ContextQMD
Back to Infisical

Production Hardening

docs/self-hosting/guides/production-hardening.mdx

0.159.2522.7 KB
Original Source

This document provides specific security hardening recommendations for production Infisical deployments. These recommendations follow Infisical's security model and focus on defense in depth.

Choose your deployment method below and follow the recommendations for your specific setup. Start with Universal Security Fundamentals that apply to all deployments, then follow your deployment-specific section.

Universal Security Fundamentals

These security configurations apply to all Infisical deployments regardless of how you deploy.

Cryptographic Security

Generate Secure Keys

Generate strong cryptographic keys for your deployment:

bash
# Required - Generate secure encryption key
ENCRYPTION_KEY=$(openssl rand -hex 16)

# Required - Generate secure auth secret
AUTH_SECRET=$(openssl rand -base64 32)

Configure Token Lifetimes

Minimize exposure window for compromised tokens:

bash
# JWT token configuration (adjust based on security requirements)
JWT_AUTH_LIFETIME=15m        # Authentication tokens
JWT_REFRESH_LIFETIME=24h     # Refresh tokens
JWT_SERVICE_LIFETIME=1h      # Service tokens

Network Security

TLS Configuration

Configure HTTPS and secure database connections:

bash
# Enable HTTPS (recommended for production)
HTTPS_ENABLED=true

# Secure PostgreSQL connection with SSL
DB_CONNECTION_URI="postgresql://user:pass@host:5432/db?sslmode=require"

# For base64-encoded SSL certificate
DB_ROOT_CERT="<base64-encoded-certificate>"

Redis Security

Use authentication and TLS for Redis:

bash
# Redis with TLS (if supported by your Redis deployment)
REDIS_URL="rediss://user:password@redis:6380"

# Redis Sentinel configuration for high availability
REDIS_SENTINEL_HOSTS="192.168.65.254:26379,192.168.65.254:26380"
REDIS_SENTINEL_MASTER_NAME="mymaster"
REDIS_SENTINEL_ENABLE_TLS=true
REDIS_SENTINEL_USERNAME="sentinel_user"
REDIS_SENTINEL_PASSWORD="sentinel_password"

Network Access Controls

Configure network restrictions and firewall rules:

bash
# Limit CORS to specific domains
CORS_ALLOWED_ORIGINS=["https://your-app.example.com"]

# Prevent connections to internal/private IP addresses
# This blocks access to internal services like metadata endpoints,
# internal APIs, databases, and other sensitive infrastructure
ALLOW_INTERNAL_IP_CONNECTIONS=false

Implement network firewalls. Restrict network access to only necessary services:

  • Required ports: Infisical API (8080) and HTTPS (if applicable)
  • Database access: Restrict PostgreSQL and Redis to authorized sources only
  • Principle: Default deny incoming, allow only required traffic
  • Implementation: See your deployment-specific section below for exact configuration

Application Security

Site Configuration

Set proper site URL for your Infisical instance:

bash
# Required - Must be absolute URL with protocol
SITE_URL="https://app.infisical.com"

SMTP Security

Use TLS for email communications:

bash
# SMTP with TLS
SMTP_HOST="smtp.example.com"
SMTP_PORT="587"
SMTP_USERNAME="your-smtp-user"
SMTP_PASSWORD="your-smtp-password"
SMTP_REQUIRE_TLS=true
SMTP_IGNORE_TLS=false
SMTP_FROM_ADDRESS="[email protected]"
SMTP_FROM_NAME="Infisical"

Privacy Configuration

Control telemetry and data collection:

bash
# Optional - Disable telemetry (enabled by default)
TELEMETRY_ENABLED=false

Database Security

High Availability Configuration

Configure database read replicas for high availability PostgreSQL setups:

bash
# Read replica configuration (JSON format)
DB_READ_REPLICAS='[{"DB_CONNECTION_URI":"postgresql://user:pass@replica:5432/db?sslmode=require"}]'

Operational Security

User Access Management

Establish user off-boarding procedures. Remove access promptly when users leave:

  1. Remove user from organization
  2. Revoke active service tokens
  3. Remove from external identity providers
  4. Audit access logs for the user's activity
  5. Rotate any shared secrets the user had access to

Maintenance and Updates

Keep frequent upgrade cadence. Regularly update to the latest Infisical version for your deployment method.

