypt directory layout)
    ssl_certificate     /etc/letsencrypt/live/infisical.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/infisical.example.com/privkey.pem;

    # Only TLS 1.2 and 1.3 are offered; anonymous and MD5-based suites are excluded
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://localhost:8080;

        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HTTP/1.1 plus Upgrade/Connection headers for upgraded connections
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name infisical.example.com;

    return 301 https://$server_name$request_uri;
}
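#!/bin/bash
# backup-infisical.sh
#
# Dumps the Infisical PostgreSQL database and copies the .env file (which
# holds ENCRYPTION_KEY and AUTH_SECRET) into BACKUP_DIR, then prunes backups
# older than 7 days.
#
# The .env copy stored next to the database dump gives anyone who can read
# BACKUP_DIR everything needed to decrypt the data. Keep the directory
# access-restricted and consider encrypting the backups or storing the key
# copy in a separate location.

# Stop on the first failure (including a failed pg_dump inside the pipeline)
# so a broken dump is never reported as a completed backup.
set -euo pipefail
# Backup files contain secrets: create them readable by the owner only.
umask 077

BACKUP_DIR="/backup/infisical"
# Directory holding docker-compose.yml and .env. cron does not start in this
# directory, so it is entered explicitly below.
COMPOSE_DIR="${COMPOSE_DIR:-$HOME/infisical}"
DATE=$(date +%Y%m%d_%H%M%S)
# Compose service name of the database. Compose derives container names from
# the project name unless container_name is set, so the container is
# addressed through its service instead of a fixed container name.
DB_SERVICE="db"
DB_USER="infisical"
DB_NAME="infisical"

mkdir -p -- "$BACKUP_DIR"
cd -- "$COMPOSE_DIR"

# Backup PostgreSQL database
# The dump is written under a temporary name and renamed only after the whole
# pipeline succeeded, so a truncated file never looks like a valid backup.
db_dump="$BACKUP_DIR/infisical_db_$DATE.sql.gz"
trap 'rm -f -- "$db_dump.partial"' EXIT
# -T disables TTY allocation, which is required when running from cron.
docker compose exec -T "$DB_SERVICE" pg_dump -U "$DB_USER" "$DB_NAME" \
  | gzip > "$db_dump.partial"
mv -- "$db_dump.partial" "$db_dump"

# Backup encryption keys (CRITICAL)
cp -- .env "$BACKUP_DIR/infisical_env_$DATE.backup"

# Remove backups older than 7 days (only this script's own files, top level only)
find "$BACKUP_DIR" -maxdepth 1 -type f -name "infisical_db_*.sql.gz" -mtime +7 -delete
find "$BACKUP_DIR" -maxdepth 1 -type f -name "infisical_env_*.backup" -mtime +7 -delete

echo "Backup completed: $DATE"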
Add to crontab:
# Run the backup script every day at 02:00
0 2 * * * /path/to/backup-infisical.sh
Detailed Docker Compose setup with production hardening:
→ Infisical Docker Setup
Helm chart deployment with operator support:
→ Infisical Kubernetes Setup
Automated deployment with Ansible playbooks:
→ Infisical Ansible Setup
Native installation without container dependencies:
→ See Linux Binary Installation below
For environments that don’t use containers:
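# Dedicated system account with no login shell for running the service
sudo useradd --system --shell /bin/false --home-dir /opt/infisical infisical
sudo mkdir -p /opt/infisical
sudo chown infisical:infisical /opt/infisical
cd /opt/infisical

# /opt/infisical now belongs to the service account, so the download and the
# following file operations need sudo to write there.
# NOTE(review): "latest" is a moving target; download a specific release for
# reproducible installs.
sudo wget -O /opt/infisical/infisical-linux-amd64 \
  https://github.com/Infisical/infisical/releases/latest/download/infisical-linux-amd64

# Verify the download before it is made executable. If the release publishes
# checksums, compare the output of the command below with the published value:
#   sha256sum /opt/infisical/infisical-linux-amd64   # expect <sha256-from-release-page>

sudo chmod +x /opt/infisical/infisical-linux-amd64
# NOTE(review): with this ownership the service account can modify its own
# executable; a root-owned binary outside the service's writable paths would
# be stricter.
sudo chown infisical:infisical /opt/infisical/infisical-linux-amd64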
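sudo mkdir -p /etc/infisical

# Create the file with its final owner and mode (root:infisical, 640) before
# any secret is written, so it is never world-readable, even briefly.
sudo install -m 640 -o root -g infisical /dev/null /etc/infisical/environment

# `sudo cat > file` does not work: the redirection is opened by the calling
# (unprivileged) shell, not by sudo. tee runs as root and writes the file.
# The delimiter is quoted so values containing "$" are stored literally.
sudo tee /etc/infisical/environment > /dev/null << 'EOF'
SITE_URL=https://infisical.example.com
ENCRYPTION_KEY=<your-encryption-key>
AUTH_SECRET=<your-auth-secret>
DB_CONNECTION_URI=postgres://user:pass@localhost:5432/infisical
REDIS_URL=redis://localhost:6379
EOF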
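# `sudo cat > file` does not work: the redirection is opened by the calling
# (unprivileged) shell, not by sudo. tee runs as root and writes the unit file.
sudo tee /etc/systemd/system/infisical.service > /dev/null << 'EOF'
[Unit]
Description=Infisical Secret Management
After=network.target postgresql.service redis.service

[Service]
Type=simple
User=infisical
Group=infisical
WorkingDirectory=/opt/infisical
ExecStart=/opt/infisical/infisical-linux-amd64
Restart=always
RestartSec=10
EnvironmentFile=/etc/infisical/environment
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/infisical
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LimitCORE=0
MemorySwapMax=0

[Install]
WantedBy=multi-user.target
EOF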
# Make systemd re-read unit files so the new infisical.service is known
sudo systemctl daemon-reload
# Enable the service at boot and start it right away
sudo systemctl enable --now infisical
# Show the current state of the service
sudo systemctl status infisical
# Check logs
docker compose logs backend
# Verify environment variables
# NOTE(review): this prints the resolved configuration, which likely includes
# the values loaded from .env — treat the output as sensitive and do not paste
# it into tickets or chats.
docker compose config
# Check database connectivity
# NOTE(review): requires a ping binary inside the backend image — confirm it is present
docker compose exec backend ping db
# Re-run migrations manually
docker compose run --rm db-migration
# Check database status (lists the tables in the default database for user infisical)
docker compose exec db psql -U infisical -c "\dt"
# Verify service is running
docker compose ps
# Check port binding (shows which address port 8080 is listening on)
netstat -tlnp | grep 8080
# Test locally
curl http://localhost:8080/api/status