docker.recipes

Infisical Secret Management

intermediate

Open source secret management platform for teams.

Overview

Infisical is an open-source secret management platform launched in 2022 that helps development teams securely store, manage, and sync environment variables, API keys, database credentials, and other sensitive configuration data across their applications and infrastructure. Unlike traditional solutions that require complex enterprise setups, Infisical provides a developer-friendly approach to secret management with features like automatic secret injection, audit logging, role-based access controls, and integrations with popular CI/CD platforms and cloud providers.

This Docker stack combines Infisical with MongoDB for persistent secret storage, Redis for session management and caching, and SMTP4dev for email functionality testing. MongoDB handles the encrypted storage of secrets and user data with Infisical's client-side encryption ensuring secrets remain secure even at the database level. Redis provides fast session storage and caching for the web interface, while SMTP4dev serves as a local email server for testing user invitations, password resets, and security notifications without requiring external email services.

This configuration is ideal for development teams, DevOps engineers, and security-conscious organizations who need centralized secret management without vendor lock-in. The self-hosted approach gives complete control over sensitive data while the containerized setup allows for easy deployment in development environments, on-premises infrastructure, or private cloud instances where data sovereignty and compliance requirements prohibit using external secret management services.

Key Features

  • Client-side encryption with multiple encryption keys for different secret types and JWT token management
  • MongoDB-backed persistent storage with automatic secret versioning and audit trail capabilities
  • Redis-powered session management for fast web interface performance and user authentication
  • Integrated CLI tool for syncing secrets directly to local development environments and CI/CD pipelines
  • SMTP4dev email server for testing user invitations, password resets, and security notifications locally
  • Role-based access controls with project-level permissions and team management features
  • REST API and SDK support for programmatic secret retrieval in applications
  • Real-time secret synchronization across development, staging, and production environments

Common Use Cases

  • Development teams managing API keys, database credentials, and configuration across multiple environments
  • Startups requiring secure secret management without the cost of enterprise solutions like HashiCorp Vault
  • Organizations with data sovereignty requirements needing on-premises secret storage
  • DevOps teams implementing GitOps workflows while keeping secrets out of version control
  • Companies transitioning from hardcoded secrets or basic environment variable management
  • Security teams establishing centralized secret management with audit logging and access controls
  • Development agencies managing secrets across multiple client projects with isolated access

Prerequisites

  • Docker and Docker Compose with at least 2GB available RAM for MongoDB and Redis operations
  • Ports 8080 and 5000 available on the host system for Infisical web interface and SMTP4dev
  • Generated encryption keys for ENCRYPTION_KEY, JWT secrets - use strong 32+ character random strings
  • Basic understanding of secret management concepts and environment variable injection
  • Node.js environment if planning to use the Infisical CLI for local development integration
  • Network access planning if deploying in production environments with firewall restrictions

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  infisical:
    image: infisical/infisical:latest
    ports:
      - "8080:8080"
    environment:
      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
      JWT_SIGNUP_SECRET: ${JWT_SIGNUP_SECRET}
      JWT_REFRESH_SECRET: ${JWT_REFRESH_SECRET}
      JWT_AUTH_SECRET: ${JWT_AUTH_SECRET}
      JWT_SERVICE_SECRET: ${JWT_SERVICE_SECRET}
      SITE_URL: http://localhost:8080
      MONGO_URL: mongodb://mongo:27017/infisical
      REDIS_URL: redis://redis:6379
      SMTP_HOST: smtp4dev
      SMTP_PORT: 25
      SMTP_FROM_ADDRESS: noreply@infisical.local
    depends_on:
      - mongo
      - redis
    networks:
      - infisical-net
    restart: unless-stopped

  mongo:
    image: mongo:7
    volumes:
      - mongo_data:/data/db
    networks:
      - infisical-net
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data
    networks:
      - infisical-net
    restart: unless-stopped

  smtp4dev:
    image: rnwood/smtp4dev:latest
    ports:
      - "5000:80"
    networks:
      - infisical-net
    restart: unless-stopped

volumes:
  mongo_data:
  redis_data:

networks:
  infisical-net:
    driver: bridge

.env Template

.env
# Infisical Secrets (generate with openssl rand -hex 32)
# Docker Compose does not execute $(...) inside a .env file:
# replace each value below with the output of the command shown.
ENCRYPTION_KEY=$(openssl rand -hex 16)
JWT_SIGNUP_SECRET=$(openssl rand -hex 32)
JWT_REFRESH_SECRET=$(openssl rand -hex 32)
JWT_AUTH_SECRET=$(openssl rand -hex 32)
JWT_SERVICE_SECRET=$(openssl rand -hex 32)

Usage Notes

  1. Infisical at http://localhost:8080
  2. Create organization and project
  3. Install CLI: npm install -g @infisical/cli
  4. Sync secrets to local environment

Individual Services (4 services)

Copy individual services to mix and match with your existing compose files.

infisical
infisical:
  image: infisical/infisical:latest
  ports:
    - "8080:8080"
  environment:
    ENCRYPTION_KEY: ${ENCRYPTION_KEY}
    JWT_SIGNUP_SECRET: ${JWT_SIGNUP_SECRET}
    JWT_REFRESH_SECRET: ${JWT_REFRESH_SECRET}
    JWT_AUTH_SECRET: ${JWT_AUTH_SECRET}
    JWT_SERVICE_SECRET: ${JWT_SERVICE_SECRET}
    SITE_URL: http://localhost:8080
    MONGO_URL: mongodb://mongo:27017/infisical
    REDIS_URL: redis://redis:6379
    SMTP_HOST: smtp4dev
    SMTP_PORT: 25
    SMTP_FROM_ADDRESS: noreply@infisical.local
  depends_on:
    - mongo
    - redis
  networks:
    - infisical-net
  restart: unless-stopped
mongo
mongo:
  image: mongo:7
  volumes:
    - mongo_data:/data/db
  networks:
    - infisical-net
  restart: unless-stopped
redis
redis:
  image: redis:7-alpine
  volumes:
    - redis_data:/data
  networks:
    - infisical-net
  restart: unless-stopped
smtp4dev
smtp4dev:
  image: rnwood/smtp4dev:latest
  ports:
    - "5000:80"
  networks:
    - infisical-net
  restart: unless-stopped

Quick Start

terminal
# 1. Create the compose file
# (quoted 'EOF' keeps the ${...} references literal for Compose to resolve)
cat > docker-compose.yml << 'EOF'
services:
  infisical:
    image: infisical/infisical:latest
    ports:
      - "8080:8080"
    environment:
      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
      JWT_SIGNUP_SECRET: ${JWT_SIGNUP_SECRET}
      JWT_REFRESH_SECRET: ${JWT_REFRESH_SECRET}
      JWT_AUTH_SECRET: ${JWT_AUTH_SECRET}
      JWT_SERVICE_SECRET: ${JWT_SERVICE_SECRET}
      SITE_URL: http://localhost:8080
      MONGO_URL: mongodb://mongo:27017/infisical
      REDIS_URL: redis://redis:6379
      SMTP_HOST: smtp4dev
      SMTP_PORT: 25
      SMTP_FROM_ADDRESS: noreply@infisical.local
    depends_on:
      - mongo
      - redis
    networks:
      - infisical-net
    restart: unless-stopped

  mongo:
    image: mongo:7
    volumes:
      - mongo_data:/data/db
    networks:
      - infisical-net
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data
    networks:
      - infisical-net
    restart: unless-stopped

  smtp4dev:
    image: rnwood/smtp4dev:latest
    ports:
      - "5000:80"
    networks:
      - infisical-net
    restart: unless-stopped

volumes:
  mongo_data:
  redis_data:

networks:
  infisical-net:
    driver: bridge
EOF

# 2. Create the .env file
# (unquoted EOF so the shell expands each $(openssl ...) into a random value)
cat > .env << EOF
# Infisical Secrets (generate with openssl rand -hex 32)
ENCRYPTION_KEY=$(openssl rand -hex 16)
JWT_SIGNUP_SECRET=$(openssl rand -hex 32)
JWT_REFRESH_SECRET=$(openssl rand -hex 32)
JWT_AUTH_SECRET=$(openssl rand -hex 32)
JWT_SERVICE_SECRET=$(openssl rand -hex 32)
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/infisical-secrets/run | bash

Troubleshooting

  • Infisical fails to start with encryption key errors: Ensure all JWT secrets and ENCRYPTION_KEY are properly set with strong random values of at least 32 characters
  • MongoDB connection failures on startup: Verify the mongo service is healthy and the MONGO_URL matches the service name and port in the Docker network
  • Redis connection timeouts affecting session management: Check Redis service status and ensure REDIS_URL format is correct with redis://redis:6379
  • SMTP4dev not receiving emails from Infisical: Verify SMTP_HOST points to 'smtp4dev' service name and port 25 is correctly configured
  • Web interface loads but login fails: Check MongoDB data persistence and ensure the mongo_data volume is properly mounted and writable
  • CLI authentication errors: Verify the SITE_URL matches your actual Infisical access URL and check network connectivity between CLI and container
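
A pre-flight check for the first item above, as an added example that is not part of the original recipe. The function name check_infisical_env and the sample file are constructed here; the key names and the 32-character minimum come from this page. It flags a .env whose values are still the literal $(openssl ...) text, which is what a file written without shell expansion contains.

```shell
#!/bin/sh
# Added example (not from the recipe): pre-flight check for this stack's .env.
# Key names and the 32-character minimum are taken from the page.
REQUIRED_KEYS="ENCRYPTION_KEY JWT_SIGNUP_SECRET JWT_REFRESH_SECRET JWT_AUTH_SECRET JWT_SERVICE_SECRET"
MIN_LEN=32

# check_infisical_env FILE: print one line per problem; return 0 only if clean.
check_infisical_env() {
    env_file=$1
    problems=0
    seen=""
    [ -r "$env_file" ] || { echo "cannot read $env_file"; return 2; }
    for key in $REQUIRED_KEYS; do
        # Use the last assignment if the key appears more than once.
        value=$(sed -n "s/^${key}=//p" "$env_file" | tail -n 1)
        if [ -z "$value" ]; then
            echo "$key: missing or empty"; problems=$((problems + 1)); continue
        fi
        case $value in
            *'$('*|*'`'*)
                # The file holds the command text itself, not its output.
                echo "$key: unexpanded command substitution"
                problems=$((problems + 1)); continue ;;
        esac
        if [ "${#value}" -lt "$MIN_LEN" ]; then
            echo "$key: only ${#value} characters, need $MIN_LEN or more"
            problems=$((problems + 1))
        fi
        # Each secret should be generated independently of the others.
        case " $seen " in
            *" $value "*) echo "$key: same value as another key"
                          problems=$((problems + 1)) ;;
        esac
        seen="$seen $value"
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: a .env written without shell expansion, plus a weak value.
sample=$(mktemp)
cat > "$sample" << 'EOF'
ENCRYPTION_KEY=$(openssl rand -hex 16)
JWT_SIGNUP_SECRET=$(openssl rand -hex 32)
JWT_REFRESH_SECRET=changeme
JWT_AUTH_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
check_infisical_env "$sample" || echo "fix the file before running: docker compose up -d"
rm -f "$sample"
```

Run it as `check_infisical_env .env` in the recipe directory before starting the stack.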
