Overview

About this video

What You'll Learn

  1. Organize secrets by project and environment, with inheritance across dev, staging, and production.
  2. Use folders to group sensitive secrets, then apply RBAC and approvals per folder.
  3. Scan code for hard-coded secrets and self-host Infisical with the Kubernetes operator.

Vlad Matsiiako gives a hands-on tour of Infisical, the open-source secrets manager: projects, environments and folders, RBAC and approval policies, versioning and audit logs, the Kubernetes operator and agent sidecar, secret scanning, and self-hosting.

Chapters


  1. 1:48 Introduction and Guest Welcome
  2. 3:49 The Problem of Secrets Management
  3. 5:30 Infisical's Approach: Security Shift Left
  4. 8:25 The Origin of the Name "Infisical"
  5. 9:21 Starting the Hands-on Demo
  6. 9:45 Project Overview and Environments
  7. 12:02 Managing Secrets: Referencing Values
  8. 14:04 Metadata: Tags and Comments
  9. 14:48 Secret Overrides
  10. 16:15 Versioning and Point-in-Time Recovery
  11. 17:07 Audit Logs for Visibility
  12. 18:31 Organizing Secrets with Folders
  13. 20:59 Access Controls and Permissions
  14. 21:10 Secret Approval Policies
  15. 30:19 Temporary Access (Upcoming Feature)
  16. 32:53 Release Schedule
  17. 35:13 Accessing Secrets: Cloud & Developer Tool Integrations
  18. 40:00 Accessing Secrets: Infrastructure Integrations
  19. 41:02 Infisical Agent (Sidecar Rendering)
  20. 43:08 Secret Scanning
  21. 45:01 Open Source and Self-Hosting
  22. 46:39 Encryption and Security Posture
  23. 48:20 Future Roadmap and Upcoming Features
  24. 48:31 Future: Bidirectional Integrations
  25. 49:39 Future: Enhanced Authentication Methods
  26. 50:33 Future: Secret Sharing Functionality
  27. 51:27 Conclusion and Call to Action

Transcript

Full transcript

Generated from the English captions.


1:48 Introduction and Guest Welcome

1:48 Hello and welcome back to the Rawkode Academy. I'm your host David Flanagan, also known across the Internet as Rawkode. Today is another episode of Rawkode Live, where we take a look at open source software within the cloud native DevOps cloud world and try to help you solve some challenges with interesting software. Today is no exception. We're tackling the wonderful world of secrets and secret operations and secrets management. And today, we're taking a look at a project called Infisical, and I'm joined by Vlad from the Infisical team to walk us through it. Hey, Vlad. How are you?

2:22 Hey. Doing great. How are you? Yeah. Not too bad. This is always the highlight of my day, but I get to take a look at some awesome open source software. So before we talk about Infisical, could you please take a moment to introduce yourself and tell everyone about you? Yeah. Yeah. Of course. My name is Vlad. Thanks so much for having me. I'm one of the cofounders of Infisical, one of the first maintainers as well of the open source project. And, yep, previously, I worked at, which is now one of the largest neobanks

2:56 in Europe. I also worked at Figma. I think a lot of developers probably know Figma. It's a very popular design tool. And yeah. And now I'm building Infisical. I guess I'll answer more questions about it. Yeah. Yeah. We can get into that definitely. Yeah. That's a good lineage you've got. At Figma, I think you're right. Everybody's heard of it. Yeah. What's interesting is I like WebAssembly a lot, and I always go into conferences and talk about it. And I'm like, who's used WebAssembly? They always nobody ever puts their hands up.

3:27 And I'm like, well, you're just using it. You don't know. Like, Infisq is always the example. Like, if it's like their platform is made possible, I believe, through a lot of WebAssembly. Anyway, I digress. It is. And Figma was one of the first users and, like, proponents of it ever. So yeah. Amazing what you can do with web technologies. So Yeah. Let's take a look at your current let's talk about your new project, Infisical. First, you're a brave person tackling secrets. Right? I mean, that to me is a scary thing.

3:49 The Problem of Secrets Management

3:57 I would never, in my right mind, think I'm gonna sit down and make the world secure by creating a secrets management platform. So maybe you could give us a bit of history of why you decided to tackle this problem. It is well, first of all, yes. It's a scary problem, but, also, it is one of the biggest problems that developers and companies and different engineering organizations and teams face. And it's one of those problems that they kinda you know, like, first of all, there is no perfect solution for

4:26 it yet. And because all the solutions that are available have certain kind of limitations. And developers are also not really willing to build a solution in house just because of how high the stakes are for it. And which is why we decided to build Infisical, which is, you know, a single platform, source that you're able to use for managing your application and infrastructure credentials across, well, all of your infrastructure, across your engineering teams, with your teammates, and so on. Awesome. This is a space, you know, as I go back five years and was predominantly either

5:09 crazy enterprise call us pricing. Right? You know, tools. I think CyberArk was probably one of the bigger ones. Or Vault, which is open source, but is notoriously difficult to operate. And trust me, I have tried many times and I'm sure you maybe have in the past as well. It's very difficult. And Infisical seems to come out of that from a different point of view. It's not scary. It doesn't seem challenging to operate. I guess that's something that you set out from the start to be like, let's make this different. Is that a fair assumption?

