PostgreSQL is the authoritative datastore for all persistent data in Infisical. Every piece of long-lived state — secrets, users, configurations, audit history — is stored in PostgreSQL. It is the single source of truth for the entire platform.

What it stores

| Data | Description |
| --- | --- |
| Secrets | All secrets and their full version history |
| Identities & Users | User accounts, machine identities, and their credentials |
| Projects & Organizations | Project configurations, organization settings, and memberships |
| Access Control | Roles, permissions, and access policies |
| Audit Logs | Records of all actions taken within the platform |
| Integrations | Configuration for third-party integrations and sync targets |
| Certificates & PKI | Certificate authorities, certificates, and PKI configurations |
| Encryption Keys | Encrypted project keys used for secret encryption |

Supported modes

| Mode | Supported |
| --- | --- |
| Standalone (Single Instance) | Yes |
| Read Replicas (Streaming Replication) | Yes |

For multi-region deployments with read replicas, see the replication guide.

Configuration

Configure PostgreSQL connectivity by setting the following environment variables on your Infisical instance.
The database user must be granted all privileges on the Infisical database, including the ability to create schemas, tables, indexes, and perform all CRUD operations.
DB_CONNECTION_URI (string, required, default: "")
Postgres database connection string.

DB_ROOT_CERT (string, default: "")
Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. Use the following command to encode your certificate:

    echo "<certificate>" | base64

Many cloud providers provide a CA certificate for their data regions that you can use to secure your connection with SSL.

If you're hosting your database on AWS RDS, you can use their publicly available CA certificate as the database root certificate. You can find all the available CA certificates for AWS RDS on the official AWS RDS documentation. As an example, if your RDS cluster is hosted in us-east-1 (US East, N. Virginia), you can use the following root certificate: https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem.

Remember to base64 encode the certificate before setting it as the DB_ROOT_CERT environment variable:

    cat /path/to/certificate.pem | base64

DB_ROOT_CERT=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1 # .... (base64 encoded certificate)
DB_CONNECTION_URI=<rds-endpoint>?sslmode=verify-ca # or verify-full depending on your security policies
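
The two settings above can be prepared and checked before deployment. This is an added example, not part of the Infisical documentation or code base: the function names, the sample URI and the placeholder PEM are constructed. It strips the line wrapping that GNU base64 adds, verifies the round trip, and rejects a URI whose sslmode is not verify-ca or verify-full.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Infisical.

# Print a PEM CA bundle as single-line base64 for DB_ROOT_CERT.
encode_root_cert() {
  pem="$1"
  [ -s "$pem" ] || { echo "missing or empty file: $pem" >&2; return 1; }
  # A DER file or an HTML error page saved by mistake has no PEM header.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || {
    echo "no PEM certificate block in $pem" >&2; return 1; }
  # GNU base64 wraps at 76 columns; a wrapped value breaks a one-line env entry.
  enc=$(base64 < "$pem" | tr -d '\n')
  # Round trip: the decoded value must be byte-identical to the source file.
  printf '%s' "$enc" | base64 -d | cmp -s - "$pem" || {
    echo "round-trip mismatch for $pem" >&2; return 1; }
  printf '%s\n' "$enc"
}

# Print the sslmode parameter of a connection URI (empty if absent).
sslmode_of() {
  printf '%s\n' "$1" | sed -n 's/.*[?&]sslmode=\([^&]*\).*/\1/p'
}

# Succeed only for the two modes the page recommends.
check_sslmode() {
  case "$(sslmode_of "$1")" in
    verify-ca|verify-full) return 0 ;;
    *) echo "sslmode is not verify-ca or verify-full" >&2; return 1 ;;
  esac
}

# Write a constructed placeholder PEM (not a real certificate) for offline runs.
make_sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$1"
}

# Demo with constructed values only.
sample="${TMPDIR:-/tmp}/constructed-ca-$$.pem"
make_sample_pem "$sample"
printf 'DB_ROOT_CERT=%s\n' "$(encode_root_cert "$sample")"
check_sslmode 'postgres://app:pw@db.example.internal:5432/infisical?sslmode=verify-full' \
  && echo 'sslmode is verify-ca or verify-full'
rm -f "$sample"
```

In PostgreSQL's sslmode semantics, verify-ca checks that the server certificate chains to a trusted CA, and verify-full additionally checks that the host name in the URI matches the certificate.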

Impact of data loss

PostgreSQL data loss is critical and unrecoverable without a backup. Because PostgreSQL is the sole source of truth for all persistent state, losing this data means losing:
  • All secrets and their version history
  • User accounts, identities, and credentials
  • Project and organization configurations
  • Audit logs and compliance records
  • Integration settings and encryption keys
There is no way to reconstruct this data from other components. Redis caches are ephemeral and do not contain the full dataset.
Always maintain regular PostgreSQL backups and test your restore process. Without a working backup, PostgreSQL data loss is permanent.

Recommendations

  • Use a managed service (e.g., AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL) for automated backups, failover, and maintenance.
  • Enable point-in-time recovery (PITR) for granular restore capabilities.
  • Test restores regularly. A backup that has never been tested is not a backup.
  • High availability: Configure streaming replication with automatic failover to minimize downtime.
  • Version: Infisical supports PostgreSQL versions 14+, with version 16 being the most extensively tested.
For hardware sizing, see hardware requirements.