Setting up Infisical for local development

· Tech · AI-written from my notes

TLDR: brew install infisical/get-cli/infisical, then infisical login, then infisical init in your project. Organize secrets as project > environment > folders. Use infisical run --env=dev -- npm run dev to inject secrets without writing to disk. Works with Terraform/OpenTofu. Free cloud tier is enough for small teams.


Infisical is an open-source secrets manager built for developers. MIT license, project/environment hierarchy, CLI injection, web dashboard, self-hosting option, end-to-end AES-256-GCM encryption.

If you are coming from 1Password’s op CLI, I wrote about why it is not enough.

How secrets are organized

Organization
└── Project (e.g., "my-project")
├── development
│ ├── /database (DATABASE_URL, DATABASE_PASSWORD)
│ └── /api-keys (STRIPE_KEY, SENDGRID_KEY)
├── staging
└── production

Setup

Terminal window
brew install infisical/get-cli/infisical
infisical login # opens browser
cd ~/projects/my-project
infisical init # links directory to project

Docs: infisical.com/docs/cli/overview

Usage

Terminal window
# Read a single secret
DB_PASS=$(infisical secrets get DB_PASSWORD --env=dev --plain --silent)
# Inject all secrets into a process (nothing on disk)
infisical run --env=dev -- npm run dev
# Inject from a specific folder
infisical run --env=dev --path=/database -- npm run dev

Docs: infisical.com/docs/cli/commands/secrets

Terraform/OpenTofu

Official provider with 1.1M+ downloads. Works with OpenTofu.

provider "infisical" {
host = "https://app.infisical.com"
client_id = var.infisical_client_id
client_secret = var.infisical_client_secret
}
data "infisical_secrets" "api" {
env_slug = "production"
workspace_id = "PROJECT_ID"
folder_path = "/database"
}

Supports ephemeral resources (Terraform v1.10+) so secrets never end up in .tfstate files. Supports OIDC auth for CI/CD pipelines.

Cloud vs self-hosted

Cloud (recommended to start): Free tier with up to 3 projects, 3 environments, and 5 identities. Check current pricing for exact limits.

Self-hosted: Docker Compose (PostgreSQL + Redis + Infisical). Same CLI. Docs

What Infisical does not solve

No per-request approval popup. It authenticates once and trusts the session. No biometric integration. These limitations are not unique to Infisical. The real defense is isolating secrets from untrusted processes.


uptime
8,215 days · since 2004
posts
294 · busiest 2026 (64)
words
~143,065 · ~10 h read
topics
tech 239 · personal 55
langs
en 229 · pl 65
written
211 by hand · 83 AI-assisted
projects
3
build
ca50768 · 2026-06-30