Threat model
Infisical’s (the software) threat model spans communication, storage, response mechanisms, and more.- Eavesdropping on communications: Infisical secures client communication with the server and from the server to the storage backend.
- Tampering with data (at rest or in transit): Infisical implements data integrity checks to detect tampering. If inconsistencies are found, Infisical aborts transactions and raises alerts.
- Unauthorized access (lacking authentication/authorization): Infisical mandates rigorous authentication and authorization checks for all inbound requests; it also offers multi-factor authentication and role/attribute-based access controls.
- Actions without accountability: Infisical logs events, including policy updates, queries/mutations applied to secrets, certificates, and more. Every event is timestamped and information about actor, source (i.e. IP address, user-agent, etc.), and relevant metadata is included.
- Breach of data storage confidentiality: Infisical encrypts all stored secrets using proven cryptographic techniques for symmetric encryption.
- Unrecognized suspicious activities: Infisical monitors for any anomalous activities such as authentication attempts from previously unseen sources.
- Unidentified system vulnerabilities: Infisical undergoes penetration tests and vulnerability assessments twice a year; we act on findings to bolster the system’s defense mechanisms.
- Uncontrolled access to the storage mechanism: An attacker with unfettered access to the storage system can manipulate data in unpredictable ways, including erasing or tampering with stored secrets. Furthermore, the attacker could potentially implement state rollbacks to favor their objectives.
- Disclosure of secret presence: If an adversary gains read access to the storage backend, they might discern the existence of certain secrets, even if the actual contents remain encrypted and concealed.
- Runtime memory intrusion: An attacker with capabilities to probe the memory state of a live instance of Infisical can potentially compromise data confidentiality.
- Vulnerabilities in affiliated systems: Some functionality may rely on third-party services and dependencies. Security lapses in these dependencies can indirectly jeopardize the confidentiality or integrity of the secrets.
- Breaches via compromised clients: If a system or application accessing Infisical is compromised, and its credentials to the platform are exposed, an attacker might gain access at the privilege level of that compromised entity.
- Configuration tampering by administrators: Any configuration data, whether supplied through admin interfaces or configuration files, needs scrutiny. If an attacker can manipulate these configurations, it poses risks to data confidentiality and integrity.
- Physical access to deployment infrastructure: An attacker with physical access to the servers or infrastructure where Infisical is deployed can potentially compromise the system in ways that are challenging to guard against, such as direct hardware tampering or booting from malicious media.
- Social engineering attacks on personnel: Attacks that target personnel, tricking them into divulging sensitive information or performing compromising actions, fall outside the platform’s direct defensive purview.
External threat overview
Infisical’s architecture consists of various systems which together we refer to as the Infisical platform:- Server: The Infisical API that serves requests.
- Clients: The Web UI and other applications that send requests to the server.
- Storage backend: PostgreSQL used by the server to persist data.
- Redis: Used by Infisical for caching, queueing and cron job scheduling.
Internal threat overview
Within Infisical, an internal threat and critical security concern is an attacker gaining access to sensitive data that they are not permitted to, especially if they are able to authenticate with some degree of access to the system. Before a client can perform any actions on the platform, it must authenticate with the server using a supported authentication method such as username-password, SAML, SSO, LDAP, AWS/GCP/Azure, OIDC, or Kubernetes authentication. A successful authentication results in the issuance of a client (JWT) token containing a reference to the user or machine identity bound to it. When a client uses the token to make authenticated requests against the server, Infisical validates the token and maps the bound-identity to access control policies that exist at the organization and project level, both types of namespaces within the platform. The access control policies are configured by operators of Infisical ahead of time and may involve role-based, attribute-based, and one-off “additional privilege” resource constraints. Given the robustness of the access control system, we recommend reading the full documentation for it. For example, an operator of Infisical may define the following constraints to restrict client access to particular resources:- Read and write access to a secret resource via an additional privilege attached to the bound-identity.
- Read-only access to a secret resource via one or multiple roles attached to the bound-identity.
- Read-only access to a secret resource via a group membership for which the associated bound-identity is part of; the group itself is assigned one or multiple roles with access to the secret resource.
Cryptography
Overview
All symmetric encryption operations in Infisical, with the exception of those proxied through External KMS and HSM systems, use a software-backed 256-bit Advanced Encryption Standard (AES) cipher in Galois Counter Mode (GCM) with 96-bit nonces, AES-256-GCM. This authenticated encryption scheme provides both confidentiality and integrity guarantees for all encrypted data. Infisical employs a multilayer encryption architecture where keys are organized hierarchically. Each layer encrypts the layer below it, ensuring that accessing any sensitive data requires both server configuration (the root encryption key) and data from the storage backend. This defense-in-depth approach means that compromising the database alone is insufficient to decrypt sensitive data.Key Hierarchy
The following diagram illustrates Infisical’s key hierarchy, showing how encryption keys are organized and how they protect data at different levels of the platform.Root Encryption Key
The root encryption key is a 256-bit AES key provided by the operator as an environment variable. This key is the foundation of Infisical’s encryption architecture and never leaves the server’s memory during operation. Key characteristics:- Size: 256-bit AES key, provided as an environment variable
- Source: Operator-provided environment variable
- Purpose: Encrypts the Internal KMS Root Key
- Storage: Exists as an environment variable accessible by the Infisical runtime.
