Given that Infisical is a secret management platform that manages sensitive data, the Infisical security model is very important. The goal of Infisical’s security model is to ensure the security and integrity of all of its managed data as well as all associated operations.

This means that data at rest and in transit must be secure from eavesdropping or tampering. All clients must be authenticated and authorized to access data. Additionally, all interactions must be auditable and traced uniquely back to their source.

Threat model

Infisical’s threat model spans communication, storage, response mechanisms, failover strategies, and more.

  • Eavesdropping on communications: Infisical ensures end-to-end encryption for all client interactions with the Infisical API.
  • Tampering with data (at rest or in transit): Infisical implements data integrity checks to detect tampering. If inconsistencies are found, Infisical aborts transactions and raises alerts.
  • Unauthorized access (lacking authentication/authorization): Infisical mandates rigorous authentication and authorization checks for all inbound requests; it also offers multi-factor authentication and role-based access controls.
  • Actions without accountability: Infisical logs all project-level events, including policy updates, queries/mutations applied to secrets, and more. Every event is timestamped and information about actor, source (i.e. IP address, user-agent, etc.), and relevant metadata is included.
  • Breach of data storage confidentiality: Infisical encrypts all stored secrets using proven cryptographic techniques such as AES-256-GCM for symmetric encryption.
  • Loss of service availability or secret data due to failures: Infisical leverages the robust container orchestration capabilities of Kubernetes and the inherent high availability features of Bitnami MongoDB to ensure resilience and fault tolerance. By deploying multiple replicas of Infisical application on Kubernetes, operations can continue even if a single instance fails.
  • Unrecognized suspicious activities: Infisical monitors for any anomalous activities such as authentication attempts from previously unseen sources.
  • Unidentified system vulnerabilities: Infisical undergoes penetration tests and vulnerability assessments twice a year; we act on findings to bolster the system’s defense mechanisms.

That said, Infisical does not consider the following as part of its threat model:

  • Uncontrolled access to the storage mechanism: An attacker with unfettered access to the storage system can manipulate data in unpredictable ways, including erasing or tampering with stored secrets. Furthermore, the attacker could potentially implement state rollbacks to favor their objectives.
  • Disclosure of secret presence: If an adversary gains read access to the storage backend, they might discern the existence of certain secrets, even if the actual contents remain encrypted and concealed.
  • Runtime memory intrusion: An attacker with capabilities to probe the memory state of a live instance of Infisical can potentially compromise data confidentiality.
  • Vulnerabilities in affiliated systems: Some functionality may rely on third-party services and dependencies. Security lapses in these dependencies can indirectly jeopardize the confidentiality or integrity of the secrets.
  • Breaches via compromised clients: If a system or application accessing Infisical is compromised, and its credentials to the platform are exposed, an attacker might gain access at the privilege level of that compromised entity.
  • Configuration tampering by administrators: Any configuration data, whether supplied through admin interfaces or configuration files, needs scrutiny. If an attacker can manipulate these configurations, it poses risks to data confidentiality and integrity.
  • Physical access to deployment infrastructure: An attacker with physical access to the servers or infrastructure where Infisical is deployed can potentially compromise the system in ways that are challenging to guard against, such as direct hardware tampering or booting from malicious media.
  • Social engineering attacks on personnel: Attacks that target personnel, tricking them into divulging sensitive information or performing compromising actions, fall outside the platform’s direct defensive purview.

It’s essential to note that while these points fall outside the platform’s direct threat model, they still form crucial considerations for an overarching security strategy.

External threat overview

Infisical’s architecture consists of various systems:

  • Infisical API
  • Storage backend
  • Redis
  • Infisical Web UI
  • Infisical clients

The Infisical API requires that the Infisical Web UI and all Infisical clients are authenticated and authorized for every inbound request. If using Infisical Cloud, all traffic is routed through Cloudflare which enforces TLS and requires a minimum of TLS 1.2.

The Infisical API is untrusted by design when dealing with secrets. All secrets are encrypted/decrypted on the client-side before reaching the Infisical API by default; granting Infisical access to secrets afterward is optional and up to your organization.

The storage backend used by Infisical is also untrusted by design. All sensitive data is encrypted either symmetrically with AES-256-GCM or asymmetrically with x25519-xsalsa20-poly1305 prior to entering the storage backend, depending on the context either on the client-side or server-side. Moreover, Infisical communicates with the storage backend over TLS to provide an added layer of security.

