Security hardening recommendations for production Infisical deployments
This document provides specific security hardening recommendations for production Infisical deployments. The recommendations follow Infisical's security model and focus on defense in depth. Choose your deployment method below and follow the recommendations for your specific setup. Start with the Universal Security Fundamentals, which apply to every deployment, then follow your deployment-specific section.
```bash
# Enable HTTPS (recommended for production)
HTTPS_ENABLED=true

# Secure PostgreSQL connection with SSL
DB_CONNECTION_URI="postgresql://user:pass@host:5432/db?sslmode=require"

# For base64-encoded SSL certificate
DB_ROOT_CERT="<base64-encoded-certificate>"
```

```bash
# Redis with TLS (if supported by your Redis deployment)
REDIS_URL="rediss://user:password@redis:6380"

# Redis Sentinel configuration for high availability
REDIS_SENTINEL_HOSTS="192.168.65.254:26379,192.168.65.254:26380"
REDIS_SENTINEL_MASTER_NAME="mymaster"
REDIS_SENTINEL_ENABLE_TLS=true
REDIS_SENTINEL_USERNAME="sentinel_user"
REDIS_SENTINEL_PASSWORD="sentinel_password"
```
Configure network restrictions and firewall rules:

```bash
# Limit CORS to specific domains
CORS_ALLOWED_ORIGINS=["https://your-app.example.com"]

# Prevent connections to internal/private IP addresses
# This blocks access to internal services like metadata endpoints,
# internal APIs, databases, and other sensitive infrastructure
ALLOW_INTERNAL_IP_CONNECTIONS=false
```
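The setting above stops the server from being pointed at private and internal addresses when it fetches a user-supplied URL (webhooks, integrations, OIDC discovery). As an added example that is not Infisical's own code, the following Python shows what such a check has to cover to be meaningful: literal IPs, IPv4-mapped IPv6 spellings, the cloud metadata address, loopback names, and hostnames that resolve to an internal address. The `allowed_destination` function, its injectable `resolver` parameter, and the hostnames used in the self-test are this example's own assumptions, not anything from the page or the project.

```python
"""Decide whether an outbound request target is an internal address.

Added example, not Infisical's own code: it illustrates the check that a
setting such as ALLOW_INTERNAL_IP_CONNECTIONS=false must enforce before the
server fetches a user-supplied URL (webhooks, integrations, OIDC discovery).
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges kept explicit regardless of which of them a given ipaddress version
# already flags: "this host" (0.0.0.0/8) and shared address space (100.64.0.0/10),
# which clouds commonly use for internal services.
EXTRA_BLOCKED = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_internal_ip(ip_text: str) -> bool:
    """True for loopback, private, link-local (this includes 169.254.169.254),
    multicast, reserved and unspecified addresses, plus EXTRA_BLOCKED."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is 10.0.0.1 on the wire; judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_BLOCKED)


def system_resolve(host: str) -> list[str]:
    """Resolve with the OS resolver. glibc also accepts spellings such as
    2130706433 here, so odd host forms are judged by what they resolve to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def allowed_destination(url: str, allow_internal: bool = False,
                        resolver=system_resolve) -> tuple[bool, str]:
    """Return (allowed, reason). resolver(host) returns the IP strings host maps to."""
    parts = urlsplit(url)
    host = parts.hostname  # "::1" for http://[::1]/, never the bracketed form
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http(s) URLs with a host are accepted"
    if allow_internal:
        return True, "internal connections explicitly allowed"
    if host == "localhost" or host.endswith(".localhost"):
        return False, f"{host} is a loopback name"
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IPv4 or IPv6
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:
            return False, f"{host} did not resolve: {exc}"
    if not ips:
        return False, f"{host} has no addresses"
    for ip in ips:
        if is_internal_ip(ip):
            return False, f"{host} maps to internal address {ip}"
    return True, f"{host} maps to {', '.join(ips)}; connect to exactly these addresses"


if __name__ == "__main__":
    # Literal targets only, so this runs without network access.
    for target in ("http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]:8080/",
                   "http://localhost/",
                   "http://100.64.0.1/"):
        print(target, "->", allowed_destination(target))
```

Two caveats carry over to any real implementation: the address that passed the check must be the one the client actually connects to (pin it), otherwise a DNS answer that changes between the check and the connection defeats it; and the check has to run again on every redirect hop. Numeric host spellings that `ipaddress` rejects, such as `2130706433`, fall through to the resolver, which is exactly where they must be judged.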
Implement network firewalls. Restrict network access to only necessary services:
Required ports: Infisical API (8080) and HTTPS (if applicable)
Database access: Restrict PostgreSQL and Redis to authorized sources only
Principle: Default deny incoming, allow only required traffic
Implementation: See your deployment-specific section below for exact configuration
```bash
# SMTP with TLS
SMTP_HOST="smtp.example.com"
SMTP_PORT="587"
SMTP_USERNAME="your-smtp-user"
SMTP_PASSWORD="your-smtp-password"
SMTP_REQUIRE_TLS=true
SMTP_IGNORE_TLS=false
SMTP_FROM_ADDRESS="[email protected]"
SMTP_FROM_NAME="Infisical"
```
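The transport and network settings in the sections above (HTTPS, PostgreSQL `sslmode`, Redis and Sentinel TLS, `ALLOW_INTERNAL_IP_CONNECTIONS`, CORS origins, SMTP TLS) are easy to regress one at a time. As an added example that is not part of this page or of Infisical's tooling, the following Python audits a plain `KEY=value` environment file against those recommendations and lists every setting that is missing or weak. The `audit_env` function, its finding messages and the two embedded sample files are this example's own; the samples are constructed, with the hardened one using the values shown on this page.

```python
"""Audit an Infisical environment file against the hardening settings above.

Added example, not Infisical's own tooling. It parses a plain KEY=value file
(the shape of the env-var snippets on this page) and reports settings that
leave transport encryption or network restrictions off.
"""
from __future__ import annotations

import sys
from urllib.parse import parse_qs, urlsplit


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=value parser: skips blanks and comments, strips a leading
    'export ' and one layer of matching quotes around the value."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(text: str) -> list[str]:
    """Return one finding per weak or missing setting; empty means all checks passed."""
    env = parse_env(text)
    findings: list[str] = []

    def is_true(key: str) -> bool:
        return env.get(key, "").strip().lower() == "true"

    if not is_true("HTTPS_ENABLED"):
        findings.append("HTTPS_ENABLED is not true (recommended for production)")

    # sslmode is a query parameter of the PostgreSQL URI
    sslmode = parse_qs(urlsplit(env.get("DB_CONNECTION_URI", "")).query).get("sslmode", [""])[0]
    if sslmode not in ("require", "verify-ca", "verify-full"):
        findings.append(f"DB_CONNECTION_URI sslmode={sslmode or 'unset'}: PostgreSQL traffic is not forced over TLS")

    redis_url = env.get("REDIS_URL", "")
    if redis_url and not redis_url.startswith("rediss://"):
        findings.append("REDIS_URL does not use rediss://: Redis traffic is unencrypted")
    if env.get("REDIS_SENTINEL_HOSTS") and not is_true("REDIS_SENTINEL_ENABLE_TLS"):
        findings.append("REDIS_SENTINEL_HOSTS is set but REDIS_SENTINEL_ENABLE_TLS is not true")

    if env.get("ALLOW_INTERNAL_IP_CONNECTIONS", "").strip().lower() != "false":
        findings.append("ALLOW_INTERNAL_IP_CONNECTIONS is not false: the server can be pointed at "
                        "metadata endpoints and internal services")

    cors = env.get("CORS_ALLOWED_ORIGINS", "")
    if "*" in cors or "http://" in cors:
        findings.append("CORS_ALLOWED_ORIGINS contains a wildcard or a plain-http origin")

    if env.get("SMTP_HOST") and (not is_true("SMTP_REQUIRE_TLS") or is_true("SMTP_IGNORE_TLS")):
        findings.append("SMTP is configured without SMTP_REQUIRE_TLS=true and SMTP_IGNORE_TLS=false")

    return findings


# Constructed sample: a typical "it works" configuration before hardening.
WEAK_ENV = """
HTTPS_ENABLED=false
DB_CONNECTION_URI="postgresql://infisical:pass@db.internal:5432/infisical"
REDIS_URL="redis://redis.internal:6379"
ALLOW_INTERNAL_IP_CONNECTIONS=true
CORS_ALLOWED_ORIGINS=["*"]
SMTP_HOST="smtp.example.com"
SMTP_REQUIRE_TLS=false
SMTP_IGNORE_TLS=true
"""

# Constructed sample using the values recommended on this page.
HARDENED_ENV = """
HTTPS_ENABLED=true
DB_CONNECTION_URI="postgresql://user:pass@host:5432/db?sslmode=require"
DB_ROOT_CERT="<base64-encoded-certificate>"
REDIS_URL="rediss://user:password@redis:6380"
REDIS_SENTINEL_HOSTS="192.168.65.254:26379,192.168.65.254:26380"
REDIS_SENTINEL_ENABLE_TLS=true
ALLOW_INTERNAL_IP_CONNECTIONS=false
CORS_ALLOWED_ORIGINS=["https://your-app.example.com"]
SMTP_HOST="smtp.example.com"
SMTP_REQUIRE_TLS=true
SMTP_IGNORE_TLS=false
"""

if __name__ == "__main__":
    # Pass a file path (e.g. /etc/infisical/environment) or audit the built-in weak sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_ENV
    for finding in audit_env(text) or ["no findings"]:
        print("-", finding)
```

The checks are deliberately limited to what the page itself recommends; they do not assert anything about settings whose defaults are not stated here, which is why a missing `CORS_ALLOWED_ORIGINS` or `REDIS_URL` produces no finding on its own.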
Note: Kubernetes secrets are only base64-encoded by default and are not encrypted at rest unless you explicitly enable etcd encryption. For production environments, you should:
Use managed databases (if possible). For production deployments, consider using managed PostgreSQL and Redis services instead of in-cluster instances when feasible, as they typically provide better security, backup, and maintenance capabilities.
Configure systemd service. Create a secure systemd service:

```ini
# /etc/systemd/system/infisical.service
[Unit]
Description=Infisical Secret Management
After=network.target

[Service]
Type=simple
# IMPORTANT: Change from default 'root' user to dedicated service account
User=infisical
Group=infisical
WorkingDirectory=/opt/infisical
ExecStart=/opt/infisical/infisical-linux-amd64
Restart=always
RestartSec=10

# Security settings
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/infisical
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LimitCORE=0
MemorySwapMax=0

# Environment file
EnvironmentFile=/etc/infisical/environment

[Install]
WantedBy=multi-user.target
```

Keep `/etc/infisical/environment` owned by root with mode 0600: systemd reads `EnvironmentFile=` itself before switching to the `infisical` user, so the service account never needs read access to the secrets in it. Because `ReadWritePaths=/opt/infisical` makes the directory holding the binary writable, keep the binary root-owned and not writable by `infisical`, or point `ReadWritePaths=` at a separate data directory. After installing the unit, run `systemd-analyze security infisical.service` to see which hardening directives are still missing.
Host firewall configuration. Configure a comprehensive firewall for Linux binary deployments:

```bash
# Configure UFW firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow Infisical API access
sudo ufw allow 8080/tcp

# Allow HTTPS (if terminating TLS at Infisical)
sudo ufw allow 443/tcp

# If running PostgreSQL locally, restrict to localhost
sudo ufw allow from 127.0.0.1 to any port 5432

# If running Redis locally, restrict to localhost
sudo ufw allow from 127.0.0.1 to any port 6379

# Enable firewall
sudo ufw --force enable
```

If a reverse proxy or load balancer fronts the API, replace the blanket 8080 rule with one that allows only the proxy's source address. ufw already accepts traffic on the loopback interface by default, so the two localhost rules are belt-and-braces; what matters is that no rule ever opens 5432 or 6379 to other hosts. Check the result with `sudo ufw status verbose`.
For the highest level of encryption security, integrate with Hardware Security Modules. HSM integration keeps encryption keys on tamper-resistant hardware, so key material never leaves the device during encryption operations:

Leverage cloud-native KMS providers for enhanced security and compliance. Infisical can integrate with external KMS providers to encrypt project secrets, providing enterprise-grade key management:
Implement log monitoring. Set up centralized logging for security analysis and audit trails. Configure your SIEM or logging platform to monitor Infisical operations.
FIPS 140-3 Compliance. Infisical is actively working on FIPS 140-3 compliance to meet U.S. and Canadian government cryptographic standards. This will provide validated cryptographic modules for organizations requiring certified encryption implementations.