Infisical on Ubuntu 24.04 on Azure User Guide
Overview
Infisical is an open source secrets management platform, a self hosted alternative to HashiCorp Vault and Doppler. Teams use it to store, organise, share and version application secrets and configuration across organisations, projects and environments, with folders, secret referencing, a REST API, a CLI and SDKs, all managed through a modern web interface. The cloudimg image runs Infisical the officially supported way, as the upstream all in one container alongside a bundled PostgreSQL and Redis, orchestrated by Docker Compose under systemd and fronted by nginx. Every image is pinned by digest and captured into the VM, so your instance starts in seconds. Because Infisical is a secrets vault, security is enforced from first boot, before the port is reachable: a unique encryption key, JWT secret, database password and cache password are generated for each VM, and a unique super administrator is pre seeded so nobody can claim your instance before you sign in. Backed by 24/7 cloudimg support.
Infisical is a trademark of its respective owner. This image is produced by cloudimg and is not affiliated with, endorsed by, or sponsored by Infisical. It ships the free and open source MIT self hosted Community core, with the enterprise features in the ee directory locked because no license key is ever set.

What is included:
- Infisical v0.162.9 (the free self hosted MIT Community core), pinned by image digest
- A bundled PostgreSQL 16 database and a bundled Redis, both pinned by image digest and reachable only inside a private Docker network (never published to a host port)
- Docker Engine (Docker CE) with Infisical published to the loopback interface only, fronted by nginx on port
80 infisical.service,infisical-firstboot.serviceandnginx.serviceas systemd units, enabled and active on boot- A unique KMS encryption key, JWT secret, database password, cache password and a pre seeded super administrator generated per VM on first boot, never baked into the image
- A clean, empty instance on first boot: no default account, no shipped secret, no prior data, and open self registration disabled
- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; increase the size for larger teams and heavier API traffic. NSG inbound: allow 22/tcp from your management network and 80/tcp (and 443/tcp once you add TLS) for the web interface. Infisical serves plain HTTP on port 80; for production, put it behind TLS with your own domain (see the final section).
Step 1 - Deploy from the Azure Marketplace
- In the Azure portal, choose Create a resource and search the Marketplace for the cloudimg Infisical offer.
- Select the plan, then Create.
- On the Basics tab pick your subscription, resource group and region, name the VM, and select Standard_B2s (or larger).
- Choose SSH public key authentication with admin username
azureuserand provide your public key. - On the Networking tab, allow inbound
22/tcpfrom your management network and80/tcpfor the web interface. - Review and create. When the VM is running, note its public IP address.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group my-infisical-rg \
--name infisical \
--image cloudimg:infisical:default:latest \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Open the port the web interface needs (SSH is opened by default):
az vm open-port --resource-group my-infisical-rg --name infisical --port 80 --priority 900
Step 3 - Connect to your VM
Replace <vm-ip> with your VM's public IP address:
ssh azureuser@<vm-ip>
Step 4 - Confirm the services are running
Infisical, its bundled PostgreSQL and Redis, and nginx all come up automatically on first boot. Confirm they are active:
sudo systemctl is-active docker infisical nginx
Expected output:
active
active
active
The stack runs as three containers on a private Docker network. PostgreSQL and Redis are never published to a host port; only Infisical is published, and only to the loopback interface, with nginx in front on port 80.

Step 5 - Secure by default: the super administrator is pre seeded
A fresh Infisical instance has no account, and the very first user to sign up becomes the instance super administrator. On a public server that is a risk: whoever reaches the sign up page first would own your instance and every secret in it. The cloudimg image closes this. On first boot, before the port is reachable, a unique super administrator is created with a per VM password, so the instance is already claimed. The same step marks the instance initialised, so a second attempt to bootstrap it is refused, and it disables open self registration, so nobody can create a new account without an invitation.
You can see the whole posture at a glance. The instance reports that it is initialised with sign up disabled, a second bootstrap attempt is refused, an anonymous API call is denied, and an attempt to self register is blocked:

You can confirm the lockdown yourself. A second attempt to bootstrap the instance is refused because it is already set up:
curl -s -o /dev/null -w 'HTTP %{http_code}\n' \
-X POST http://127.0.0.1/api/v1/admin/bootstrap \
-H 'Content-Type: application/json' \
-d '{"email":"someone@example.com","password":"whatever","organization":"x"}'
A healthy, locked down instance returns HTTP 400.
Read your unique credentials (they are written to a root only file):
sudo cat /root/infisical-credentials.txt
The file holds the instance URL, the admin email (admin@infisical.local) and the per VM admin password. Keep it safe.

Step 6 - Sign in to Infisical
Open http://<vm-ip>/ in your browser. You are met with the Infisical login screen: there is no anonymous access. Sign in with the admin email and the password from the credentials file.

Step 7 - Explore the organization
After signing in you land on the organization overview, your security toolkit home. Secrets Management is where your projects live; the sidebar also gives you Access Control, Audit Logs and settings. The badge shows this is the free self hosted edition running the version pinned into your image.

Step 8 - Manage secrets in a project
Open Secrets Management and create a project, then open it to reach the secrets view. A project groups secrets by environment (Development, Staging, Production by default) and by folder path. Add a secret with Add Secret, or import a whole .env file at once. Values are stored encrypted and shown masked until you choose to reveal them; your apps and pipelines then pull them through the Infisical CLI, API or SDKs instead of hard coding them.

Step 9 - Control who has access
Each project has its own Access Control, where you manage users, machine identities, groups, service tokens and roles. Because open self registration is disabled on this instance, people join by invitation only, and you assign each of them a project role. Machine identities give your applications and CI pipelines their own scoped, revocable credentials.

Step 10 - Check the stack health from the command line
Infisical exposes an unauthenticated liveness endpoint that reports whether the instance is up and its cache is reachable. It is handy for monitoring:
curl -s http://127.0.0.1/api/status
Expected output (a healthy stack) reports "message": "Ok" along with the instance configuration, for example that Redis is configured:

Step 11 - Invite your team and configure email
Because open self registration is disabled, add colleagues by invitation from Organization Settings, Members while signed in as the administrator. To send email invitations and enable multi factor authentication, configure SMTP: set the SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD and SMTP_FROM_ADDRESS values in /etc/infisical/infisical.env and restart the stack with sudo systemctl restart infisical. See the Infisical documentation for the full list of SMTP settings.
Step 12 - Production: your own domain with TLS
Infisical serves plain HTTP on port 80. For production, point a DNS record at the VM, put Infisical behind TLS, and set the site URL to your https domain so links and cookies use the right origin. A common approach is to add a certificate to nginx with Certbot:
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d secrets.example.com
Then edit SITE_URL in /etc/infisical/infisical.env to https://secrets.example.com, set HTTPS_ENABLED=true, and restart the stack with sudo systemctl restart infisical. See the Infisical documentation for the full production checklist.
Support
Every cloudimg image includes 24/7 support. If you have any questions about deploying or operating Infisical on Azure, contact the cloudimg team through the Azure Marketplace listing or at www.cloudimg.co.uk.