Skip to main content
This document provides specific security hardening recommendations for production Infisical deployments. These recommendations follow Infisical’s security model and focus on defense in depth. Choose your deployment method below and follow the recommendations for your specific setup. Start with Universal Security Fundamentals that apply to all deployments, then follow your deployment-specific section.

Universal Security Fundamentals

These security configurations apply to all Infisical deployments regardless of how you deploy.

Cryptographic Security

Generate Secure Keys

Generate strong cryptographic keys for your deployment:

Configure Token Lifetimes

Minimize exposure window for compromised tokens:

Network Security

TLS Configuration

Configure HTTPS and secure database connections:

Redis Security

Use authentication and TLS for Redis:

Network Access Controls

Configure network restrictions and firewall rules:

Server-Side Request Forgery (SSRF) Protection

Outbound requests to user-configured destinations (App Connections, Webhooks, Audit Log Streams, Dynamic Secrets, PKI Discovery, and similar) run through an SSRF-safe HTTP client that validates the destination and pins the connection to the validated IP. Keep these controls in mind when hardening egress: Reaching private resources: prefer the Gateway. To integrate with services on an internal/private network, deploy the Gateway rather than opening internal IP ranges on the Infisical instance. The Gateway runs inside your network and tunnels traffic over an mTLS connection, so no internal IP allowlisting is required and SSRF protection on the instance stays fully enabled. Opening internal IPs: scope it as narrowly as possible. For the features that egress directly (without a Gateway), private-IP access is disabled by default. When you must allow it, prefer the per-feature flags over the global switch, and understand that enabling any of these also disables DNS-rebinding pin protection for that path:
Force direct egress to preserve the IP pin. If your instance does not rely on an outbound forward proxy, enable SAFE_REQUEST_FORCE_DIRECT_EGRESS so requests cannot be routed through an ambient HTTP_PROXY / HTTPS_PROXY that would re-resolve the target and bypass the validated-IP pin. It is false by default (Infisical Cloud enables it through its own deployment configuration); set it explicitly for hardened self-hosted deployments that do not use an egress proxy:
Implement network firewalls. Restrict network access to only necessary services:
  • Required ports: Infisical API (8080) and HTTPS (if applicable)
  • Database access: Restrict PostgreSQL and Redis to authorized sources only
  • Principle: Default deny incoming, allow only required traffic
  • Implementation: See your deployment-specific section below for exact configuration

Application Security

Site Configuration

Set proper site URL for your Infisical instance:

Public Signups Are Disabled After Admin Setup

Leaving self-service signups open on a publicly reachable instance means anyone can create an account without an invitation, which widens your attack surface. Several features let an authenticated user configure outbound requests to destinations they supply (App Connections, Webhooks, Audit Log Streams, Dynamic Secrets, and similar). Infisical already routes these through an SSRF-safe client that blocks internal and private IP ranges by default (see SSRF Protection above). Restricting who can reach those features limits exposure if that protection is ever relaxed (for example a permissive ALLOW_INTERNAL_IP_CONNECTIONS).
On a self-hosted instance, self-service signups are disabled by default once the first super admin account is created. No configuration is required to get this hardened default. You can still invite users to your organization, and to provision additional users, prefer organization invitations over public signup. If you operate a trusted, internal instance and deliberately want open signups, re-enable them from the Admin Console → Authentication settings by setting Allow user signups to Anyone. The same control lets you disable signups again at any time.
This hardened default applies to new installations only. It takes effect when the first super admin account is created, so an instance that was already initialized before upgrading keeps its existing Allow user signups setting (open by default). If you run an existing self-hosted instance, verify this in Admin Console → Authentication and set Allow user signups to Disabled if you want the hardened behavior.

SMTP Security

Use TLS for email communications:

Privacy Configuration

Control telemetry and data collection:

Database Security

High Availability Configuration

Configure database read replicas for high availability PostgreSQL setups:

Operational Security

User Access Management

Establish user off-boarding procedures. Remove access promptly when users leave:
  1. Remove user from organization
  2. Revoke active service tokens
  3. Remove from external identity providers
  4. Audit access logs for the user’s activity
  5. Rotate any shared secrets the user had access to

Maintenance and Updates

Keep frequent upgrade cadence. Regularly update to the latest Infisical version for your deployment method.

