Powering a Tool Used by Millions: How Excalidraw Replaced .env Sprawl with Self-Hosted Infisical

A day-zero approach to secrets that lets engineers ship without thinking about them.

Excalidraw · Europe · 11-50 employees
“Infisical is much simpler, much safer. If you want to move fast and be secure at the same time, Infisical is what you want.”
Milos Vetesnik, Co-founder
Key Results
  • Onboarded new engineers in a single command, eliminating environment setup friction
  • Removed key-person risk on production credentials with a zero-trust access model and SSOT
  • Self-hosted, end-to-end encrypted secrets management that keeps sensitive data inside their own infrastructure
The Challenge: Secrets Sprawl Across a Growing Monorepo
Excalidraw’s early secrets setup was simple: .env files passed between engineers, with production access concentrated in the hands of Milos and his co-founder David. It worked at first. Then the team migrated to an NX monorepo, and the environment quickly got out of hand. 
As Milos described it, “since our project grew, we needed to change our coding style. We created a monorepo. For monorepo, we used NX, and suddenly the environment was starting to get crazy. Each project had its own environment variables, everyone has local dev. We weren’t happy with it.”
What this looked like day-to-day:
  • Engineers manually wrote and updated local environment variables, constantly
  • Sharing secrets across the team was ad-hoc and error-prone
  • Each new project added another set of variables to manage
  • Production credentials lived with two people, creating real key-person risk
Security wasn’t a compliance checkbox for Excalidraw either. It was a day-zero principle. That ruled out cloud-only tools. The team needed something they could self-host, that encrypted secrets at rest, and that wouldn’t add another piece of software for engineers to live inside of.
The Solution: Self-Hosted, Open-Source, and Built Around How They Work
Excalidraw’s co-founder spotted Infisical on X right as the NX migration was underway, and the timing made the evaluation easy. The team needed something that could centralize secrets across the monorepo without forcing them into a cloud-only tool or onto infrastructure they didn’t control.
Their must-haves were clear:
  • Self-hosted deployment on their own infrastructure
  • End-to-end encryption, so a stolen database wouldn’t expose secrets
  • A clean way to share environment variables across a growing team
  • An open-source foundation they could try before committing
The team looked at a few options, including Bitwarden and HashiCorp Vault, before testing Infisical’s open-source version. It did exactly what they needed without ceremony. 
Sharing environment variables across the team finally worked the way it should, and self-hosting kept sensitive data inside infrastructure Milos trusted. As he put it, “with environment variables, I wouldn’t trust my mother. I’d like to place it in my own infrastructure and encrypt it.”
Infisical delivered:
  • Self-hosted deployment with end-to-end encryption
  • Open-source foundation that allowed try-before-buy evaluation
  • Native fit with their NX monorepo workflow
  • SSO and role-based access for compliance, with developers limited to dev environments and production access reserved for Milos and his other co-founder, David Luza.
The Results: Secrets Management That Stays Out of the Way
For Excalidraw, the measure of success wasn’t a flashy dashboard or a list of features used. It was the opposite. The team wanted secrets management to disappear into the background of normal development work, and that’s what Infisical delivered.
The day-to-day workflow now looks like this: engineers run infisical login once, then run their NX commands. Environment variables inject automatically into each project, cached locally so rebuilds don’t repeatedly hit the server. New environments are added in Infisical and they’re available. That’s the whole loop.
As Milos put it, “what I like about Infisical is that I don’t actually think about it. I just run the commands and it works.”
Onboarding got compressed to almost nothing when it came to managing env files. New engineers install Infisical, run a single command, and start working. No environment setup ritual, no .env files to track down, no asking a senior engineer for credentials.
Beyond the daily workflow, the team got the structural controls they’d been missing. Excalidraw moved to a zero-trust production access model with strict role-based controls. Production access is now limited to the technical co-founders, and developers see only their dev environments. SSO ties access into the team management system, and the same setup carried Excalidraw through SOC 2 Type I and Type II certification.
Key Outcomes
  • Secrets management runs in the background of daily development
    • Engineers authenticate once and environment variables inject automatically into every NX project
    • Custom NX wrappers around Infisical make secret distribution part of the build pipeline rather than a separate workflow
  • Onboarding for new engineers compressed to a single command
  • Eliminated key-person risk on production credentials
    • Zero-trust production access model with strict role-based controls, separating dev from prod and limiting production access to the technical co-founders
    • SSO unifies access management with the rest of the team’s tooling
  • Self-hosted deployment kept sensitive data inside Excalidraw’s own infrastructure
    • End-to-end encryption means a stolen database wouldn’t expose secrets
    • Infisical powers secrets management across 26 production workloads: 23 application services plus Docker, automation, and queue integrations
  • Day-zero security validated by SOC 2 Type I and Type II certification
    • Infisical was part of the tech stack Excalidraw upgraded for SOC 2, alongside Nx, monitoring, and VPN. You can read their write-up about their process. 
Infisical: Secrets Management for Teams That Want to Move Fast
When secrets management gets in the way, fast-moving teams either slow down or take shortcuts. Infisical gives engineering teams a system that works in the background, with the controls and self-hosted flexibility that hold up as the team grows.