Self-hosting secrets management tools like Infisical provides greater control over your sensitive data and aligns with best practices in a self-hosted environment. This guide will walk you through installing Infisical on a VPS using Docker, covering server preparation, Docker setup, and securing your deployment.
Why Self-Host Infisical?
Infisical is an open-source secrets management platform designed for developers and homelabbers to securely store API keys, tokens, and other sensitive data. Hosting it yourself eliminates reliance on third-party services, improves security, and offers full control over your environment.
Prerequisites
- A VPS with a Linux distribution (Ubuntu 22.04 LTS is recommended)
- A domain (optional but recommended for SSL)
- Basic Linux command-line skills
- Root or sudo access on your VPS
- Docker and Docker Compose installed on the VPS
Choosing a VPS Provider
For cost-effective and reliable hosting, consider providers like:
| Provider | Price (per month) |
|---|---|
| Contabo VPS | 5.99 EUR |
| Hetzner Cloud | 4.15 EUR |
| DigitalOcean | 6 USD |
| Vultr | 6 USD |
| Linode | 5 USD |
For a full VPS comparison, check /en/best/.
Step 1: Set Up Your VPS Environment
Log in to your VPS
```bash
ssh user@your-vps-ip
```
Update your system
```bash
sudo apt update && sudo apt upgrade -y
```
Install Docker and Docker Compose
```bash
sudo apt install -y docker.io docker-compose
sudo systemctl enable --now docker
```
Verify the installation:
```bash
docker --version
docker-compose --version
```
Step 2: Prepare Docker Compose File for Infisical
Create a directory for Infisical.
```bash
mkdir ~/infisical && cd ~/infisical
```
Create docker-compose.yml:
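```yaml
version: '3'
services:
  infisical:
    image: infisical/infisical:latest
    container_name: infisical
    ports:
      # HOST:CONTAINER with no host IP publishes on all host interfaces
      - "3000:3000"
    environment:
      - NODE_ENV=production
      - PORT=3000
    volumes:
      # named volume for persistent data; include it in backups
      - infisical_data:/app/data
    restart: unless-stopped
volumes:
  infisical_data:
```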
Note: Replace the image with the latest stable from the official registry if needed.
Step 3: Start Infisical
Run the container:
```bash
docker-compose up -d
```
Check if it's running:
```bash
docker ps
```
You should see the Infisical container active.
Step 4: Configure Domain and SSL (Optional)
Using a domain and SSL certificate improves security. You can use Certbot with Nginx as a reverse proxy.
Install Nginx
```bash
sudo apt install -y nginx
```
Configure Nginx
Create a configuration file at /etc/nginx/sites-available/infisical:
```nginx
server {
    listen 80;
    server_name your.domain.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Link and enable the site:
```bash
sudo ln -s /etc/nginx/sites-available/infisical /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
```
Enable HTTPS with Certbot
```bash
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your.domain.com
```
Follow prompts for SSL setup.
Step 5: Use Infisical
Access your deployment via https://your.domain.com. You will need to set up an admin account initially.
Adding Secrets
You can add secrets via the web UI or CLI, depending on your preferred workflow.
Comparison Table: Self-Hosting Infisical vs Alternatives
| Feature | Self-Hosting Infisical | Managed Secrets Managers |
|---|---|---|
| Control | Full control over data and environment | Limited, managed by third-party provider |
| Cost | VPS costs from 4.15 EUR to 6 USD/month | Usually subscription-based, higher cost |
| Customization | Highly customizable with Docker and server configs | Limited customization options |
| Security | Depends on user setup, but can be highly secure | Usually compliant, less user control |
| Maintenance | User responsible for updates, backups, security patches | Provider handles maintenance |
FAQs
How do I keep Infisical updated on my VPS?
You can update Infisical by pulling the latest Docker image and restarting the container. Use:
```bash
docker-compose pull
docker-compose up -d
```
Automate updates using a cron job or CI/CD pipeline if preferred.
What are best practices for securing my self-hosted Infisical?
Implement HTTPS via SSL certificates, restrict access with firewalls (iptables, ufw), change default ports if necessary, and enable two-factor authentication if supported. Regular backups of your data volume are also critical.
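An added example, not part of the original guide or of Infisical's tooling: a shell check for two compose settings that undercut the advice above. An unpinned `:latest` image means `docker-compose pull` changes the running version unreviewed, and a port published on all interfaces is handled by Docker's own iptables rules rather than ufw, so port 3000 stays reachable over plain HTTP beside the Nginx proxy. The function name `audit_compose`, the sample files and the `PINNED_TAG` placeholder are assumptions made for illustration; only short-syntax `ports:` entries are parsed.

```shell
# Added example: line-based checks for a short-syntax compose file.
# This is not a YAML parser; long-syntax port mappings are not handled.
audit_compose() {   # usage: audit_compose < docker-compose.yml
  awk -v q="'" '
    /^[ \t]*image:/ {
      img = $2; gsub(/"/, "", img); gsub(q, "", img)
      name = img; sub(/.*\//, "", name)          # last path component
      # No tag or :latest means "docker-compose pull" can swap the version.
      if (img !~ /@sha256:/ && (name !~ /:/ || name ~ /:latest$/))
        print "UNPINNED_IMAGE " img
    }
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-/ {
      p = $0; sub(/[ \t]+#.*$/, "", p)           # drop trailing comment
      sub(/^[ \t]*-[ \t]*/, "", p); gsub(/[" \t]/, "", p); gsub(q, "", p)
      n = split(p, f, ":")
      # Only IP:HOST:CONTAINER with IP 127.0.0.1 stays off public interfaces.
      if (n < 3 || f[1] != "127.0.0.1") print "PUBLIC_PORT " p
      next
    }
    # Any other non-blank, non-comment line ends the ports list.
    in_ports && !/^[ \t]*#/ && !/^[ \t]*$/ { in_ports = 0 }
  '
}

# Constructed sample: mirrors the image tag and port mapping from Step 2.
sample_weak() {
  cat <<'EOF'
services:
  infisical:
    image: infisical/infisical:latest
    ports:
      - "3000:3000"
EOF
}

# Constructed sample: placeholder tag, port bound to loopback for Nginx only.
sample_hardened() {
  cat <<'EOF'
services:
  infisical:
    image: infisical/infisical:PINNED_TAG
    ports:
      - "127.0.0.1:3000:3000"
EOF
}

sample_weak | audit_compose        # two findings
sample_hardened | audit_compose    # no output
```

With the loopback binding, `proxy_pass http://localhost:3000;` in the Nginx configuration keeps working while direct access to port 3000 from outside the host is closed.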
Can I run Infisical behind a reverse proxy?
Yes, deploying behind Nginx or Traefik improves security and allows SSL termination. Proper configuration ensures secure and seamless access. Routes can be customized for multiple services if needed.
Final Notes
Self-hosting Infisical on a VPS offers a robust, private secret management solution suitable for developers and homelab enthusiasts. The setup process is straightforward with Docker, and securing your deployment involves standard best practices. Be proactive with updates and backups to maintain security and stability.
For more great self-hosted tools and configurations, visit /en/best/ and dive into the self-hosted community on r/selfhosted and awesome-selfhosted.