Self Host Infisical with Docker Compose

Infisical is an open-source security infrastructure platform with everything from secrets to certificates and privileged access management. It can handle every API key, database credential, TLS cert, and SSH credential that your team touches. Fully encrypted and fully self-hosted on your own hardware. Today, I'm going to walk you through setting it up step by step from zero to a running instance using Docker Compose. And we're going to do it on my local MacBook just to show you how lightweight it is. Let's get into it.

So, why self-host Infisical? Primarily because your data stays on your infrastructure. It never leaves your network, and for a lot of teams that's a hard requirement. And if you're not concerned with self-hosting and you want to get up and running even faster, Infisical also has a managed cloud option. You can create an account and start using it immediately at app.infisical.com.

Now, I want to be upfront about what we're building today. This is a single node instance using Docker Compose. It is not a high availability production deployment. This is perfect if you're evaluating the platform, running a home lab, working on a small team, or if you're building a proof of concept before going bigger.

Before we spin anything up, let's quickly talk about what we're actually installing. If you want to skip straight to the setup, I'll leave a timestamp in the description, but I really think this is worth understanding.

When you self-host Infisical, there are actually three core components working together.

First, the Infisical server itself. This is the core of the platform. It's a single Docker image that bundles both the backend API and the web UI that you'll be interacting with in the browser.

Second, PostgreSQL, the database. This is where all your data actually lives. Your encrypted secrets, user accounts, projects, audit logs — all of it is stored in Postgres. The Infisical server itself is stateless. Postgres is the source of truth.

Third, we have Redis. Redis handles caching and background tasks. It keeps things fast and responsive. Unlike Postgres, the data in Redis is regenerable. If it resets, everything rebuilds on its own. So it's not critical data.

And that's the whole stack. Three components. In our case, we're going to run each one as a Docker container using Docker Compose. The Infisical server talks with Postgres for data, Redis for caching, and you interact with the whole thing through your browser.

And because the Infisical server itself is stateless, all your data lives in Postgres. Scaling this is the same as any other web application. When you're ready for high availability, you just run multiple instances of Infisical behind a load balancer. And if you've deployed a Postgres-backed app before, you already know how to deploy Infisical. There's nothing proprietary to learn.

Let's get it set up. Okay, let's actually install this. The first thing I'm going to do is exactly what most people would do if they were setting this up for the first time. I'm going to Google "Infisical Docker Compose." Here we go.

Now, this page walks through the exact setup we're about to do. I'm going to follow these instructions step by step. So if you're watching this later, you can follow along as well.

Now the first prerequisite is Docker. Since I'm on macOS, the easiest way is to use Docker Desktop. Google "Docker Mac." You can also install Docker Engine via Homebrew. And I'm going to link this page in the description so you can follow along.

So let's run brew install docker. The install steps are very straightforward. I've already got Docker installed on this MacBook. So let's just confirm everything's working. We'll run docker version and docker compose version.

Next, we're going to grab the two files that Infisical provides for the Docker setup. We use curl and we'll grab this command, paste it in. And this first file is the Docker Compose stack. And the second file is the environment variable configuration that the Infisical container uses. So, we'll grab that, paste it in.

Okay. Now, before we start the containers, we need to generate a couple of super secure keys. It says once downloaded, the credentials file will be saved to your working directory as a .env file. View configurations here. I'm going to click here.

Now these keys that are required by Infisical are the encryption key and the auth secret. So I can generate this encryption key using openssl rand -hex 16. This key is used to encrypt and decrypt your secrets at rest in the database. And if you lose this key, your encrypted secrets become unrecoverable. So in a real deployment, you'd want to back this up somewhere super safe.

Next, we generate the authentication secret using openssl rand -base64 32. This is the auth secret and it's used to sign authentication tokens. Copy that over here and again save this value somewhere safe.

Okay. Now let's open the .env file. You'll notice there are quite a lot of variables in here. Most of them are optional. There's only a few that we really care about for this setup.

First is that encryption key. I'll paste in the key that we just generated. Next will be auth secret. And I'll paste in the base64 value we just generated.

Now let's talk about the DB connection URI. The default value looks like this. And this works automatically because the Docker Compose file creates a Postgres container named DB. And the default username and password are both "infisical." For testing or home lab use, that's fine. For any real deployment with actual values, you absolutely want to change these.

Next is Redis. By default, it points here to Redis with port 6379. Just like Postgres, Docker Compose spins up a Redis container called Redis. So this works automatically. And again, unlike Postgres, Redis doesn't store any critical long-term data.

