Each project in Infisical can have End-to-End Encryption (E2EE) enabled or disabled. By default, all projects have E2EE enabled, which means the server cannot decrypt any values because all secret encryption and decryption happens on the client side. E2EE can optionally be disabled. Keeping it enabled, however, limits functionality and ease of use:
  • You cannot make HTTP calls to Infisical to read/write secrets in plaintext.
  • You cannot leverage non-E2EE features such as native integrations and in-platform automations like dynamic secrets and secret rotation.

FAQ

We recommend starting with having E2EE enabled and disabling it if:
  • You’re self-hosting Infisical, so having your instance of Infisical be able to read your secrets isn’t an issue.
  • You want an easier way to read/write secrets with Infisical.
  • You need more power out of non-E2EE features such as secret rotation, dynamic secrets, etc.
You can enable/disable E2EE for your project in Infisical in the Project Settings.
Running with E2EE disabled is secure and is in fact how most vendors in our industry are able to offer features like secret rotation. In this mode, secrets are encrypted at rest by a series of keys, secured ultimately by a top-level ROOT_ENCRYPTION_KEY located on the server.

If you’re concerned about Infisical Cloud’s ability to read your secrets, then you may wish to use it with E2EE enabled or self-host Infisical on your own infrastructure and disable E2EE there.

As an organization, we do not read any customer secrets without explicit permission; access to the ROOT_ENCRYPTION_KEY is restricted to one individual in the organization.
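
The trust difference between the two modes, as an added example that is not Infisical's own code. It assumes AES-256-GCM and a two-level hierarchy in which ROOT_ENCRYPTION_KEY wraps a single per-project key (the page only says "a series of keys"); every function name and the sample secret are hypothetical.

```javascript
// Added illustration, not Infisical's implementation. Algorithm choice and
// the two-level key hierarchy are assumptions; sample values are constructed.
const crypto = require("crypto");

// AES-256-GCM helpers. Blob layout: 12-byte IV || 16-byte tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// E2EE disabled: the server's root key wraps a project key, which encrypts
// the secret at rest. Whoever holds the root key can recover the plaintext.
function serverStore(rootKey, secret) {
  const projectKey = crypto.randomBytes(32);
  return { wrappedKey: seal(rootKey, projectKey),
           ciphertext: seal(projectKey, Buffer.from(secret)) };
}
function serverRead(rootKey, record) {
  const projectKey = unseal(rootKey, record.wrappedKey);
  return unseal(projectKey, record.ciphertext).toString();
}

// E2EE enabled: the client encrypts with a key the server never receives,
// so the server stores ciphertext that its own root key cannot open.
function clientStore(clientKey, secret) {
  return { ciphertext: seal(clientKey, Buffer.from(secret)) };
}
function serverCanRead(rootKey, record) {
  try { unseal(rootKey, record.ciphertext); return true; } catch { return false; }
}

function demo() {
  const ROOT_ENCRYPTION_KEY = crypto.randomBytes(32); // constructed sample key
  const clientKey = crypto.randomBytes(32);           // stays on the client
  const nonE2ee = serverStore(ROOT_ENCRYPTION_KEY, "db-password");
  const e2ee = clientStore(clientKey, "db-password");
  return {
    serverReadsNonE2ee: serverRead(ROOT_ENCRYPTION_KEY, nonE2ee),
    serverReadsE2ee: serverCanRead(ROOT_ENCRYPTION_KEY, e2ee),
    clientReadsE2ee: unseal(clientKey, e2ee.ciphertext).toString(),
  };
}
```

With E2EE disabled, the confidentiality of every stored secret reduces to how the root key is stored and who can reach it, which is why access to it is the control to audit.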