Deployment-Specific Hardening

Docker Deployment

These recommendations are specific to Docker deployments of Infisical.

Container Security

Use read-only root filesystems. Prevent runtime modifications while allowing necessary temporary access:

bash
# Run with read-only filesystem but allow /tmp access
docker run --read-only \
  --tmpfs /tmp:rw,exec,size=1G \
  infisical/infisical:latest

Note: Infisical requires temporary directory access for:

  • Secret scanning operations
  • SSH certificate generation and validation

The --tmpfs mounts provide secure, isolated temporary storage that is:

  • Automatically cleaned up on container restart
  • Limited in size to prevent disk exhaustion
  • Isolated from the host system
  • Wiped on container removal

Drop unnecessary capabilities. Remove all Linux capabilities:

bash
# Drop all capabilities
docker run --cap-drop=ALL infisical/infisical:latest

Use specific image tags. Never use latest tags in production:

bash
# Use specific version tags
docker run infisical/infisical:v0.93.1-postgres

Resource Management

Set resource limits. Prevent resource exhaustion attacks:

bash
# Set memory and CPU limits
docker run --memory=1g --cpus=0.5 infisical/infisical:latest

Health Monitoring

Configure health checks. Set up Docker health checks:

dockerfile
# In Dockerfile or docker-compose.yml
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD curl -f http://localhost:8080/api/status || exit 1

Network Security

Host firewall configuration. Configure host-level firewall for Docker deployments:

bash
# Docker manages its own iptables rules, but configure host firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow Docker-mapped ports (adjust based on your port mapping)
sudo ufw allow 8080/tcp  # If mapping container 8080 to host 8080
sudo ufw allow 443/tcp   # If terminating HTTPS at host level

# Enable firewall
sudo ufw --force enable

# Verify Docker iptables integration
sudo iptables -L DOCKER

Maintenance

Regular updates. Monitor Docker Hub for new releases and update your image tags regularly.

Kubernetes Deployment

These recommendations are specific to Kubernetes deployments of Infisical.

Pod Security

Use Pod Security Standards. Apply restricted security profile:

yaml
# Namespace-level Pod Security Standards
apiVersion: v1
kind: Namespace
metadata:
  name: infisical
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Configure security context. Set comprehensive security context:

yaml
# Deployment security context
apiVersion: apps/v1
kind: Deployment
metadata:
  name: infisical
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        fsGroup: 1001
      containers:
        - name: infisical
          image: infisical/infisical:v0.93.1-postgres
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1001
            capabilities:
              drop:
                - ALL
          resources:
            limits:
              memory: 1000Mi
              cpu: 500m
            requests:
              cpu: 350m
              memory: 512Mi

Network Security

Configure network policies. Restrict pod-to-pod communication:

yaml
# Example Kubernetes NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: infisical-netpol
  namespace: infisical
spec:
  podSelector:
    matchLabels:
      app: infisical
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-system
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379

Infrastructure firewall considerations. In addition to the universal host firewalls, implement infrastructure-level security:

For cloud deployments (AWS Security Groups, Azure NSGs, or GCP Firewall Rules):

  • Allow ingress from load balancer to NodePort/ClusterIP service
  • Allow egress to managed databases
  • Block all other traffic

For on-premises deployments, ensure node-level firewalls allow:

  • Ingress traffic from ingress controllers
  • Egress traffic to external services (databases, SMTP)