So next, we need to set the site URL. This should be whatever URL your users are going to use to access Infisical. Since I'm running this locally, I'm just going to leave it at localhost:80.

You'll also see some optional variables here, like for example, SMTP configuration, if you want email invites or password reset emails. These are not required for basic functionality, so we're just going to leave them alone for now. So we're going to save this and exit.

And now we can start the stack. We also have a note here that we're going to protect access to this .env file. Changing permissions. We'll run that really quickly. We'll copy this command.

Docker will now pull the images and start the containers. And a quick note — if you're following along on your local machine, you're going to want at least two CPU cores and 4 GB of RAM. Any modern MacBook is going to work great.

Now that that's run, we're going to check that our containers are running. And we should see three containers. We have the Infisical backend — that's the Infisical server. We have Postgres and then we have Redis.

Now we're going to hit the health endpoint. And we should see something in here like "message: OK." This means that Infisical is connected to Postgres and Redis and the application is ready.

Let's open our browser and go to localhost, and there it is — the Infisical signup page. Now starting out, the first person to create an account automatically becomes the instance administrator. That's you if you're following along.

So, let's create that account and we'll continue. Once we're in, we land on /admin. This is the server admin panel. This is where we're going to manage the Infisical instance itself, not our secrets. From here, you can control things like whether new users can sign up. You can manage user accounts across the instance. You can configure authentication methods. And we can set default organization settings. This is server-level administration.

Now, if we click this arrow, we go back to the main dashboard. This is the day-to-day experience as an Infisical user. So, we have projects within our organization. Let's create a quick project and then add a secret so that we can see the flow.

We're going to call this "My Secrets." This is a secrets management project. And each project has these environments: development, staging, and production. And your secrets live inside those environments. We'll add a secret — "my secret from Infisical."

Okay, so that's our secret — encrypted at rest, access controlled, auditable.

Let me show you what this means in practice. Let's say you have a simple Node app and your Node app is just one line. It just reads an environment variable and then it logs it to the console. Let's run it without Infisical first because it has no .env file to actually read this variable from. So we can see there's nothing there.

Now let's install the Infisical CLI, and I will link these docs in the description as well. Google "Infisical CLI." Run this.

We're going to run infisical login with the domain of http://localhost:80. That'll take us here. We'll copy this. Head back to the terminal. Paste it in. Okay. So, we have "Welcome to Infisical. You're now logged in." And so, all of our commands know to talk to our self-hosted instance.

I'm going to set the Infisical API URL. Set that to our domain. So now we don't have to pass the domain flag on every command.

Next, from inside our project folder, we initialize it. I'm going to run infisical init. Now, I already have a workspace config file because I've done this before, but I'm going to override it. And this links the folder to the project we just created in our dashboard. I'm going to choose my org, admin, my project, "My Secrets."

Okay. And now we can run infisical run --env=dev -- node index.js. And we can see the Infisical CLI pulled the secret from our instance and injected it as an environment variable at runtime. We don't have a .env file or hard-coded credentials anywhere or anything to accidentally commit to git. Your secrets live on your infrastructure and then they get injected only when you need them.

Now this is just one way to pull secrets. The CLI is great for local development, but Infisical also has SDKs for Node, Python, Go, and many more if you want to fetch secrets directly into your application code. And then for deployed environments, you can set up native integrations that sync secrets straight to ECS. Then we can also sync to GitHub Actions, Kubernetes — you name it.

Now the key distinction to remember is that the admin console at /admin is for managing the Infisical server, and the dashboard is for managing your actual secrets and projects. Two different layers.

And one more thing — if you already have your own Postgres and Redis running somewhere, you don't need the full Docker Compose stack. You can run Infisical as a single container. We'll just run this and point it at your existing databases and you're done.

Infisical has a Kubernetes Helm chart and reference architectures for AWS ECS, GCP Cloud Run, and on-prem Kubernetes. I'll link those below as well.

And for best practices — backing up your database and encryption key, setting up HTTPS, and pinning your Docker image version — we've got a dedicated page in the docs that covers all of it. I'll link that as well.

That's it. A full Infisical instance running locally on your laptop. In future videos, we'll get into production-grade deployments, high availability, Kubernetes — the works. So, make sure to subscribe if you don't want to miss those. And if you run into issues while you're setting this up, the Infisical docs and our community Slack is a great first place to go. I'll put all the commands mentioned and the docs linked in the description. We'll see you guys in the next one.