Infisical
The open-source secrets manager - projects, versioning, machine identities - without per-identity pricing.
One-click deploy, from $25/mo on a Miget plan.
Secrets sprawl is how incidents start: API keys in CI variables, .envs in Slack, tokens nobody rotated. Infisical is the open-source consolidation point - projects with environments, versioned secrets with point-in-time recovery, references, dynamic secrets, and machine identities for non-human consumers.
The pricing landscape makes self-hosting pointed: Infisical Cloud Pro is $18 per identity per month and machines count as identities - a dozen services and runners is real money. HashiCorp’s hosted Vault runs four figures for production. This stack is $25 flat: stateless container, managed Postgres, noeviction Valkey, auto-migrations.
And the consumers are already in your project: inject secrets into the CI runner templates, agents, and apps via the CLI, SDKs, or machine-identity auth - with audit and rotation instead of copy-paste.
Upstream project: Infisical
#what you get
- Projects, environments, secret versioning + point-in-time recovery
- Secret references, dynamic secrets, rotation
- Machine identities for services, CI, and agents
- Integrations: K8s operator, CI, Terraform, SDKs, CLI
- Stateless on managed Postgres; migrations on start
- MIT core (enterprise dirs licensed separately upstream)
#topology
| Service | Role | Public |
|---|---|---|
| infisical | app + API (:5000) | yes |
| broker / db | noeviction Valkey / managed Postgres | no |
#miget sizing
// this stack needs
2.8 GiB RAM · 5 GB disk · 3 services
The Node app wants ~1-1.5 GiB; everything durable is in the managed Postgres. SMTP is optional (invite/MFA emails).
Hobby - recommended fit
$25/mo
2 vCPU · 4 GiB · 80 GiB disk
Headroom for your own apps: 8 GiB at $49/mo
Professional - production
$43/mo
2 vCPU · 4 GiB · 25 GiB disk
Dedicated resources, production SLOs - plan details
One Miget plan is a fixed pool of compute - the whole stack (managed databases included) deploys inside it, and anything left over runs your other apps. No per-service or per-seat math.
#vs. the managed service
What the hosted equivalents charge, against the flat Miget plan this stack fits on. Prices as of June 2026, sources linked.
| Service | Plan | Monthly | What you get |
|---|---|---|---|
| Infisical on Miget ★ | 4 GiB plan | $25 | this whole stack, flat - no usage meters, and room left for your own apps |
| Infisical Cloud | Pro | ~$18 | per identity/mo - and machines count as identities |
| HCP Vault | Standard (small) | ~$1152 | ~$1.58/hr + ~$112 per client/mo; the $22/mo dev tier has no SLA |
#vs. other PaaS
Estimated monthly cost of running this exact stack (2.8 GiB RAM, 5 GB disk, 3 containers) elsewhere, from published June 2026 rates.
| Platform | Est. monthly | Notes |
|---|---|---|
| Miget ★ | $25 flat | compose stacks first-class: one deploy, dedicated vCPU, managed Postgres/Valkey, volumes and TLS all included in the plan |
| Heroku | ~$138 | no volumes; nothing between 1 GB ($50) and 2.5 GB ($250) dynos - 2 GB containers cost far more than shown |
| DO App Platform | ~$38 | no persistent volumes - stateful containers need managed DBs/Spaces (base $5 Spaces included here) |
| Render | ~$36 | per-service instances (0.5 GB $7, 2 GB $25) - every container is its own paid service |
| Railway | ~$28 | usage-based ($10/GB RAM-mo); vCPU billed separately at $20/vCPU-mo on top |
| Fly.io | ~$17 | cheapest sticker price - but burstable shared CPUs (1/16 core; dedicated vCPUs cost ~2-3×), no compose deploys (one app per container, manual wiring), managed DBs billed extra |
Estimates assume RAM fully allocated at published on-demand rates - and sticker price isn't the whole comparison: the cheaper rows buy burstable shared CPUs, per-service wiring instead of a compose deploy, and managed databases billed separately. Heroku and DO App Platform have no persistent volumes at all - stateful stacks like this one need workarounds there.
#deploy it
On Miget
- Create a Compose Stack in app.miget.com pointing at the templates repository
- Set the stack path to
infisical -
Set the required variables:
ENCRYPTION_KEY / AUTH_SECRET / REDIS_AUTH, core secrets (openssl one-liners)SITE_URL, the app’s https domain after first deploy
- Deploy. Miget layers
compose.miget.yaml(RAM, privacy, volumes, managed services) automatically
Locally first?
Every template is portable, vanilla Docker Compose - the Miget overrides are ignored locally:
git clone https://github.com/deployable-sh/stacks
cd miget-compose-templates/infisical
docker compose up -dSame files, same behavior. The template README covers connection strings and scaling notes.
#faq
How does the cost compare to Infisical Cloud or Vault?
Cloud Pro is $18/identity/month with machines counted - 10 services + 5 humans is $270/month. HCP Vault’s production tier starts around $1,150/month plus per-client fees. This stack is $25 flat with identities uncounted.
How do my deployments consume secrets?
Machine identities + the CLI/SDKs: a service authenticates and pulls its environment at boot or build. The CI runner templates in this catalogue pair naturally - runners fetch fresh secrets per job instead of storing them in forge settings.
Infisical or just platform env vars?
Env vars are fine until you need rotation, versioning, audit, sharing across stacks, or secrets for machines outside the platform. Infisical adds that layer - and writes back to env-var systems via integrations where that remains the delivery mechanism.
Ship Infisical today
One compose stack, 2.8 GiB of RAM, from $25/month flat, and it runs on your laptop with the same files.