Security Azure

Infisical on Ubuntu 24.04 on Azure User Guide

| Product: Infisical on Ubuntu 24.04 LTS on Azure

Overview

Infisical is an open source secrets management platform, a self hosted alternative to HashiCorp Vault and Doppler. Teams use it to store, organise, share and version application secrets and configuration across organisations, projects and environments, with folders, secret referencing, a REST API, a CLI and SDKs, all managed through a modern web interface. The cloudimg image runs Infisical the officially supported way, as the upstream all in one container alongside a bundled PostgreSQL and Redis, orchestrated by Docker Compose under systemd and fronted by nginx. Every image is pinned by digest and captured into the VM, so your instance starts in seconds. Because Infisical is a secrets vault, security is enforced from first boot, before the port is reachable: a unique encryption key, JWT secret, database password and cache password are generated for each VM, and a unique super administrator is pre seeded so nobody can claim your instance before you sign in. Backed by 24/7 cloudimg support.

Infisical is a trademark of its respective owner. This image is produced by cloudimg and is not affiliated with, endorsed by, or sponsored by Infisical. It ships the free and open source MIT self hosted Community core, with the enterprise features in the ee directory locked because no license key is ever set.

The Infisical secrets management view for a project, showing secrets in the Development environment with values masked

What is included:

  • Infisical v0.162.9 (the free self hosted MIT Community core), pinned by image digest
  • A bundled PostgreSQL 16 database and a bundled Redis, both pinned by image digest and reachable only inside a private Docker network (never published to a host port)
  • Docker Engine (Docker CE) with Infisical published to the loopback interface only, fronted by nginx on port 80
  • infisical.service, infisical-firstboot.service and nginx.service as systemd units, enabled and active on boot
  • A unique KMS encryption key, JWT secret, database password, cache password and a pre seeded super administrator generated per VM on first boot, never baked into the image
  • A clean, empty instance on first boot: no default account, no shipped secret, no prior data, and open self registration disabled
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; increase the size for larger teams and heavier API traffic. NSG inbound: allow 22/tcp from your management network and 80/tcp (and 443/tcp once you add TLS) for the web interface. Infisical serves plain HTTP on port 80; for production, put it behind TLS with your own domain (see the final section).

Step 1 - Deploy from the Azure Marketplace

  1. In the Azure portal, choose Create a resource and search the Marketplace for the cloudimg Infisical offer.
  2. Select the plan, then Create.
  3. On the Basics tab pick your subscription, resource group and region, name the VM, and select Standard_B2s (or larger).
  4. Choose SSH public key authentication with admin username azureuser and provide your public key.
  5. On the Networking tab, allow inbound 22/tcp from your management network and 80/tcp for the web interface.
  6. Review and create. When the VM is running, note its public IP address.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group my-infisical-rg \
  --name infisical \
  --image cloudimg:infisical:default:latest \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Open the port the web interface needs (SSH is opened by default):

az vm open-port --resource-group my-infisical-rg --name infisical --port 80 --priority 900

Step 3 - Connect to your VM

Replace <vm-ip> with your VM's public IP address:

ssh azureuser@<vm-ip>

Step 4 - Confirm the services are running

Infisical, its bundled PostgreSQL and Redis, and nginx all come up automatically on first boot. Confirm they are active:

sudo systemctl is-active docker infisical nginx

Expected output:

active
active
active

The stack runs as three containers on a private Docker network. PostgreSQL and Redis are never published to a host port; only Infisical is published, and only to the loopback interface, with nginx in front on port 80.

systemctl reporting docker, infisical and nginx active, and the three containers running and healthy under Docker Compose

Step 5 - Secure by default: the super administrator is pre seeded

A fresh Infisical instance has no account, and the very first user to sign up becomes the instance super administrator. On a public server that is a risk: whoever reaches the sign up page first would own your instance and every secret in it. The cloudimg image closes this. On first boot, before the port is reachable, a unique super administrator is created with a per VM password, so the instance is already claimed. The same step marks the instance initialised, so a second attempt to bootstrap it is refused, and it disables open self registration, so nobody can create a new account without an invitation.