Internal threat overview

Within Infisical, a critical security concern is an attacker gaining access to sensitive data that they are not permitted to, especially if they already has some degree of access to the system. There are currently two authentication methods categories used by clients for where we apply robust authentication and authorization logic.

JWT / API Key

This token category is used by users and included in requests made from the Infisical Web UI or elsewhere to the Infisical API.

Each token is authenticated against the API and mapped to an existing user in Infisical. If no existing user is found for the token, the request is rejected by the API. Each token assumes the permission set of the user that it is mapped to. For example, if a user corresponding to a token is not allowed access to a certain organization or project, then the token is also not be valid for any requests concerning those specific resources.

In the event of compromise, an attacker could use the token to impersonate the associated user and perform actions within the permission set of that user. While they could retrieve secrets for a project that the user is part of, they could not, however, decrypt secrets if the project follows Infisical’s default zero-knowledge architecture. In any case, it would be critical for the user to invalidate this token and change their password immediately to prevent further unintended actions and consequences.

Service token

This token category is provisioned by users for applications and infrastructure to perform secret operations against the Infisical API.

Each token is scoped to a project in Infisical and configurable with an expiration date and permission set (also known as scopes) for specific environment(s) and path(s) within them. For example, you may provision an application a service token to authenticate against the Infisical API and retrieve secrets from some /environment-variables path in the production environment of a project. If the token is tried for another project, environment, or path outside of its permission set, then it is rejected by the API.

It should also be noted that projects in Infisical can be configured to restrict service token access to specific IP addresses or CIDR ranges; this can be useful for limiting access to traffic coming from corporate networks.

In the event of compromise, an attacker could use a service token to access the secrets that it is provisioned for. It would be critical here for project administrator(s) to revoke the token immediately to prevent further unintended access to resources; it would also be advisable currently to transfer secrets to a new project where a new project key is created on the client-side.

Cryptography

Infisical uses AES-256-GCM for symmetric encryption and x25519-xsalsa20-poly1305 for asymmetric encryption operations; asymmetric algorithms are implemented with the TweetNaCl.js library which has been well-audited and recommended for use by cybersecurity firm Cure53. Lastly, the secure remote password (SRP) implementation uses jsrp package for user authentication.

By default, Infisical employs a zero-knowledge-first approach to securely storing and sharing secrets.

  • Each secret belongs to a project and is symmetrically encrypted by that project’s unique key. Each member of a project is shared a copy of the project key, encrypted under their public key, when they are first invited to join the project. Since these encryption operations occur on the client-side, the Infisical API is not able to view the value of any secret and the default zero-knowledge property of Infisical is retained; as you’d expect, it follows that decryption operations also occur on the client-side.
  • An exception to the zero-knowledge property occurs when a member of a project explicitly shares that project’s unique key with Infisical. It is often necessary to share the project key with Infisical in order to use features like native integrations and secret rotation that wouldn’t be possible to offer otherwise.

Infrastructure

High availability

Infisical Cloud utilizes several strategies to ensure high availability, leveraging AWS services to maintain continuous operation and data integrity.

Multi-AZ AWS RDS

Infisical Cloud uses AWS Relational Database Service (RDS) with Multi-AZ deployments. This configuration ensures that the database service is highly available and durable. AWS RDS automatically provisions and maintains a synchronous standby replica of the database in a different Availability Zone (AZ). This setup facilitates immediate failover to the standby in the event of an AZ failure, thereby ensuring that database operations can continue with minimal interruption. The continuous backup and replication to the standby instance safeguard data against loss and ensure its availability even during system failures.

Multi-AZ ECS for Container Orchestration

Infisical Cloud leverages Amazon Elastic Container Service (ECS) in a Multi-AZ configuration for container orchestration. This arrangement enables the management and operation of containers across multiple availability zones, increasing the application’s fault tolerance. Should there be an AZ failure, load is seamlessly sent to an operational AZ, thus minimizing downtime and preserving service availability.

Standby Regions for Regional Failover

To fight regional outages, secondary regions are always in standby mode and maintained with up-to-date configurations and data, ready to take over in case the primary region fails. The standby regions enable a rapid transition and service continuity with minimal disruption in the event of a complete regional failure, ensuring that Infisical Cloud services remain accessible.

Snapshots

A snapshot is a complete copy of data in the storage backend at a point in time.

If using Infisical Cloud, snapshots of MongoDB databases are taken regularly; this can be enabled on your own storage backend as well.

Offline usage

Many teams and organizations use the Infisical CLI to fetch and inject secrets back from Infisical into their applications and infrastructure locally; the CLI has offline fallback capabilities.