Access Control

Use dedicated service accounts. Create service accounts with minimal permissions:

yaml
# Service account configuration
apiVersion: v1
kind: ServiceAccount
metadata:
  name: infisical
  namespace: infisical
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: infisical
spec:
  template:
    spec:
      serviceAccountName: infisical

Ingress Security

Configure ingress with TLS. Set up secure ingress:

yaml
# Secure ingress configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: infisical-ingress
  namespace: infisical
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - secretName: infisical-tls
      hosts:
        - app.example.com
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: infisical
                port:
                  number: 8080

Secret Management

Use Kubernetes secrets. Store sensitive configuration securely:

yaml
# Kubernetes secret for environment variables
apiVersion: v1
kind: Secret
metadata:
  name: infisical-secrets
  namespace: infisical
type: Opaque
stringData:
  AUTH_SECRET: "<generate-with-openssl-rand-base64-32>"
  ENCRYPTION_KEY: "<generate-with-openssl-rand-hex-16>"
  DB_CONNECTION_URI: "<your-postgres-connection-string>"
  REDIS_URL: "<your-redis-connection-string>"
  SITE_URL: "<your-site-url>"

Note: Kubernetes secrets are only base64-encoded by default and are not encrypted at rest unless you explicitly enable etcd encryption. For production environments, you should:

  • Enable etcd encryption at rest to protect secrets stored in the cluster
  • Limit access to etcd and Kubernetes API to only trusted administrators

Health Monitoring

Set up health checks. Configure readiness and liveness probes:

yaml
# Health check configuration
containers:
  - name: infisical
    readinessProbe:
      httpGet:
        path: /api/status
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 5
    livenessProbe:
      httpGet:
        path: /api/status
        port: 8080
      initialDelaySeconds: 30
      periodSeconds: 10

Infrastructure Considerations

Use managed databases (if possible). For production deployments, consider using managed PostgreSQL and Redis services instead of in-cluster instances when feasible, as they typically provide better security, backup, and maintenance capabilities.

Maintenance

Regular updates. Monitor Docker Hub for new releases and update your deployment manifests with new image tags regularly.

Linux Package (infisical-ctl) Deployment

These recommendations are specific to deployments using the Infisical Linux package, which is managed by the infisical-ctl CLI tool.

Built-in Security Features

The Infisical Linux package (omnibus) includes several security measures out of the box:

  • Privilege dropping: The package uses chpst to automatically drop the running application process from root to the dedicated infisical user. You do not need to configure this manually.
  • Service supervision: Services are managed by runsvdir, which provides automatic process supervision and restart.
  • Structured directories: Application files, data, and logs are organized under standard paths (/opt/infisical-core, /var/opt/infisical-core, /var/log/infisical-core).

systemd Hardening

The infisical-core package ships a systemd unit (infisical-runsvdir.service) that starts the runsvdir process supervisor. You can apply additional hardening using a systemd drop-in override without modifying the original unit file:

bash
# Create a systemd drop-in override
sudo systemctl edit infisical-runsvdir.service

Add the following content to the override file:

ini
# /etc/systemd/system/infisical-runsvdir.service.d/override.conf
[Service]
RestartSec=10

# Prevent child processes from gaining new privileges
NoNewPrivileges=true

# Isolate /tmp from the rest of the system
PrivateTmp=true

# Protect /home, /root, and /run/user from access
ProtectHome=true

# Make the entire filesystem read-only except for explicitly allowed paths
ProtectSystem=strict
ReadWritePaths=/opt/infisical-core
ReadWritePaths=/var/opt/infisical-core
ReadWritePaths=/var/log/infisical-core

# Create and manage /run/infisical-core automatically at service start
RuntimeDirectory=infisical-core

# Prevent loading of kernel modules
ProtectKernelModules=true

# Protect cgroup hierarchy from modification
ProtectControlGroups=true

# Restrict creation of SUID/SGID files
RestrictSUIDSGID=true

# Disable core dumps to prevent sensitive data exposure
LimitCORE=0

# Limit swap usage to 0 for this service's cgroup (also disable system-wide swap in the System Security section below)
MemorySwapMax=0