You can see the whole posture at a glance. The instance reports that it is initialised with sign up disabled, a second bootstrap attempt is refused, an anonymous API call is denied, and an attempt to self register is blocked:

The admin config reports initialized true and allowSignUp false, a second bootstrap returns HTTP 400, an anonymous API call returns HTTP 401, and a self registration attempt returns HTTP 403

You can confirm the lockdown yourself. A second attempt to bootstrap the instance is refused because it is already set up:

curl -s -o /dev/null -w 'HTTP %{http_code}\n' \
  -X POST http://127.0.0.1/api/v1/admin/bootstrap \
  -H 'Content-Type: application/json' \
  -d '{"email":"someone@example.com","password":"whatever","organization":"x"}'

A healthy, locked down instance returns HTTP 400.

Read your unique credentials (they are written to a root only file):

sudo cat /root/infisical-credentials.txt

The file holds the instance URL, the admin email (admin@infisical.local) and the per VM admin password. Keep it safe.

The per VM access notes, with the instance URL, admin email and the admin password and identity token masked

Step 6 - Sign in to Infisical

Open http://<vm-ip>/ in your browser. You are met with the Infisical login screen: there is no anonymous access. Sign in with the admin email and the password from the credentials file.

The Infisical login screen: nothing is accessible until you sign in with the per VM admin email and password

Step 7 - Explore the organization

After signing in you land on the organization overview, your security toolkit home. Secrets Management is where your projects live; the sidebar also gives you Access Control, Audit Logs and settings. The badge shows this is the free self hosted edition running the version pinned into your image.

The Infisical organization overview showing Secrets Management, Certificate Manager, KMS and Secret Scanning

Step 8 - Manage secrets in a project

Open Secrets Management and create a project, then open it to reach the secrets view. A project groups secrets by environment (Development, Staging, Production by default) and by folder path. Add a secret with Add Secret, or import a whole .env file at once. Values are stored encrypted and shown masked until you choose to reveal them; your apps and pipelines then pull them through the Infisical CLI, API or SDKs instead of hard coding them.

A project's Development environment listing several secrets with their values masked

Step 9 - Control who has access

Each project has its own Access Control, where you manage users, machine identities, groups, service tokens and roles. Because open self registration is disabled on this instance, people join by invitation only, and you assign each of them a project role. Machine identities give your applications and CI pipelines their own scoped, revocable credentials.

The project Access Control page listing the pre seeded admin user with the Admin role

Step 10 - Check the stack health from the command line

Infisical exposes an unauthenticated liveness endpoint that reports whether the instance is up and its cache is reachable. It is handy for monitoring:

curl -s http://127.0.0.1/api/status

Expected output (a healthy stack) reports "message": "Ok" along with the instance configuration, for example that Redis is configured:

The public status endpoint reporting message Ok with Redis configured

Step 11 - Invite your team and configure email

Because open self registration is disabled, add colleagues by invitation from Organization Settings, Members while signed in as the administrator. To send email invitations and enable multi factor authentication, configure SMTP: set the SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD and SMTP_FROM_ADDRESS values in /etc/infisical/infisical.env and restart the stack with sudo systemctl restart infisical. See the Infisical documentation for the full list of SMTP settings.

Step 12 - Production: your own domain with TLS

Infisical serves plain HTTP on port 80. For production, point a DNS record at the VM, put Infisical behind TLS, and set the site URL to your https domain so links and cookies use the right origin. A common approach is to add a certificate to nginx with Certbot:

sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d secrets.example.com

Then edit SITE_URL in /etc/infisical/infisical.env to https://secrets.example.com, set HTTPS_ENABLED=true, and restart the stack with sudo systemctl restart infisical. See the Infisical documentation for the full production checklist.

Support

Every cloudimg image includes 24/7 support. If you have any questions about deploying or operating Infisical on Azure, contact the cloudimg team through the Azure Marketplace listing or at www.cloudimg.co.uk.