# Infisical Secret Management
OpticWorks uses Infisical for centralized secret management across all projects and environments. This guide covers how to access, use, and manage secrets.
## What is Infisical?
Infisical is a secret management platform that provides:
- Centralized secrets storage - One place for all credentials
- Environment separation - Dev, staging, production secrets
- Access control - Role-based permissions per project
- Audit logging - Track who accessed what and when
- Secret rotation - Automatic credential rotation
- CLI & SDK integration - Easy local development
## Getting Access
### New Employee Setup
- You’ll receive an Infisical invite to your @optic.works email
- Create your account at app.infisical.com
- Enable 2FA (required)
- Request project access from your team lead
### Access Levels
| Role | Permissions |
|---|---|
| Viewer | Read secrets (most engineers) |
| Developer | Read + update non-production |
| Admin | Full access including production |
| Owner | Project settings and member management |
## Projects Overview
| Project | Description | Who Has Access |
|---|---|---|
| opticworks-store | Store backend secrets | Web team |
| hardwareos | Firmware signing keys | Hardware team |
| presence-engine | Home Assistant test credentials | OSS team |
| infrastructure | Hetzner, Cloudflare API keys | Platform team |
## Using Infisical
### Web Dashboard
Access at: app.infisical.com
- Select your project
- Choose environment (Development, Staging, Production)
- View/edit secrets
- Copy values or download as `.env`
### CLI Installation
```bash
# macOS
brew install infisical/get-cli/infisical

# Linux
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
sudo apt-get update && sudo apt-get install -y infisical

# Verify installation
infisical --version
```
### CLI Login
```bash
# Login with browser (recommended)
infisical login

# Login with service token (for CI/CD)
export INFISICAL_TOKEN="st.xxx..."
```
### Fetching Secrets
```bash
# Navigate to project directory
cd ~/workspace/opticworks-store

# Initialize Infisical for this project
infisical init

# Run command with secrets injected
infisical run -- npm run dev

# Export secrets to .env file (for development only)
infisical export --env=dev > .env.local
```
### Common Commands
```bash
# List all secrets in current environment
infisical secrets

# Get a specific secret
infisical secrets get DATABASE_URL

# Set a secret (requires write access)
infisical secrets set API_KEY=new-value

# Switch environments
infisical secrets --env=staging

# Run with specific environment
infisical run --env=production -- node script.js
```
## Project Setup
### Linking a Repository
- Navigate to your project directory
- Run `infisical init`
- Select your workspace and project
- Choose default environment
This creates `.infisical.json`:
```json
{
  "workspaceId": "abc123...",
  "defaultEnvironment": "dev",
  "gitBranchToEnvironmentMapping": {
    "main": "prod",
    "develop": "staging",
    "*": "dev"
  }
}
```
### .gitignore
Ensure these are in your `.gitignore`:
```
# Infisical
.env
.env.local
.env.*.local
.infisical.json
```
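The two files above work together: `.infisical.json` decides which environment a branch pulls secrets from, and `.gitignore` keeps that file and any exported `.env` out of the repository. The following pre-run check is an added example, not code from OpticWorks or from the Infisical project. It parses the guide's sample `.infisical.json`, resolves the environment for a branch name (exact names win, then the most specific glob, with `*` as the catch-all; that precedence rule is an assumption, not documented CLI behaviour), and reports any required `.gitignore` entry that is missing. The `.gitignore` contents it checks are constructed.

```python
"""Pre-run check for a repository linked to Infisical.

Added example, not OpticWorks or Infisical code. It resolves which environment
the current git branch maps to via gitBranchToEnvironmentMapping and confirms
the .gitignore covers every file the guide says must never be committed.
The precedence rule for overlapping globs is this example's assumption.
"""
import fnmatch
import json
from typing import Dict, List

# Constructed copy of the .infisical.json shown in the guide.
INFISICAL_JSON = """{
  "workspaceId": "abc123...",
  "defaultEnvironment": "dev",
  "gitBranchToEnvironmentMapping": {
    "main": "prod",
    "develop": "staging",
    "*": "dev"
  }
}"""

# Entries the guide's .gitignore section requires.
REQUIRED_IGNORES = [".env", ".env.local", ".env.*.local", ".infisical.json"]


def resolve_environment(config_text: str, branch: str) -> str:
    """Map a git branch to an Infisical environment.

    An exact branch name wins over globs; among matching globs the longest
    (most specific) wins, so "*" is only reached as the fallback. If nothing
    matches, defaultEnvironment applies.
    """
    cfg = json.loads(config_text)
    mapping = cfg.get("gitBranchToEnvironmentMapping", {})
    if branch in mapping:
        return mapping[branch]
    globs = [p for p in mapping if fnmatch.fnmatchcase(branch, p)]
    if globs:
        return mapping[max(globs, key=len)]
    return cfg["defaultEnvironment"]


def missing_ignores(gitignore_text: str) -> List[str]:
    """Return required patterns absent from a .gitignore body.

    Comments and blank lines are skipped, and a pattern only counts when it
    appears as its own line, so ".env" alone does not cover ".env.local".
    """
    present = {
        line.strip()
        for line in gitignore_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return [p for p in REQUIRED_IGNORES if p not in present]


def preflight(config_text: str, gitignore_text: str, branch: str) -> Dict[str, object]:
    """Run both checks; 'ok' is False whenever an ignore entry is missing."""
    missing = missing_ignores(gitignore_text)
    return {
        "environment": resolve_environment(config_text, branch),
        "missing_ignores": missing,
        "ok": not missing,
    }


if __name__ == "__main__":
    # Constructed .gitignore that forgot the .env.*.local entry.
    sample_gitignore = "# Infisical\n.env\n.env.local\n.infisical.json\nnode_modules/\n"
    for branch in ("main", "develop", "feature/new-checkout"):
        print(branch, "->", preflight(INFISICAL_JSON, sample_gitignore, branch))
```

Wiring `preflight` into a pre-commit or pre-push hook turns the `.gitignore` rule above from a convention into a check that fails before an exported `.env.local` can reach the remote.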
## Environment Workflow
### Development
```bash
# Fetch dev secrets and run locally
infisical run --env=dev -- npm run dev
```
### Staging
```bash
# Test with staging secrets
infisical run --env=staging -- npm run test:integration
```
### Production
Production secrets require elevated access:
```bash
# Only available to admins
infisical run --env=prod -- node scripts/migrate.js
```
## CI/CD Integration
### GitHub Actions
Add the Infisical service token as a GitHub secret:
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Infisical CLI
        run: |
          curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
          sudo apt-get install -y infisical

      - name: Deploy with secrets
        env:
          INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
        run: |
          infisical run --env=prod -- ./deploy.sh
```
### Service Tokens
Create machine identity tokens for CI/CD:
- Go to Project Settings → Machine Identities
- Create new identity for the environment
- Copy the token
- Add to GitHub Secrets as `INFISICAL_TOKEN`
## Secret Organization
### Naming Conventions
| Pattern | Example | Usage |
|---|---|---|
| SERVICE_CREDENTIAL | STRIPE_SECRET_KEY | Third-party API keys |
| DATABASE_* | DATABASE_URL | Database connections |
| REDIS_* | REDIS_URL | Cache connections |
| *_WEBHOOK_SECRET | STRIPE_WEBHOOK_SECRET | Webhook verification |
| FEATURE_* | FEATURE_NEW_CHECKOUT | Feature flags |
### Folder Structure
Organize secrets by category:
```
project-secrets/
├── database/
│   ├── DATABASE_URL
│   └── DATABASE_POOL_SIZE
├── redis/
│   └── REDIS_URL
├── stripe/
│   ├── STRIPE_SECRET_KEY
│   └── STRIPE_WEBHOOK_SECRET
├── easypost/
│   ├── EASYPOST_API_KEY
│   └── EASYPOST_WEBHOOK_SECRET
└── internal/
    ├── JWT_SECRET
    └── COOKIE_SECRET
```
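A linter that applies the naming conventions table and the folder structure above, as an added example (not OpticWorks or Infisical code): it checks that a proposed secret name is `UPPER_SNAKE_CASE`, reports which convention row it satisfies, and suggests the folder from the tree. The `SERVICE_CREDENTIAL` row is a shape rather than a glob, so the credential suffixes it accepts (`SECRET_KEY`, `API_KEY`, `SECRET`, `TOKEN`) and the `internal/` fallback for unknown prefixes are this example's assumptions.

```python
"""Secret-name linter for the naming conventions and folder structure above.

Added example, not OpticWorks or Infisical code. The credential suffixes
accepted for the SERVICE_CREDENTIAL row and the internal/ fallback folder
are assumptions made for this example.
"""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

UPPER_SNAKE = re.compile(r"^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*$")

# Glob rows from the naming conventions table, most specific first so that
# STRIPE_WEBHOOK_SECRET is reported as *_WEBHOOK_SECRET rather than as a
# generic service credential.
GLOB_CONVENTIONS = ["DATABASE_*", "REDIS_*", "*_WEBHOOK_SECRET", "FEATURE_*"]

# Assumed credential suffixes for the SERVICE_CREDENTIAL row (e.g. STRIPE_SECRET_KEY).
CREDENTIAL_WORDS = {"SECRET_KEY", "API_KEY", "SECRET", "TOKEN"}

# First token -> folder, read off the folder-structure tree.
FOLDERS = {"DATABASE": "database/", "REDIS": "redis/",
           "STRIPE": "stripe/", "EASYPOST": "easypost/"}


def classify(name: str) -> Optional[str]:
    """Return the convention row a name satisfies, or None if it matches none."""
    for pattern in GLOB_CONVENTIONS:
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    service, _, credential = name.partition("_")
    if service and credential in CREDENTIAL_WORDS:
        return "SERVICE_CREDENTIAL"
    return None


def suggest_folder(name: str) -> str:
    """Folder from the tree for known prefixes; internal/ otherwise (assumption)."""
    return FOLDERS.get(name.split("_", 1)[0], "internal/")


def lint(names: List[str]) -> Dict[str, Tuple[Optional[str], str, List[str]]]:
    """Return {name: (convention, suggested folder, problems)} for every name."""
    report = {}
    for name in names:
        problems = []
        if not UPPER_SNAKE.match(name):
            problems.append("not UPPER_SNAKE_CASE")
        convention = classify(name)
        if convention is None:
            problems.append("matches no naming convention")
        report[name] = (convention, suggest_folder(name), problems)
    return report


if __name__ == "__main__":
    # Constructed mix of conforming and non-conforming names.
    sample = ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET", "DATABASE_URL",
              "FEATURE_NEW_CHECKOUT", "JWT_SECRET", "stripeKey", "SENDGRID_PASSWORD"]
    for name, result in lint(sample).items():
        print(name, result)
```

Running the linter over the output of `infisical secrets` in each environment is a cheap way to catch names that drifted from the convention before they spread across services.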
## Secret Rotation
### Automatic Rotation
Some secrets are rotated automatically:
| Secret | Rotation Period | Method |
|---|---|---|
| Database passwords | 90 days | Automatic |
| API keys | On-demand | Manual trigger |
| JWT secrets | 30 days | Automatic |
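The table gives a period for the automatic rows and none for API keys. An added example (not OpticWorks or Infisical code) that turns it into a due-date report: given a constructed inventory of secret names and last-rotation dates, it computes whether each is on schedule, due soon, overdue, or on-demand. Mapping a name to a table row is an assumption made here (`DATABASE_*` holds the database password, `JWT_SECRET` is the JWT secret, everything else is treated as an on-demand API key), as is the seven-day "due soon" window.

```python
"""Rotation-due report based on the automatic rotation table.

Added example, not OpticWorks or Infisical code. The inventory and its
last-rotated dates are constructed; the name-to-row mapping and the
due-soon window are assumptions. Dates are ISO-8601 strings.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

# Rotation period in days per table row; None means on-demand (manual trigger).
ROTATION_DAYS: Dict[str, Optional[int]] = {
    "database-password": 90,
    "jwt-secret": 30,
    "api-key": None,
}
WARN_WITHIN_DAYS = 7  # assumption: flag secrets due within a week


def secret_class(name: str) -> str:
    """Assumed mapping from secret name to a row of the rotation table."""
    if name.startswith("DATABASE_"):
        return "database-password"
    if name == "JWT_SECRET":
        return "jwt-secret"
    return "api-key"


def rotation_status(name: str, last_rotated: str, today: str) -> Dict[str, object]:
    """Classify one secret as ok, due-soon, overdue or on-demand."""
    cls = secret_class(name)
    period = ROTATION_DAYS[cls]
    if period is None:
        return {"name": name, "class": cls, "status": "on-demand",
                "days_overdue": None, "due": None}
    due = date.fromisoformat(last_rotated) + timedelta(days=period)
    days_overdue = (date.fromisoformat(today) - due).days
    if days_overdue > 0:
        status = "overdue"
    elif days_overdue >= -WARN_WITHIN_DAYS:
        status = "due-soon"
    else:
        status = "ok"
    return {"name": name, "class": cls, "status": status,
            "days_overdue": days_overdue, "due": due.isoformat()}


def overdue_report(inventory: Dict[str, str], today: str) -> List[str]:
    """Names of overdue secrets, most overdue first."""
    rows = [rotation_status(n, d, today) for n, d in inventory.items()]
    overdue = [r for r in rows if r["status"] == "overdue"]
    overdue.sort(key=lambda r: r["days_overdue"], reverse=True)
    return [r["name"] for r in overdue]


if __name__ == "__main__":
    # Constructed inventory: name -> last rotation date.
    inventory = {
        "DATABASE_URL": "2024-01-01",
        "JWT_SECRET": "2024-05-15",
        "COOKIE_SECRET": "2024-05-20",
        "STRIPE_SECRET_KEY": "2023-01-01",
    }
    for name, last in inventory.items():
        print(rotation_status(name, last, "2024-06-01"))
    print("overdue:", overdue_report(inventory, "2024-06-01"))
```

The on-demand rows are the ones that need a human: they never show up as overdue, so a periodic review of their last-rotation dates is the only thing that catches a Stripe or EasyPost key that has quietly outlived its owner.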
### Manual Rotation
For third-party services:
- Generate new key in service dashboard (Stripe, EasyPost, etc.)
- Update secret in Infisical (all environments)
- Deploy changes
- Revoke old key in service dashboard
## Access Audit
### Viewing Audit Logs
- Go to Project → Audit Logs
- Filter by user, secret, or date
- Export for compliance if needed
### What’s Logged
- Secret reads (who, when, which environment)
- Secret updates (old hash, new hash)
- Permission changes
- Login attempts
## Security Best Practices
Do:
- Use `infisical run` instead of exporting to `.env`
- Use environment-specific secrets
- Rotate secrets when team members leave
- Use service tokens for CI/CD (not personal tokens)
- Enable 2FA on your account

Don’t:
- Commit `.env` files to git
- Share secrets via Slack/email
- Use production secrets locally
- Store secrets in code comments
- Use the same secret across environments
## Troubleshooting
### “Secret not found”
```bash
# Check you're in the right environment
infisical secrets --env=dev

# Verify project initialization
cat .infisical.json
```
### “Permission denied”
- Verify your role in the project
- Request access from project admin
- Re-login: `infisical login`
### “Token expired”
```bash
# Re-authenticate
infisical login

# For CI/CD, generate new service token
```
### Syncing Issues
```bash
# Force refresh secrets
infisical secrets --force-refresh
```
## Emergency Procedures
### Compromised Secret
- Rotate immediately in Infisical
- Deploy affected services
- Revoke old credential in third-party service
- Notify #security channel
- Document in incident log
### Lost Access
- Contact Platform team in #platform
- Provide your @optic.works email
- Access will be restored within 1 hour