After saving, reload systemd and restart the service:

bash
sudo systemctl daemon-reload
sudo systemctl restart infisical-runsvdir.service
<Warning> **Do not** set `User=` or `Group=` in the systemd override. The Infisical omnibus package uses `chpst` internally to drop privileges to the `infisical` user. Setting these directives in systemd will conflict with `chpst` and break the service. </Warning> <Warning> **Do not** enable `ProtectKernelTunables=true`. The `runsvdir-start` script adjusts `/proc/sys/fs/file-max` at startup. Enabling this setting makes `/proc/sys` read-only, which will cause errors. While the service may still start, it will log warnings and may not perform optimally. </Warning>

Configuration Security

Secure the configuration file. The infisical.rb file contains sensitive credentials and should be properly protected:

bash
# Restrict permissions on the configuration file
sudo chmod 600 /etc/infisical/infisical.rb
sudo chown root:root /etc/infisical/infisical.rb

Use secure values in configuration. Generate strong cryptographic keys:

ruby
# /etc/infisical/infisical.rb
# Generate with: openssl rand -hex 16
infisical_core['ENCRYPTION_KEY'] = '<secure-random-hex-key>'

# Generate with: openssl rand -base64 32
infisical_core['AUTH_SECRET'] = '<secure-random-base64-key>'

# Use SSL for database connections
infisical_core['DB_CONNECTION_URI'] = 'postgres://user:pass@host:5432/db?sslmode=require'

# Use TLS for Redis if supported
infisical_core['REDIS_URL'] = 'rediss://user:password@redis:6380'

After making configuration changes, apply them with:

bash
infisical-ctl reconfigure

File Permissions

Verify directory permissions. Ensure proper ownership on application directories:

bash
# Application directory
sudo chown -R root:root /opt/infisical-core
sudo chmod 755 /opt/infisical-core

# Data directory
sudo chown -R infisical:infisical /var/opt/infisical-core
sudo chmod 750 /var/opt/infisical-core

# Log directory
sudo chown -R infisical:infisical /var/log/infisical-core
sudo chmod 750 /var/log/infisical-core

System Security

Disable memory swapping. Prevent sensitive data from being written to disk:

bash
# Disable swap immediately
sudo swapoff -a

# Disable swap permanently (comment out swap entries)
sudo sed -i '/swap/d' /etc/fstab

Disable core dumps. Prevent potential exposure of encryption keys:

bash
# Set system-wide core dump limits
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf

# Disable core dumps for current session
ulimit -c 0

Synchronize system clocks. Ensure accurate time for JWT token validation and audit log timestamps:

bash
# Verify time synchronization is active
# (systemd-timesyncd is enabled by default on most modern distributions;
# replace with chrony or ntp if preferred)
timedatectl status
sudo systemctl enable --now systemd-timesyncd

Network Security

Host firewall configuration. Configure comprehensive firewall for Linux package deployments:

bash
# Configure UFW firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow Infisical API access
sudo ufw allow 8080/tcp

# Allow HTTPS (if terminating TLS at Infisical)
sudo ufw allow 443/tcp

# If running PostgreSQL locally, restrict to localhost
sudo ufw allow from 127.0.0.1 to any port 5432

# If running Redis locally, restrict to localhost
sudo ufw allow from 127.0.0.1 to any port 6379

# Enable firewall
sudo ufw --force enable

Health Monitoring

Monitor service health. Use infisical-ctl to monitor the service:

bash
# Check service status
infisical-ctl status

# Stream real-time logs for monitoring
infisical-ctl tail

Maintenance

Regular updates. Monitor Infisical releases for new package versions. Update using your package manager:

bash
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade infisical-core

# RHEL/CentOS/Amazon Linux
sudo yum update infisical-core

After updating, apply the new version:

bash
infisical-ctl reconfigure

Enterprise Security Features

Hardware Security Module (HSM) Integration

For the highest level of encryption security, integrate with Hardware Security Modules:

