Prerequisites & VPS Selection
Before beginning the installation, ensure you have the following:
- A domain name pointed to your VPS IP address
- Root or sudo access to the server
- Basic knowledge of Docker and Linux command line
- SMTP credentials for email notifications (optional)
Initial Server Setup
Update system and configure firewall:
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget git ufw
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
⚠️ Warning: Ensure SSH (port 22) is allowed before enabling UFW!
Install Docker & Docker Compose
Install Docker for container management:
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
sudo apt install -y docker-compose-plugin
newgrp docker
docker --version
docker compose version
Deploy Infisical with Docker Compose
Create directory and generate encryption keys:
mkdir -p ~/infisical
cd ~/infisical
ENCRYPTION_KEY=$(openssl rand -hex 32)
AUTH_SECRET=$(openssl rand -hex 32)
echo "ENCRYPTION_KEY=$ENCRYPTION_KEY"
echo "AUTH_SECRET=$AUTH_SECRET"
⚠️ Important: Save these keys securely! They are critical for decrypting your secrets and cannot be recovered if lost.
version: '3.9'
services:
  infisical-db:
    image: postgres:14-alpine
    container_name: infisical-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: infisical
      POSTGRES_PASSWORD: your_secure_db_password
      POSTGRES_DB: infisical
    volumes:
      - infisical-db-data:/var/lib/postgresql/data
    networks:
      - infisical-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U infisical"]
      interval: 10s
      timeout: 5s
      retries: 5
  infisical-redis:
    image: redis:7-alpine
    container_name: infisical-redis
    restart: unless-stopped
    command: redis-server --requirepass your_redis_password
    volumes:
      - infisical-redis-data:/data
    networks:
      - infisical-network
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
  infisical:
    image: infisical/infisical:latest
    container_name: infisical
    restart: unless-stopped
    depends_on:
      infisical-db:
        condition: service_healthy
      infisical-redis:
        condition: service_healthy
    environment:
      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
      - AUTH_SECRET=${AUTH_SECRET}
      - DB_CONNECTION_URI=postgres://infisical:your_secure_db_password@infisical-db:5432/infisical
      - REDIS_URL=redis://:your_redis_password@infisical-redis:6379
      - SITE_URL=https://secrets.yourdomain.com
    ports:
      - "127.0.0.1:8080:8080"
    networks:
      - infisical-network
    volumes:
      - infisical-data:/app/data
volumes:
  infisical-db-data:
  infisical-redis-data:
  infisical-data:
networks:
  infisical-network:
    driver: bridge
⚠️ Important: Replace secrets.yourdomain.com and passwords with your actual values!
cat > .env << EOF
ENCRYPTION_KEY=your_encryption_key_here
AUTH_SECRET=your_auth_secret_here
EOF
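Two checks worth running before starting the stack, as an added example that is not part of the original guide (all function names are hypothetical): `write_infisical_env` creates `.env` with freshly generated keys at mode 0600 and refuses to overwrite an existing file, and `has_placeholders` lists any of this guide's placeholder values still present in the files you pass it.

```shell
#!/bin/bash
# Added example, not part of the original guide. Function names are hypothetical.

# Print 32 random bytes as hex (same output shape as `openssl rand -hex 32`).
gen_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    fi
}

# write_infisical_env DIR: create DIR/.env with fresh keys, readable by owner only.
# Returns non-zero and changes nothing if DIR/.env already exists.
write_infisical_env() {
    env_file="$1/.env"
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite $env_file (it holds the only copy of the keys)" >&2
        return 1
    fi
    (
        umask 077   # created as 0600, never briefly world-readable
        set -C      # noclobber: the redirect fails if the file appeared meanwhile
        {
            printf 'ENCRYPTION_KEY=%s\n' "$(gen_hex32)"
            printf 'AUTH_SECRET=%s\n' "$(gen_hex32)"
        } > "$env_file"
    )
}

# has_placeholders FILE...: succeed (and list the lines) if any of this guide's
# placeholder values are still present in the given files.
has_placeholders() {
    grep -nE 'your_(secure_db|redis)_password|your_(encryption_key|auth_secret)_here|secrets\.yourdomain\.com' "$@"
}
```

Call `write_infisical_env ~/infisical` once, then run `has_placeholders` against the Compose file and `.env`; any line it prints still needs a real value.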
docker compose up -d
docker ps
Configure Nginx Reverse Proxy
Install Nginx and configure reverse proxy:
sudo apt install nginx certbot python3-certbot-nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
server {
    listen 80;
    listen [::]:80;
    server_name secrets.yourdomain.com;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name secrets.yourdomain.com;
    client_max_body_size 10M;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
sudo ln -s /etc/nginx/sites-available/infisical /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Obtain SSL Certificate
sudo certbot --nginx -d secrets.yourdomain.com
✅ Follow prompts to complete SSL setup. Certbot will auto-configure Nginx.
Initial Configuration
Create Admin Account
- Navigate to your Infisical instance in a web browser
- Click on Sign Up to create the first admin account
- Enter your email address and create a strong password
- Verify your email address (if SMTP is configured)
- Complete the initial setup wizard
Create Your First Project
- Click on Create Project in the dashboard
- Enter a project name and description
- Configure environments (Development, Staging, Production)
- Set up team members and access controls
Secure Your Installation
Enable Two-Factor Authentication
Navigate to Settings → Security and enable "Require 2FA for organization". Use TOTP apps like Google Authenticator or Authy.
Regular Updates
cd ~/infisical
docker compose pull
docker compose up -d
Audit Logging
Enable comprehensive audit logging in Settings → Audit Logs. Configure log retention policies and set up alerts for suspicious activities.
Backup & Disaster Recovery
Regular backups are critical for secrets management:
#!/bin/bash
# Backups hold the encryption keys and the secrets database: owner-only access
umask 077
BACKUP_DIR="/home/backup/infisical"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "${BACKUP_DIR}"
# Backup PostgreSQL database
docker exec infisical-db pg_dump -U infisical infisical | gzip > "${BACKUP_DIR}/infisical_db_${DATE}.sql.gz"
# Backup encryption keys (CRITICAL)
cp ~/infisical/.env "${BACKUP_DIR}/env_${DATE}.backup"
# Backup Redis data (the Compose file sets requirepass, so redis-cli must authenticate)
docker exec infisical-redis redis-cli -a your_redis_password --no-auth-warning --rdb /data/dump.rdb save
docker cp infisical-redis:/data/dump.rdb "${BACKUP_DIR}/redis_${DATE}.rdb"
# Remove backups older than 30 days
find "${BACKUP_DIR}" -name "*.gz" -mtime +30 -delete
find "${BACKUP_DIR}" -name "*.backup" -mtime +30 -delete
find "${BACKUP_DIR}" -name "*.rdb" -mtime +30 -delete
chmod +x backup-infisical.sh
# Add to crontab for daily backups at 2 AM
crontab -e
# Add: 0 2 * * * /home/user/backup-infisical.sh
Monitoring & Maintenance
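Confirming that the latest backup is usable is part of routine maintenance. The backup script pipes pg_dump into gzip, so a failed dump can still leave a well-formed .sql.gz file; this added example (not from the original guide; `verify_pg_backup` is a hypothetical name and it assumes the plain-format dump the script produces) checks permissions, gzip integrity and the trailer pg_dump writes at the end of a complete dump.

```shell
#!/bin/bash
# Added example, not part of the original guide.
# verify_pg_backup FILE
#   0 = private, intact and complete
#   1 = missing or empty        2 = readable by group/other
#   3 = corrupt gzip            4 = dump ended early (no pg_dump trailer)
verify_pg_backup() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    # The dump contains every stored secret (encrypted); keep it owner-only.
    case $(ls -l "$f" | cut -c5-10) in
        ------) ;;
        *) echo "permissions too open: $f" >&2; return 2 ;;
    esac
    gzip -t "$f" 2>/dev/null || { echo "corrupt gzip: $f" >&2; return 3; }
    # pg_dump writes this comment last; a failed or interrupted dump lacks it.
    gzip -dc "$f" | tail -n 10 | grep -q 'PostgreSQL database dump complete' \
        || { echo "incomplete dump: $f" >&2; return 4; }
    return 0
}
```

Run it on the newest file in the backup directory after the cron job finishes and alert on any non-zero status.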
# Check container status
docker compose ps
# View container logs
docker compose logs -f infisical
# Monitor resource usage
docker stats
# Run VACUUM to reclaim space
docker exec infisical-db psql -U infisical -c "VACUUM FULL;"
# Analyze tables for query optimization
docker exec infisical-db psql -U infisical -c "ANALYZE;"
# Add to crontab for automatic renewal
0 3 * * * certbot renew --quiet && systemctl reload nginx
Troubleshooting
CLI & CI/CD Integrations
Install Infisical CLI
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
sudo apt-get update && sudo apt-get install infisical
# Login to your Infisical instance
infisical login --domain=https://secrets.yourdomain.com
# Run your application with secrets injected
infisical run --env=production -- npm start
GitHub Actions Integration
name: Deploy Application
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: infisical/action@v1
        with:
          infisical-host: https://secrets.yourdomain.com
          infisical-token: ${{ secrets.INFISICAL_TOKEN }}
          env-slug: production
      - run: npm install
      - run: npm run deploy
Deployment Complete!
You now have a fully functional self-hosted Infisical instance. This provides enterprise-grade secrets management with complete control over your sensitive data.
Remember to regularly update, maintain backups, and review audit logs for security.