Deployment-Specific Hardening

Docker Deployment

These recommendations are specific to Docker deployments of Infisical.

Container Security

Use read-only root filesystems. Prevent runtime modifications while allowing necessary temporary access:
Note: Infisical requires temporary directory access for:
  • Secret scanning operations
  • SSH certificate generation and validation
The --tmpfs mounts provide secure, isolated temporary storage that is:
  • Automatically cleaned up on container restart
  • Limited in size to prevent disk exhaustion
  • Isolated from the host system
  • Wiped on container removal
Drop unnecessary capabilities. Remove all Linux capabilities:
Use specific image tags. Never use latest tags in production:

Resource Management

Set resource limits. Prevent resource exhaustion attacks:

Health Monitoring

Configure health checks. Set up Docker health checks:

Network Security

Host firewall configuration. Configure host-level firewall for Docker deployments:

Maintenance

Regular updates. Monitor Docker Hub for new releases and update your image tags regularly.

Kubernetes Deployment

These recommendations are specific to Kubernetes deployments of Infisical.

Pod Security

Use Pod Security Standards. Apply restricted security profile:
Configure security context. Set comprehensive security context:

Network Security

Configure network policies. Restrict pod-to-pod communication:
Infrastructure firewall considerations. In addition to the universal host firewalls, implement infrastructure-level security: For cloud deployments (AWS Security Groups, Azure NSGs, or GCP Firewall Rules):
  • Allow ingress from load balancer to NodePort/ClusterIP service
  • Allow egress to managed databases
  • Block all other traffic
For on-premises deployments, ensure node-level firewalls allow:
  • Ingress traffic from ingress controllers
  • Egress traffic to external services (databases, SMTP)

Access Control

Use dedicated service accounts. Create service accounts with minimal permissions:

Ingress Security

Configure ingress with TLS. Set up secure ingress:

Secret Management

Use Kubernetes secrets. Store sensitive configuration securely:
Note: Kubernetes secrets are only base64-encoded by default and are not encrypted at rest unless you explicitly enable etcd encryption. For production environments, you should:
  • Enable etcd encryption at rest to protect secrets stored in the cluster
  • Limit access to etcd and Kubernetes API to only trusted administrators

Health Monitoring

Set up health checks. Configure readiness and liveness probes:

Infrastructure Considerations

Use managed databases (if possible). For production deployments, consider using managed PostgreSQL and Redis services instead of in-cluster instances when feasible, as they typically provide better security, backup, and maintenance capabilities.

Maintenance

Regular updates. Monitor Docker Hub for new releases and update your deployment manifests with new image tags regularly.

Linux Package (infisical-ctl) Deployment

These recommendations are specific to deployments using the Infisical Linux package, which is managed by the infisical-ctl CLI tool.

Built-in Security Features

The Infisical Linux package (omnibus) includes several security measures out of the box:
  • Privilege dropping: The package uses chpst to automatically drop the running application process from root to the dedicated infisical user. You do not need to configure this manually.
  • Service supervision: Services are managed by runsvdir, which provides automatic process supervision and restart.
  • Structured directories: Application files, data, and logs are organized under standard paths (/opt/infisical-core, /var/opt/infisical-core, /var/log/infisical-core).

systemd Hardening

The infisical-core package ships a systemd unit (infisical-runsvdir.service) that starts the runsvdir process supervisor. You can apply additional hardening using a systemd drop-in override without modifying the original unit file:
Add the following content to the override file:
After saving, reload systemd and restart the service:
Do not set User= or Group= in the systemd override. The Infisical omnibus package uses chpst internally to drop privileges to the infisical user. Setting these directives in systemd will conflict with chpst and break the service.
Do not enable ProtectKernelTunables=true. The runsvdir-start script adjusts /proc/sys/fs/file-max at startup. Enabling this setting makes /proc/sys read-only, which will cause errors. While the service may still start, it will log warnings and may not perform optimally.