HSM integration provides hardware-protected encryption keys stored on tamper-proof devices, offering superior security for encryption operations:

  • Supported HSM Providers: Thales Luna Cloud HSM, AWS CloudHSM, Fortanix HSM
  • Root Key Protection: HSM encrypts Infisical's root encryption keys using hardware-protected keys
  • Enterprise Requirements: Ideal for government, financial, and healthcare organizations
bash
# HSM Environment Variables (example for production)
HSM_LIB_PATH="/path/to/hsm/library.so"
HSM_PIN="your-hsm-pin"
HSM_SLOT="0"
HSM_KEY_LABEL="infisical-root-key"

For complete HSM setup instructions, see the HSM Integration Guide.

External Key Management Service (KMS) Integration

Leverage cloud-native KMS providers for enhanced security and compliance:

Infisical can integrate with external KMS providers to encrypt project secrets, providing enterprise-grade key management:

  • Supported Providers: AWS KMS, Google Cloud KMS, Azure Key Vault (coming soon)
  • Workspace Key Protection: Each project's encryption key is protected by your external KMS
  • Envelope Encryption: Infisical uses your cloud KMS to encrypt/decrypt project workspace keys, which in turn encrypt the actual secret data
  • Compliance: Leverage your cloud provider's compliance certifications (FedRAMP, SOC2, ISO 27001)

Benefits for Production Deployments

  • Separation of Concerns: Keys managed in your cloud infrastructure, separate from Infisical
  • Regulatory Compliance: Use your existing compliance-certified KMS infrastructure
  • Audit Integration: KMS operations logged in your cloud provider's audit trails
  • Disaster Recovery: Keys backed by your cloud provider's HA and backup systems
  • Access Controls: Leverage your cloud IAM for KMS access management

Configuration Resources

For external KMS configuration, see:

Advanced Security Configurations

Backup Security

Configure backup encryption. Encrypt PostgreSQL backups:

bash
# PostgreSQL backup with encryption
pg_dump $DB_CONNECTION_URI | gpg --cipher-algo AES256 --compress-algo 1 --symmetric --output backup.sql.gpg

Monitoring and Logging

Implement log monitoring. Set up centralized logging for security analysis and audit trails. Configure your SIEM or logging platform to monitor Infisical operations.

Security Updates

Regular security updates. Monitor the Infisical repository for security updates and apply them promptly.

Compliance and Monitoring

Enterprise Compliance Requirements

For enterprise deployments requiring compliance certifications:

  • Implement audit log retention policies
  • Set up security event monitoring and alerting
  • Configure automated vulnerability scanning
  • Establish incident response procedures
  • Document security controls for compliance audits

Standards Compliance

FIPS 140-3 Compliance

Infisical is compliant with FIPS 140-3, meeting U.S. and Canadian government cryptographic standards through validated cryptographic modules. This certification is designed for organizations that require government-approved encryption implementations. To deploy a FIPS-compliant instance, use the infisical/infisical-fips Docker image, available to Enterprise customers. Our FIPS 140-3 attestation letter is available in the Infisical Trust Center.

SOC 2 Compliance

Infisical is SOC 2 compliant, demonstrating adherence to rigorous security, availability, and confidentiality standards established by the American Institute of CPAs (AICPA). This certification validates our security controls and operational practices for organizations requiring third-party audited security assurance. Our SOC 2 report is available in the Infisical Trust Center.

HIPAA Compliance

Infisical is HIPAA compliant, meeting the security and privacy requirements of the Health Insurance Portability and Accountability Act. This compliance framework ensures appropriate safeguards for protected health information (PHI) for healthcare organizations and their business associates. Our HIPAA certification is available in the Infisical Trust Center.