Infisical’s KMS ensures the security of your project’s secrets through the following mechanisms:
Each project is assigned a unique workspace key, which is responsible for encrypting and decrypting secret values.
The workspace key itself is encrypted using the project’s configured KMS.
When secrets are requested, the workspace key is derived from the configured KMS. This key is then used to decrypt the secret values on demand before they are sent to the requesting client.
Infisical supports the use of external KMS solutions to enhance security and compliance. You can configure your project to use services like AWS Key Management Service or GCP Key Management Service for managing encryption.
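The key hierarchy described above (a per-project workspace key that encrypts secrets and is itself encrypted by the configured KMS) can be shown in Node.js. This is an added example, not Infisical's own code: `ExampleKms`, the helper names, the choice of AES-256-GCM and the `iv | tag | ciphertext` layout are all assumptions made for illustration.

```javascript
// Added illustration of the workspace-key / KMS hierarchy; not Infisical's source code.
const crypto = require("node:crypto");

// AES-256-GCM helpers. Blob layout (assumed for this example): iv | tag | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function unseal(key, blob) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]); // throws on bad tag
}

// Hypothetical stand-in for the project's configured KMS (internal or external).
// The root key stays private to this object; callers only get encrypt/decrypt.
class ExampleKms {
  #rootKey = crypto.randomBytes(32);
  encrypt(data) { return seal(this.#rootKey, data); }
  decrypt(blob) { return unseal(this.#rootKey, blob); }
}

// Project creation: generate a unique workspace key and persist only its encrypted form.
function createProject(kms) {
  const workspaceKey = crypto.randomBytes(32);
  const wrappedWorkspaceKey = kms.encrypt(workspaceKey);
  workspaceKey.fill(0); // the plaintext key is not kept around
  return { wrappedWorkspaceKey, secrets: new Map() };
}

// Recover the workspace key through the KMS for a single operation, then wipe it.
function withWorkspaceKey(kms, project, fn) {
  const key = kms.decrypt(project.wrappedWorkspaceKey);
  try { return fn(key); } finally { key.fill(0); }
}

function setSecret(kms, project, name, value) {
  withWorkspaceKey(kms, project, (k) => project.secrets.set(name, seal(k, Buffer.from(value, "utf8"))));
}

function getSecret(kms, project, name) {
  return withWorkspaceKey(kms, project, (k) => unseal(k, project.secrets.get(name)).toString("utf8"));
}
```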