Configuration Security

Secure the configuration file. The infisical.rb file contains sensitive credentials and should be properly protected:
Use secure values in configuration. Generate strong cryptographic keys:
After making configuration changes, apply them with:

File Permissions

Verify directory permissions. Ensure proper ownership on application directories:

System Security

Disable memory swapping. Prevent sensitive data from being written to disk:
Disable core dumps. Prevent potential exposure of encryption keys:
Synchronize system clocks. Ensure accurate time for JWT token validation and audit log timestamps:

Network Security

Host firewall configuration. Configure comprehensive firewall for Linux package deployments:

Health Monitoring

Monitor service health. Use infisical-ctl to monitor the service:

Maintenance

Regular updates. Monitor Infisical releases for new package versions. Update using your package manager:
After updating, apply the new version:

Enterprise Security Features

Hardware Security Module (HSM) Integration

For the highest level of encryption security, integrate with Hardware Security Modules: HSM integration provides hardware-protected encryption keys stored on tamper-proof devices, offering superior security for encryption operations:
  • Supported HSM Providers: Thales Luna Cloud HSM, AWS CloudHSM, Fortanix HSM
  • Root Key Protection: HSM encrypts Infisical’s root encryption keys using hardware-protected keys
  • Enterprise Requirements: Ideal for government, financial, and healthcare organizations
For complete HSM setup instructions, see the HSM Integration Guide.

External Key Management Service (KMS) Integration

Leverage cloud-native KMS providers for enhanced security and compliance: Infisical can integrate with external KMS providers to encrypt project secrets, providing enterprise-grade key management:
  • Supported Providers: AWS KMS, Google Cloud KMS, Azure Key Vault (coming soon)
  • Workspace Key Protection: Each project’s encryption key is protected by your external KMS
  • Envelope Encryption: Infisical uses your cloud KMS to encrypt/decrypt project workspace keys, which in turn encrypt the actual secret data
  • Compliance: Leverage your cloud provider’s compliance certifications (FedRAMP, SOC2, ISO 27001)

Benefits for Production Deployments

  • Separation of Concerns: Keys managed in your cloud infrastructure, separate from Infisical
  • Regulatory Compliance: Use your existing compliance-certified KMS infrastructure
  • Audit Integration: KMS operations logged in your cloud provider’s audit trails
  • Disaster Recovery: Keys backed by your cloud provider’s HA and backup systems
  • Access Controls: Leverage your cloud IAM for KMS access management

Configuration Resources

For external KMS configuration, see:

Advanced Security Configurations

Backup Security

Configure backup encryption. Encrypt PostgreSQL backups:

Monitoring and Logging

Implement log monitoring. Set up centralized logging for security analysis and audit trails. Configure your SIEM or logging platform to monitor Infisical operations.

Security Updates

Regular security updates. Monitor the Infisical repository for security updates and apply them promptly.

Compliance and Monitoring

Enterprise Compliance Requirements

For enterprise deployments requiring compliance certifications:
  • Implement audit log retention policies
  • Set up security event monitoring and alerting
  • Configure automated vulnerability scanning
  • Establish incident response procedures
  • Document security controls for compliance audits

Standards Compliance

FIPS 140-3 Compliance

Infisical is compliant with FIPS 140-3, meeting U.S. and Canadian government cryptographic standards through validated cryptographic modules. This certification is designed for organizations that require government-approved encryption implementations. To deploy a FIPS-compliant instance, use the infisical/infisical-fips Docker image, available to Enterprise customers. Our FIPS 140-3 attestation letter is available in the Infisical Trust Center.

SOC 2 Compliance

Infisical is SOC 2 compliant, demonstrating adherence to rigorous security, availability, and confidentiality standards established by the American Institute of CPAs (AICPA). This certification validates our security controls and operational practices for organizations requiring third-party audited security assurance. Our SOC 2 report is available in the Infisical Trust Center.

HIPAA Compliance

Infisical is HIPAA compliant, meeting the security and privacy requirements of the Health Insurance Portability and Accountability Act. This compliance framework ensures appropriate safeguards for protected health information (PHI) for healthcare organizations and their business associates. Our HIPAA certification is available in the Infisical Trust Center.