Internal KMS Root Key
The Internal KMS Root Key is automatically generated when an Infisical instance starts for the first time. This key serves as an intermediate layer between the operator-provided root key and tenant-specific data keys. Key characteristics:- Size: 256-bit AES
- Generation: Cryptographically secure random bytes via Node.js’s core cryptographic library.
- Purpose: Encrypts all organization and project data keys
- Storage: Encrypted at rest using the Root Encryption Key and stored in the database
Organization & Project Data Keys
Data keys are the encryption keys that directly protect sensitive data within Infisical. Each organization and each project has its own dedicated data key, providing cryptographic isolation between tenants. Organization Data Keys protect organization-level sensitive data, including:- SSO and SAML configurations
- Machine Identities
- SCIM provisioning settings
- Organization-level integrations and credentials
- Secrets and dynamic secret credentials
- Certificates and private keys
- Database credentials and connection strings
- API keys and authentication tokens
- Size: 256-bit AES
- Generation: Cryptographically secure random bytes via Node.js’s core cryptographic library
- Scope: One key per organization, one key per project
- Storage: Encrypted at rest using the Internal KMS Root Key and stored in the database
Encryption Operations
- Storing Data
- Retrieving Data
When sensitive data needs to be stored, Infisical performs the following operations:
- Key Retrieval: The appropriate data key (organization or project) is retrieved from the database in its encrypted form.
- Key Decryption: The encrypted data key is decrypted using the Internal KMS Root Key.
- Data Encryption: The plaintext data is encrypted using the decrypted data key with AES-256-GCM and a randomly generated 96-bit nonce.
- Storage: The ciphertext, along with the nonce and authentication tag, is stored in the database.
Key Generation
All cryptographic keys in Infisical are generated using Node.js’s core cryptographic library, which provides cryptographically secure pseudo-random data. When FIPS mode is enabled, this library is guaranteed to use FIPS-validated cryptographic implementations.External KMS Integration
For organizations with specific compliance requirements or those who need to maintain control over their encryption keys, Infisical supports integration with external Key Management Systems. When configured, project data keys can be encrypted by an external KMS instead of the Internal KMS Root Key. Supported external KMS providers include: For detailed configuration instructions, see the KMS Configuration documentation.FIPS Compliance
Infisical can be deployed in a FIPS-compliant configuration, using FIPS 140-3 validated cryptographic modules for all encryption operations within the FIPS boundary. When FIPS mode is enabled:- All cryptographic operations within the FIPS boundary use FIPS-validated implementations
- Key generation uses FIPS-approved random number generators
- External HSM integration is available for root key protection
Infrastructure & High availability (Infisical Cloud)
Infisical Cloud uses a number of strategies to keep services running smoothly and ensure data stays available, even during failures; we document these strategies below:- Multi-AZ AWS RDS: Infisical Cloud runs AWS Relational Database Service (RDS) with Multi-AZ deployments to improve availability and durability. This setup keeps a standby replica in a different Availability Zone (AZ) and automatically fails over if the primary instance goes down. Continuous backups and replication help protect data and minimize interruptions.
- Multi-AZ ElastiCache (Redis): For caching, Infisical Cloud runs Amazon ElastiCache (Redis) in a Multi-AZ setup. This means data is replicated across different AZs, so if one goes down, the system can automatically fail over to a healthy node. This helps keep response times low and ensures caching stays reliable.
- Multi-AZ ECS for Container Orchestration: Infisical Cloud runs on Amazon Elastic Container Service (ECS) across multiple availability zones, making sure containers stay available even if an AZ fails. If one zone has an issue, traffic automatically shifts to healthy instances in other zones, keeping downtime to a minimum.
Cross-Region Replication for Disaster Recovery (Infisical Cloud)
To handle regional failures, Infisical Cloud keeps backups both within AWS and across cloud providers in GCP updated and ready to take over when needed.- ElastiCache (Redis): Data is replicated across regions using AWS Global Datastore, keeping cached data consistent and available even if a primary region goes down.
- RDS (PostgreSQL): Cross-region read replicas ensure database data is available in multiple AWS locations, with additional replication to GCP for multi-cloud disaster recovery, allowing for failover in case of a regional outage or cloud provider issues.
Penetration testing
Infisical hires external third parties to perform regular security assessment and penetration testing of the platform. Most recently, Infisical commissioned cybersecurity firm Cure53 to perform a full-coverage, gray box penetration test against the platform’s entire attack surface to identify vulnerabilities according to industry standards (OWASP, ASVS, WSTG, TOP-10, etc.). Please email [email protected] to request any reports including a letter of attestation for the conducted penetration test.Employee data access
Whether or not Infisical or your employees can access data in the Infisical instance and/or storage backend depends on many factors how you use Infisical:- Infisical Self-Hosted: Self-hosting Infisical is common amongst organizations that prefer to keep data on their own infrastructure usually to adhere to strict regulatory and compliance requirements. In this option, organizations retain full control over their data and therefore govern the data access policy of their Infisical instance and storage backend.
- Infisical Cloud: Using Infisical’s managed service, Infisical Cloud means delegating data oversight and management to Infisical. Under our policy controls, employees are only granted access to parts of infrastructure according to principle of least privilege; this is especially relevant to customer data can only be accessed currently by executive management of Infisical. Moreover, any changes to sensitive customer data is prohibited without explicit customer approval.