- You cannot make HTTP calls to Infisical to read/write secrets in plaintext.
- You cannot leverage non-E2EE features like native integrations and in-platform automations like dynamic secrets and secret rotation.
E2EE Disabled
Example read/write secrets without client-side encryption/decryption
E2EE Enabled
Example read/write secrets with client-side encryption/decryption
FAQ
Should I have E2EE enabled or disabled?
We recommend starting with having E2EE enabled and disabling it if:
- You’re self-hosting Infisical, so having your instance of Infisical be able to read your secrets isn’t an issue.
- You want an easier way to read/write secrets with Infisical.
- You need more power out of non-E2EE features such as secret rotation, dynamic secrets, etc.
How can I enable/disable E2EE?
You can enable/disable E2EE for your project in Infisical in the Project Settings.
Is disabling E2EE secure?
It is secure and in fact how most vendors in our industry are able to offer features like secret rotation. In this mode, secrets are encrypted at rest by a series of keys, secured ultimately by a top-level ROOT_ENCRYPTION_KEY located on the server.

If you’re concerned about Infisical Cloud’s ability to read your secrets, then you may wish to use it with E2EE enabled or self-host Infisical on your own infrastructure and disable E2EE there.

As an organization, we do not read any customer secrets without explicit permission; access to the ROOT_ENCRYPTION_KEY is restricted to one individual in the organization.
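
The answer above describes secrets encrypted at rest by a series of keys that end at a server-held root key. The following is an added example of that pattern (envelope encryption), not Infisical's own code: the AES-256-GCM choice, the two-level hierarchy and all function names are assumptions made for illustration. It shows why whoever holds the root key can recover plaintext, and that stored records are unreadable without it.

```javascript
// Added illustration of envelope encryption; NOT Infisical's implementation.
// Assumptions: AES-256-GCM, a two-level key hierarchy, hypothetical names.
const nodeCrypto = require("crypto");

// Encrypt `plaintext` (Buffer) under a 32-byte key; returns iv, tag, ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, tag: cipher.getAuthTag(), ct };
}

// Decrypt and authenticate; throws if the key is wrong or data was modified.
function unseal(key, { iv, tag, ct }) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Server-side write: a fresh data key encrypts the secret, and the root key
// wraps the data key. Only ciphertext and the wrapped key are stored.
function storeSecret(rootKey, value) {
  const dataKey = nodeCrypto.randomBytes(32);
  return {
    wrappedKey: seal(rootKey, dataKey),
    secret: seal(dataKey, Buffer.from(value, "utf8")),
  };
}

// Server-side read: unwrap the data key with the root key, then decrypt.
function readSecret(rootKey, record) {
  const dataKey = unseal(rootKey, record.wrappedKey);
  return unseal(dataKey, record.secret).toString("utf8");
}

// Constructed sample values, generated at run time.
const rootKey = nodeCrypto.randomBytes(32); // stands in for ROOT_ENCRYPTION_KEY
const record = storeSecret(rootKey, "db-password-example");
console.log(readSecret(rootKey, record)); // the root-key holder recovers plaintext
```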