Deploy Infisical open-source secrets manager on Ubuntu — centrally store, sync, and inject API keys and environment variables with RBAC and audit logging.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/dev/infisical/infisical-ubuntu.sh
chmod +x infisical-ubuntu.sh
sudo bash infisical-ubuntu.sh
```
The script installs Docker if needed, then sets up the service automatically.
Open your browser and navigate to:
http://<your-server-ip>:8080
Install the Infisical CLI, log in to your self-hosted instance, then use it to inject secrets directly into your application at runtime.
```bash
# Install the Infisical CLI from the Cloudsmith apt repository
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash
apt-get install -y infisical

# Log in to your self-hosted instance
infisical login --domain=http://<your-server-ip>:8080

# Run your app with secrets injected as environment variables
infisical run --projectId=YOUR_ID --env=prod -- node server.js
```
| Port | Purpose |
|---|---|
| 8080 | Infisical Web UI & API |
| 27017 | MongoDB (internal) |
| 6379 | Redis (internal) |
Infisical is an open-source secrets management platform — a self-hosted alternative to HashiCorp Vault and Doppler. It gives development teams a central dashboard to store, version, and distribute secrets (API keys, database credentials, TLS certificates, environment variables) across all services, environments, and developers. SDKs for Python, Node.js, Go, Java, .NET, and Ruby pull secrets dynamically at runtime, eliminating hard-coded credentials in .env files and source code. The audit log records every secret read, write, and share with a full timestamp and identity trail — essential for compliance.
Scattered .env files across developers' laptops and CI secrets that no one knows who added are the two most common sources of credential leaks in small engineering teams. Infisical centralises all secrets in one encrypted store, enforces RBAC (who can read prod secrets vs. dev secrets), and integrates with CI/CD pipelines and Kubernetes so services pull secrets fresh on every deploy — no more copying credentials into Slack messages.
Infisical's web UI and API run on port 8080 by default. Proxy it through Nginx Proxy Manager with a TLS certificate — the Infisical CLI and SDKs will call your domain over HTTPS. MongoDB (27017) and Redis (6379) are internal services and must not be exposed. If using Kubernetes secret injection, the Infisical Operator communicates with your Infisical server over HTTPS — ensure your server's certificate is valid.
HashiCorp Vault (very powerful, very complex — overkill for most teams), Doppler (cloud SaaS, excellent DX, no self-hosting), AWS Secrets Manager (cloud, pay-per-API-call), Vaultwarden (password manager for humans, not for service-to-service secret injection). Infisical is the best balance of simplicity and power for self-hosted secret management.
Skip Infisical if your project is a single-developer side project with 2–3 secrets — a well-managed .env file is simpler. Also skip it if you are deep in the AWS ecosystem where AWS Secrets Manager is already available, or if your organisation mandates HashiCorp Vault for compliance. Infisical shines for small-to-medium teams that want Doppler-quality developer experience without the SaaS price tag.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Vaultwarden is a password manager for humans — it stores login credentials, credit cards, and notes that people copy-paste. Infisical is a secrets manager for machines — it stores API keys, database URIs, and environment variables that services pull programmatically at runtime. They solve different problems. Many teams use both: Vaultwarden for team password sharing and Infisical for service credentials.
Use the Infisical CLI as the container entrypoint: CMD ["infisical", "run", "--", "node", "server.js"]. The CLI fetches secrets for the specified environment and injects them as environment variables before launching your process. Alternatively, use the language SDK (InfisicalClient in Python or Node.js) to pull secrets programmatically inside your application startup code.
For most small-to-medium teams, yes. Infisical covers the core Vault use cases: centralised secret storage, RBAC, audit logging, dynamic credentials, and Kubernetes integration — with a dramatically simpler setup. Vault's advanced features (PKI as a Service, transit encryption engine, LDAP auth) are not available in Infisical. If you need those, Vault remains the right choice.
Yes. Infisical has first-class CI/CD integrations. For GitHub Actions, use the official infisical/secrets-action. For GitLab CI and Woodpecker, use the Infisical CLI: `infisical export --env=prod > .env`, then `source .env` before your build steps. Machine identities with short-lived tokens are the recommended approach for CI — never use user account tokens in pipelines.
All secrets stored in Infisical are encrypted at rest using ENCRYPTION_KEY. If you lose this key, no stored secrets can be recovered — not even by Infisical support, since there is no server-side master key. Store ENCRYPTION_KEY in a separate secure location (a password manager, a hardware token, or a printed copy in a safe). This is the single most critical piece of infrastructure to protect.
Infisical supports manual secret rotation (update a value and all connected services pull the new value on next restart) and automatic rotation for supported integrations in the cloud edition. For self-hosted, implement rotation by updating the secret in the dashboard and using the SDK's dynamic fetch pattern so services pick up the new value without full redeployment.
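The "dynamic fetch pattern" mentioned above, and the SDK-at-startup approach from the container question, as an added example that is not Infisical's own SDK code: a small TTL cache around a fetch callable, so a long-running service picks up a rotated value without a restart. The `fetch_secret` callable and the backend store are constructed stubs standing in for a real Infisical SDK get-secret call.

```python
"""TTL-cached secret fetch: values are re-pulled from the secrets manager
after `ttl` seconds, so rotations propagate to a running process.
Added example; `fetch_secret` is an assumed stand-in for the real SDK call."""
import time
from typing import Callable, Dict, Tuple


class SecretCache:
    """Caches secret values for `ttl` seconds and re-fetches on expiry.

    `fetch_secret(name)` is assumed to return the current value from the
    secrets manager; `clock` is injectable so behaviour can be tested."""

    def __init__(self, fetch_secret: Callable[[str], str], ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch_secret
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # name -> (value, fetched_at)

    def get(self, name: str) -> str:
        now = self._clock()
        entry = self._cache.get(name)
        if entry is None or now - entry[1] >= self._ttl:
            value = self._fetch(name)          # miss or expired: pull fresh value
            self._cache[name] = (value, now)
            return value
        return entry[0]

    def invalidate(self, name: str) -> None:
        """Drop a cached value (e.g. after the backend rejects it as revoked)
        so the next get() fetches the rotated value immediately."""
        self._cache.pop(name, None)


def run_rotation_demo() -> Tuple[str, str, str, int]:
    """Simulate a rotation against a constructed backend with a fake clock."""
    store = {"DB_PASSWORD": "v1-initial"}     # constructed sample secret store
    fetches = {"n": 0}

    def fetch(name: str) -> str:
        fetches["n"] += 1                      # count round-trips to the backend
        return store[name]

    clock = {"t": 0.0}
    cache = SecretCache(fetch, ttl=30.0, clock=lambda: clock["t"])
    first = cache.get("DB_PASSWORD")          # fetched from backend at startup
    store["DB_PASSWORD"] = "v2-rotated"       # operator rotates the secret
    clock["t"] = 10.0
    stale = cache.get("DB_PASSWORD")          # within ttl: cached value served
    clock["t"] = 31.0
    fresh = cache.get("DB_PASSWORD")          # ttl expired: rotation picked up
    return first, stale, fresh, fetches["n"]
```

Calling `invalidate()` when a downstream service rejects a credential shortens the window in which a stale value is used to a single failed request rather than a full TTL.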
Yes. The Infisical Kubernetes Operator watches your cluster for InfisicalSecret custom resources and syncs secrets into Kubernetes native Secret objects. Pods reference these as standard envFrom or volume mounts — no application code changes. The operator re-syncs on a configurable interval so secret rotations propagate automatically to running pods.
Yes. Infisical is open-source under the MIT licence and completely free to self-host with all core features. The cloud-hosted Infisical.com has a generous free tier and paid plans for advanced features like SAML SSO, dynamic secrets, and priority support. Self-hosting gives you unlimited secrets, unlimited team members, and full data sovereignty at the cost of managing your own server.