infisical-self-host


Infisical Self-Hosted Deployment


This skill guides you through deploying, configuring, and operating Infisical in self-hosted environments. Whether you are running Infisical on Docker, Docker Compose, or Kubernetes, this resource covers essential setup, security hardening, scaling, and maintenance patterns.

Guiding Principles


  1. ENCRYPTION_KEY is critical: this key encrypts all secrets at rest. It is 16 random bytes (32 hex characters), generated with `openssl rand -hex 16`, and cannot be recovered if lost; without it every stored secret is unreadable. Back it up outside the host that runs Infisical, and rotate it only by following Infisical's documented rotation procedure.
  2. AUTH_SECRET is required: this key signs sessions and JWTs. It is 32 random bytes (base64-encoded), generated with `openssl rand -base64 32`, and must stay the same across restarts and be identical on every replica, otherwise existing sessions and tokens stop validating.
  3. Database requirements: PostgreSQL 14 or newer. Always back up the database before upgrading Infisical. Schema migrations run automatically on boot (since v0.111.0-postgres), so the backup is what you restore from if a migration fails part-way.
  4. Redis configuration: Redis 6.2 or newer. Redis Cluster mode is NOT supported; run a standalone instance (simplest, adequate for development) or Redis Sentinel when you need high availability in production.
  5. Stateless architecture: Infisical keeps no local state; everything lives in PostgreSQL and Redis. Scale horizontally by adding replicas that share the same configuration.
  6. FIPS compliance: FIPS 140-2 mode is available via the `infisical/infisical:latest-fips` image. Enable it with `FIPS_ENABLED=true` and the corresponding Node.js options.
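The key-generation steps in principles 1 and 2, as an added example (this is not Infisical's own tooling): it generates both root secrets at the sizes Infisical expects, checks them before use, and writes a 0600 env file the container can read with --env-file. The file name `.env.infisical`, the `init` subcommand and the DB/Redis/site URLs written into the file are assumptions for illustration, not values from the page.

```shell
#!/bin/sh
# Added example, not Infisical's own tooling: generate the two root secrets
# with the exact sizes Infisical expects, validate them, and write them to an
# env file the container can consume. The env file name and the DB/Redis/site
# URLs below are assumptions for illustration.
set -eu

# ENCRYPTION_KEY: 16 random bytes, hex-encoded -> exactly 32 hex characters.
gen_encryption_key() { openssl rand -hex 16; }

# AUTH_SECRET: 32 random bytes, base64-encoded -> 44 characters with one '='.
gen_auth_secret() { openssl rand -base64 32; }

# 0 only if the value is exactly 32 hex characters (16 bytes). Catches a key
# generated with the wrong size (e.g. `openssl rand -hex 32`) before boot.
valid_encryption_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# 0 only if the value is canonical base64 that decodes to exactly 32 bytes.
valid_auth_secret() {
  [ "${#1}" -eq 44 ] || return 1
  bytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  roundtrip=$(printf '%s' "$1" | base64 -d 2>/dev/null | base64 | tr -d '\n')
  [ "$bytes" = "32" ] && [ "$roundtrip" = "$1" ]
}

# Write the env file with owner-only permissions. Refuse to overwrite an
# existing file: a replaced ENCRYPTION_KEY makes every secret already stored
# unrecoverable.
write_env_file() {
  path="$1"
  if [ -e "$path" ]; then
    echo "refusing to overwrite $path: the ENCRYPTION_KEY in it would be lost" >&2
    return 1
  fi
  enc=$(gen_encryption_key)
  auth=$(gen_auth_secret)
  valid_encryption_key "$enc" || { echo "generated ENCRYPTION_KEY has the wrong size" >&2; return 1; }
  valid_auth_secret "$auth" || { echo "generated AUTH_SECRET has the wrong size" >&2; return 1; }
  (
    umask 077
    cat > "$path" <<EOF
# Root secrets: back these up out of band (a vault or offline store, not this host).
ENCRYPTION_KEY=$enc
AUTH_SECRET=$auth
# Assumed addresses; replace with your PostgreSQL 14+ and Redis 6.2+
# (standalone or Sentinel; Redis Cluster is not supported).
DB_CONNECTION_URI=postgres://infisical:change-me@db:5432/infisical
REDIS_URL=redis://redis:6379
SITE_URL=https://secrets.example.com
EOF
  )
  echo "wrote $path (mode 0600)" >&2
}

# Usage: sh infisical-env.sh init [path]   (no-op when sourced for review)
if [ "${1:-}" = "init" ]; then
  write_env_file "${2:-.env.infisical}"
fi
```

The validators are deliberately strict: a hex key of any other length or a base64 value that does not round-trip to exactly 32 bytes is rejected, so a typo or a copy-paste of the wrong secret is caught before the first boot rather than after data has been encrypted under it.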

Quick Start


  • Docker standalone: pull `infisical/infisical:<version>`, set the environment variables, and run it; the app listens on port 8080 inside the container.
  • Docker Compose: use `docker-compose.prod.yml` from the repository, which brings up PostgreSQL and Redis alongside Infisical.
  • Kubernetes: deploy the Helm chart `infisical-standalone-postgres` from the Cloudsmith registry, either with the chart's bundled PostgreSQL and Redis or pointed at externally managed ones.
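The Docker standalone path above, as an added example that is not part of Infisical's own scripts: it starts one container with the hardening the Docker deployment guide lists (read-only root filesystem, dropped capabilities, no new privileges) and blocks until the status endpoint answers. Assumed, not taken from the page: an env file holding ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI, REDIS_URL and SITE_URL; a reverse proxy terminating TLS in front of 127.0.0.1:8080; that `/api/status` returns HTTP 200 once the app is up; the default image tag and the `up` subcommand; and that /tmp is the only writable path the app needs under --read-only (add further --tmpfs mounts if it writes elsewhere).

```shell
#!/bin/sh
# Added example, not Infisical's own scripts: run one Infisical container with a
# reduced attack surface and wait until /api/status answers. Assumptions: the env
# file exists, the image tag is replaced by a pinned version, TLS is terminated by
# a reverse proxy in front of 127.0.0.1:8080, and the app needs no writable path
# other than /tmp under --read-only.
set -eu

IMAGE="${INFISICAL_IMAGE:-infisical/infisical:latest-postgres}"  # assumed default; pin a version
DOCKER="${DOCKER:-docker}"                                        # override (e.g. echo) for a dry run
WAIT_INTERVAL="${WAIT_INTERVAL:-2}"                               # seconds between health probes

# Launch the container with everything it does not need removed: read-only root
# filesystem (tmpfs for /tmp), all Linux capabilities dropped, no privilege
# escalation, and the port bound to loopback only so the reverse proxy is the
# sole public entry point.
run_hardened() {
  env_file="$1"
  image="$2"
  [ -r "$env_file" ] || { echo "missing env file: $env_file" >&2; return 1; }
  "$DOCKER" run --detach --name infisical \
    --env-file "$env_file" \
    --publish 127.0.0.1:8080:8080 \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --cap-drop ALL \
    --security-opt no-new-privileges:true \
    --restart unless-stopped \
    "$image"
}

# Retry a command until it exits 0 or the timeout (seconds) elapses.
wait_for() {
  cmd="$1"
  timeout="$2"
  waited=0
  until sh -c "$cmd" >/dev/null 2>&1; do
    waited=$((waited + WAIT_INTERVAL))
    if [ "$waited" -ge "$timeout" ]; then
      return 1
    fi
    sleep "$WAIT_INTERVAL"
  done
  return 0
}

# Bring the service up and block until it reports healthy. Schema migrations run
# on boot (v0.111.0-postgres and later), so the first healthy answer can take a
# while; allow a generous timeout.
start_infisical() {
  env_file="${1:-.env.infisical}"
  "$DOCKER" pull "$IMAGE"
  run_hardened "$env_file" "$IMAGE"
  if wait_for "curl -fsS http://127.0.0.1:8080/api/status" 180; then
    echo "infisical is healthy on http://127.0.0.1:8080" >&2
  else
    echo "not healthy after 180s; inspect with: $DOCKER logs infisical" >&2
    return 1
  fi
}

# Usage: sh infisical-run.sh up [env-file]   (no-op when sourced for review)
if [ "${1:-}" = "up" ]; then
  start_infisical "${2:-}"
fi
```

Setting `DOCKER=echo` turns `run_hardened` into a dry run that prints the exact command line, which is a convenient way to review the flags in a change request before anything is started.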

Reference Guides


Environment Variables


Complete reference for all configuration environment variables, including:
  • Required keys (ENCRYPTION_KEY, AUTH_SECRET, database, Redis)
  • Database and replication setup
  • Redis with Sentinel support
  • SMTP configuration
  • OAuth/SSO providers
  • FIPS and telemetry settings
  • Security options

Docker Deployment


Docker and Docker Compose deployment patterns, including:
  • Standalone container setup
  • Docker Compose production stack
  • Image variants (standard and FIPS)
  • Production hardening (dropped Linux capabilities, read-only filesystems)
  • Health checks

Kubernetes Deployment


Kubernetes and Helm deployment guide, including:
  • Helm chart installation and configuration
  • Secret creation and management
  • Optional PostgreSQL and Redis (Bitnami charts)
  • Pod security and RBAC
  • Network policies and Ingress/TLS

Scaling and High Availability


Production scaling patterns and HA architecture, including:
  • Horizontal scaling (adding replicas)
  • Sizing guidelines for Infisical, PostgreSQL, and Redis
  • Database read replicas
  • Redis Sentinel for HA
  • Backup and upgrade procedures
  • Outbound firewall rules for reaching the license server