Infisical is an open-source, end-to-end encrypted secrets management platform for storing and syncing application secrets across teams and environments. It uses PostgreSQL for persistence and Redis for caching. This guide deploys Infisical using Docker Compose with Traefik handling automatic HTTPS. By the end, you'll have a production-ready Infisical instance accessible securely at your domain.
Set Up the Directory Structure and Secrets
1. Create the project directory structure:
$ mkdir -p ~/infisical/{db,redis,letsencrypt}
$ cd ~/infisical
2. Generate the encryption key and auth secret:
$ openssl rand -hex 16
$ openssl rand -base64 32
Note both values — the first is the ENCRYPTION_KEY, the second is the AUTH_SECRET.
3. Create the environment file:
$ nano .env
INFISICAL_DOMAIN=infisical.example.com
LETSENCRYPT_EMAIL=admin@example.com
ENCRYPTION_KEY=HEX_KEY_HERE
AUTH_SECRET=BASE64_SECRET_HERE
POSTGRES_USER=infisical
POSTGRES_PASSWORD=STRONG_DB_PASSWORD
POSTGRES_DB=infisicaldb
DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
REDIS_URL=redis://redis:6379
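Before starting the stack, the .env file above can be checked for leftover placeholders and loose permissions. The shell function below is an added example, not part of the original guide or of Infisical; `check_env`, `env_get` and `ENV_PROBLEMS` are hypothetical names, and the password check assumes the value is interpolated unencoded into DB_CONNECTION_URI as shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for the .env file created in step 3.
# check_env, env_get and ENV_PROBLEMS are hypothetical names, not Infisical's.
# Usage (after sourcing this file): check_env .env

# Read KEY's value without sourcing the file, so nothing in it is executed.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Prints one line per problem to stderr, sets ENV_PROBLEMS to the count,
# and returns non-zero when any problem was found.
check_env() {
    file=$1
    ENV_PROBLEMS=0
    fail() { echo "check_env: $*" >&2; ENV_PROBLEMS=$((ENV_PROBLEMS + 1)); }

    [ -f "$file" ] || { fail "$file not found"; return 1; }

    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        fail "$file is accessible to group/other; run: chmod 600 $file"

    # `openssl rand -hex 16` prints exactly 32 lowercase hex characters.
    env_get "$file" ENCRYPTION_KEY | grep -Eq '^[0-9a-f]{32}$' ||
        fail "ENCRYPTION_KEY is not 32 hex characters (placeholder left in?)"

    # `openssl rand -base64 32` prints 43 base64 characters plus one '='.
    env_get "$file" AUTH_SECRET | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        fail "AUTH_SECRET is not base64 of 32 bytes (placeholder left in?)"

    pw=$(env_get "$file" POSTGRES_PASSWORD)
    case $pw in
        ''|STRONG_DB_PASSWORD)
            fail "POSTGRES_PASSWORD is empty or still the placeholder" ;;
        *[!A-Za-z0-9._~-]*)
            # The value is interpolated raw into DB_CONNECTION_URI, where
            # characters such as @ : / ? # change how the URI is parsed.
            fail "POSTGRES_PASSWORD needs percent-encoding in DB_CONNECTION_URI" ;;
    esac

    [ "$ENV_PROBLEMS" -eq 0 ]
}
```

Source the file and run `check_env .env` from ~/infisical before `docker compose up -d`.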
Deploy with Docker Compose
1. Add your user to the Docker group:
$ sudo usermod -aG docker $USER
$ newgrp docker
2. Create the Docker Compose manifest:
$ nano docker-compose.yml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    environment:
      DOCKER_API_VERSION: "1.44"
    command:
      - "--providers.docker=true"
      # Route only containers that set traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect all HTTP requests to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Let's Encrypt certificates via the HTTP challenge on port 80
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Docker socket mounted read-only for container discovery
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
  db:
    image: postgres:16-alpine
    container_name: infisical-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}
    volumes:
      - ./db:/var/lib/postgresql/data
  redis:
    image: redis:7-alpine
    container_name: infisical-redis
    restart: unless-stopped
  infisical:
    image: infisical/infisical:latest
    container_name: infisical
    restart: unless-stopped
    depends_on:
      - db
      - redis
    environment:
      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
      - AUTH_SECRET=${AUTH_SECRET}
      - DB_CONNECTION_URI=${DB_CONNECTION_URI}
      - REDIS_URL=${REDIS_URL}
      - SITE_URL=https://${INFISICAL_DOMAIN}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.infisical.rule=Host(`${INFISICAL_DOMAIN}`)"
      - "traefik.http.routers.infisical.entrypoints=websecure"
      - "traefik.http.routers.infisical.tls=true"
      - "traefik.http.routers.infisical.tls.certresolver=le"
      - "traefik.http.services.infisical.loadbalancer.server.port=8080"
3. Start the services:
$ docker compose up -d
4. Verify the services are running:
$ docker compose ps
Complete the Setup
- Open https://infisical.example.com in a browser.
- Create the Super Admin account with your email and a strong password.
- Sign in to access the dashboard.
Next Steps
Infisical is running and served securely over HTTPS. From here you can:
- Create projects and organize secrets by environment
- Integrate the Infisical CLI or SDKs into your applications and CI/CD
- Configure secret rotation, access policies, and audit logs
For the full guide with additional tips, visit the original article on Vultr Docs.