Setting up Infisical for local development


TLDR: brew install infisical/get-cli/infisical, then infisical login, then infisical init in your project. Organize secrets as project > environment > folders. Use infisical run --env=dev -- npm run dev to inject secrets without writing to disk. Works with Terraform/OpenTofu. Free cloud tier is enough for small teams.
Infisical is an open-source secrets manager built for developers. MIT license, project/environment hierarchy, CLI injection, web dashboard, self-hosting option, end-to-end AES-256-GCM encryption.

If you are coming from 1Password’s op CLI, I wrote about why it is not enough.

How secrets are organized

Organization
└── Project (e.g., "my-project")
    ├── development
    │   ├── /database (DATABASE_URL, DATABASE_PASSWORD)
    │   └── /api-keys (STRIPE_KEY, SENDGRID_KEY)
    ├── staging
    └── production

Setup

brew install infisical/get-cli/infisical
infisical login    # opens browser
cd ~/projects/my-project
infisical init     # links directory to project

Docs: infisical.com/docs/cli/overview

Usage

# Read a single secret
DB_PASS=$(infisical secrets get DB_PASSWORD --env=dev --plain --silent)
# Inject all secrets into a process (nothing on disk)
infisical run --env=dev -- npm run dev
# Inject from a specific folder
infisical run --env=dev --path=/database -- npm run dev

Docs: infisical.com/docs/cli/commands/secrets
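To make the "nothing on disk" claim concrete, here is an added example (not code from the post or from the Infisical project) that re-creates the core of what `infisical run` does: a producer command emits KEY=value lines on stdout, and the target command is started with those pairs in its environment only. No file is written, the pairs travel through a pipe, and the calling shell never sees them because everything happens in a subshell that is replaced by the target via `exec`. The assumption in the lead-in and the comments is that `infisical export --env=dev --format=dotenv` is the producer you would use against the real service; the test below uses a constructed `printf` producer so it runs offline.

```shell
#!/bin/sh
# Added example, not from the post or the Infisical project.
# run_with_secrets PRODUCER_CMD TARGET_CMD
#   PRODUCER_CMD: shell string that writes dotenv lines (KEY=value) to stdout.
#                 With the real tool this is assumed to be
#                 'infisical export --env=dev --format=dotenv'.
#   TARGET_CMD:   shell string executed with the secrets in its environment.
run_with_secrets() {
    producer="$1"
    target="$2"
    # A subshell: every export below dies with it, so the caller's shell
    # never holds the secret values.
    (
        # The producer's output goes through a pipe, never a temp file.
        sh -c "$producer" | {
            while IFS= read -r line || [ -n "$line" ]; do
                # Skip blank lines, comments and lines without '='.
                case "$line" in
                    ''|'#'*) continue ;;
                    *=*) ;;
                    *) continue ;;
                esac
                key=${line%%=*}
                value=${line#*=}
                # Only accept keys that look like environment variable names.
                case "$key" in
                    [A-Za-z_]*) ;;
                    *) continue ;;
                esac
                # Strip one layer of surrounding double or single quotes,
                # the common dotenv convention for values with spaces.
                case "$value" in
                    \"*\") value=${value#\"}; value=${value%\"} ;;
                    \'*\') value=${value#\'}; value=${value%\'} ;;
                esac
                export "$key=$value"
            done
            # Replace this subshell with the target: the environment is
            # inherited, and nothing else of the injection remains.
            exec sh -c "$target"
        }
    )
}
```

In practice you would just call `infisical run --env=dev -- npm run dev`; the point of the function is to show where the secrets live (the child's environment) and where they do not (the filesystem, the parent shell, `.env` files), which is the property the post relies on. Any process that can read the child's environment (`/proc/<pid>/environ`, a debugger with ptrace rights, a compromised dependency inside the child) can still read them, which is why the post's closing section says the real defense is isolating secrets from untrusted processes.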

Terraform/OpenTofu

Official provider with 1.1M+ downloads. Works with OpenTofu.

provider "infisical" {
  host          = "https://app.infisical.com"
  client_id     = var.infisical_client_id
  client_secret = var.infisical_client_secret
}

data "infisical_secrets" "api" {
  env_slug     = "production"
  workspace_id = "PROJECT_ID"
  folder_path  = "/database"
}

Supports ephemeral resources (Terraform v1.10+) so secrets never end up in .tfstate files. Note that a data source like the one above does persist the fetched values in state, so use the ephemeral form for anything that must not be written there. Supports OIDC auth for CI/CD pipelines, which avoids storing a long-lived client secret in the pipeline.

Cloud vs self-hosted

Cloud (recommended to start): Free tier with up to 3 projects, 3 environments, and 5 identities. Check current pricing for exact limits.

Self-hosted: Docker Compose (PostgreSQL + Redis + Infisical). Same CLI. Docs

What Infisical does not solve

No per-request approval popup. It authenticates once and trusts the session. No biometric integration. These limitations are not unique to Infisical. The real defense is isolating secrets from untrusted processes.