If you have previously retrieved secrets for a specific project and environment, the run/secret command will utilize the saved secrets, even when offline, on subsequent fetch attempts to ensure that you always have access to secrets.

Platform

Web application

Infisical utilizes the latest HTTP security headers and employs a strict Content-Security-Policy to mitigate XSS.

JWT tokens are stored in browser memory and appended to outbound requests requiring authentication; refresh tokens are stored in HttpOnly cookies and included in future requests to /api/token for JWT token renewal.

User authentication

Infisical supports several authentication methods including email/password, Google SSO, GitHub SSO, SAML 2.0 (Okta, Azure, JumpCloud), and OpenID Connect; Infisical also currently offers email-based 2FA with authenticator app methods coming in Q1 2024.

Infisical uses the secure remote password protocol, commonly found in other zero-knowledge platform architectures, for authentication. Put simply, the protocol enables Infisical to validate a user’s knowledge of their password without ever seeing it by constructing a mutual secret; we use this protocol because each user’s password is used to seed the generation of a master encryption/decryption key via KDF for that user which the platform should not see.

Lastly, Infisical enforces strong password requirements according to the guidance set forth in NIST Special Publication 800–63B. Since passwords in Infisical also has cryptographic implications, Infisical validates each password on client-side to meet minimum length and entropy requirements; Infisical also considers each password against the Have I Been Pwned (HIBP) API, which checks the password against around 700M breached passwords, in a privacy-preserving way.

Since Infisical’s unique zero-knowledge architecture requires a master decryption key for every user account, users with Google SSO, GitHub SSO, or SAML 2.0 enabled must still enter a secret after the authentication step to access their secrets in Infisical. In practice, this implies stronger security since users must successfully authenticate with a single sign-on provider and provide a master decryption key to access the platform.

We strongly encourage users to generate and store their passwords / master decryption key in a password manager, such as 1Password, Bitwarden, or Dashlane.

Role-based access control (RBAC)

Infisical’s RBAC feature enables organization owners and administrators to manage fine-grained access policies for members of their organization in Infisical; with RBAC, administrators can define custom roles with permission sets to be conveniently assigned to other members.

For example, you can define a role provisioning access to secrets in a specific project and environment in it with read-only permissions; the role can be assigned to members of an organization in Infisical.

Audit logging

Infisical’s audit logging feature spans 25+ events, tracking everything from permission changes to queries and mutations applied to secrets, for security and compliance teams at enterprises to monitor information access in the event of any suspicious activity or incident review. Every event is timestamped and information about actor, source (i.e. IP address, user-agent, etc.), and relevant metadata is included.

IP allowlisting

Infisical’s IP allowlisting feature can be configured to restrict client access to specific IP addresses or CIDR ranges. This applies to any client using service tokens and can be useful, for example, for limiting access to traffic coming from corporate networks.

By default, each project is initialized with the 0.0.0.0/0 entry, representing all possible IPv4 addresses. For enhanced security, we strongly recommend replacing the default entry with your client IPs to tighten access to your secrets.

Penetration testing

Infisical hires external third parties to perform regular security assessment and penetration testing of the platform.

Most recently, Infisical commissioned cybersecurity firm Oneleet to perform a full-coverage, gray box penetration test against the platform’s entire attack surface to identify vulnerabilities according to industry standards (OWASP, ASVS, WSTG, TOP-10, etc.).

Please email security@infisical.com to request any reports including a letter of attestation for the conducted penetration test.

Employee data access

Whether or not Infisical or your employees can access data in the Infisical instance and/or storage backend depends on many factors how you use Infisical:

  • Infisical Self-Hosted: Self-hosting Infisical is common amongst organizations that prefer to keep data on their own infrastructure usually to adhere to strict regulatory and compliance requirements. In this option, organizations retain full control over their data and therefore govern the data access policy of their Infisical instance and storage backend.
  • Infisical Cloud: Using Infisical’s managed service, Infisical Cloud means delegating data oversight and management to Infisical. Under our policy controls, employees are only granted access to parts of infrastructure according to principle of least privilege; this is especially relevant to customer data can only be accessed currently by executive management of Infisical. Moreover, any changes to sensitive customer data is prohibited without explicit customer approval.

It should be noted that, even on Infisical Cloud, it is physically impossible for employees of Infisical to view the values of secrets if users have not explicitly granted Infisical access to their project (i.e. opted out of zero-knowledge).

Please email security@infisical.com if you have any specific inquiries about employee data access policies.

Get in touch

If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.

Note that this security address should be used for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.