5:30 Infisical's Approach: Security Shift Left

5:40 It is. And how we view so something that I'll also say is how we view Infisical as we try to center it around the trend of security shift left. And this is ultimately a trend where, you know, in the early days, predominantly security was the responsibility of a single team within the organization, which is basically the security team. But right now, what's happening is that you see companies like Mercedes or Uber or AstraZeneca, they are using secret managers and, you know, like, some of those companies that you mentioned, and yet their secrets are still

6:19 leaked. So they're kinda, like, not protected against those kind of disasters. And, obviously, for them, it's very high stakes. For AstraZeneca, they have lots of medical data and so on. And so what's happening is that developers are kinda, like, kept outside the loop, and they don't have the right tools to actually act responsibly and code securely and follow these secure practices. And so this is what we provide within Infisical. And our goal and kinda, like, our thinking about it is that you can build the most secure tool ever, could be Vault. But if it's so hard

7:00 to operate, developers are just not going to use it, and they're gonna find ways around it. So, ultimately, it's not reaching its goal. And this is what we want to solve within Infisical. We want to provide a very simple solution, and we want to provide all these kinda, like, leftmost tools for developers to operate secrets. You know, whether it's CLI or secret scanning products that we provide or some other secret sharing features, you should be able to do it within Infisical in just one platform. Yeah. I resonate with what you just said there a lot. You know, I'm in the

7:35 Kubernetes space. I've been there for a while and, you know, Vault was never part of anyone's Kubernetes cluster. And maybe now, but it wasn't for the last seven years. And instead, we came up with these workaround solutions to the point we have tools like SOPS from Mozilla, where we actually just encrypt everything in the story and get. And then key management becomes a challenge after that, and our secrets become very static. Right? We can't work with them with SDKs. Like, one of the coolest features, but Infisical, it's okay to use. We can do really cool things with our

8:04 secret properties. Yeah. Throwing things that get encrypted. I never resonated with me. I hated it. And I think that's just because Vault was notoriously difficult and people didn't wanna take that burden on. So yeah. I'm hoping people will be excited with what they're gonna see about Infisical. But before we jump into the demo, I think you tell us about the name. Where did that come from?

8:25 The Origin of the Name "Infisical"

8:43 Well, the name actually doesn't mean much. What it means is it means kinda like infinite and physical. So it's in physical or beyond physical. You know, we are operating a lot of these credentials and everything. And yeah. But that's kinda like a combination of engineering and DevOps and these kinds of things. Yeah. It was also I must say, it was available in a .com domain, and we wanted the .com domain. Always a big part of starting a company. Right? Is what could all.org do you get? Right. Yeah. Your infinity logo works with the name, and, of course, the DevOps cycle loop is also that kind of infinity thing. So I guess there's a lot. If you wanna make up a really compelling story, it's

9:17 definitely waiting there for you. Yeah. Alright. Shall we get hands on and show people how they can get started and what Infisical is? You happy for that? Yeah. Yeah. Yeah. Yeah. Perfect. Let me just clear, you know, a kinda like a sample Infisical project. Mhmm. Yeah. Are you able to see my screen? It's a very, indeed. Yeah. It's live. Go Perfect.

9:45 Project Overview and Environments

9:58 So I created a, you know, a Rawkode organization here, and right now, we're in the project call server just for folks to understand. And so, ultimately, when you are in the Infisical project, the first difference that you see from, you know, traditional secret management solutions is that we have this concept of environments. So in this case, you see that in this project, we have development, staging, and, you know, three different production environments, such as prod Asia, prod US, and prod EU. And these are highly customizable. You know, we see a lot of engineering teams have, for example, like a pre-prod environment or multiple staging environments, or some teams have different development environments for features they are developing and so on. So, yeah, this environment concept is very

10:38 common across, you know, like, how engineering teams organize their secrets and their applications. And this screen gives you a bird's eye view of everything that's happening. You can immediately know if a secret is missing in a particular environment or if the secret is there, but the value is not specified yet. You can immediately see it on the screen. Yeah. What are the red squares at the top for Asia and EU? These are just telling you, you know, you're missing two secrets compared to other environments. Alright. So if you see we're missing

11:11 email, SMTP. We're missing Stripe publishable key. So then it just tells you, hey. Like, be careful. There is, like, two secrets missing. Alright. Nice. Yep. Because, ultimately, like, why this view exists is because we've seen times and times, you know, when developers are deploying something and then they accidentally forgot to specify a certain environment variable or secrets or configuration. And then they're, you know, they're trying to figure out why their deployments don't work, and this feature makes these things much, much easier. Yeah. That's one of the things I've noticed from exploring Infisical and going through the documentation.

11:47 It's not you don't you're not just encouraging people just to put the secret material in it. You're like, just get rid of your ENV file. Just put everything into Infisical, and then you have this level of visibility of what's missing and what's not and so forth. And I like that approach. Yes. It could be anything. So now if we go into any particular environment, so we can go so what you see here is, you know, a set of key value pairs, but the value itself can be anything. It could be a multiline secret, for example, like a JSON file. It could be an SSH certificate. And Infisical, kinda, like, automatically parses it for you in the right format. But it could also be a configuration. It yeah. It's really anything that you might that differentiates your environment, yeah, across different environments. Next. Yeah.

12:02 Managing Secrets: Referencing Values

12:18 And so now we are you can see we're in the development environment. And here, it's kinda like a deeper view into any particular environment. There is a lot of features that are embedded into it. So for example, if you take the DB URL, you can see that the value is a

12:59 MongoDB access token. And the cool thing about it is that it's actually able to reference other secrets. So in this case, you can see that we are referencing database password and database username. So every time we update database password and database username, it will actually be propagated to, you know, all the other mentions of this particular sequence. And right now, you know, we are querying it from this particular environment. We could also query it from reference it from other environments. So in this case, we're you're doing it from staging. And, yeah, it's really up

13:37 to you on how you want to set it up. Yeah. I like that. Yeah. And this feature, you know, a lot of engineers using us, they like it a lot because, ultimately, you know, it automates a lot of things. It allows them to just update the secret once, and the values will be propagated everywhere it's being used. So it becomes very convenient. Yeah. And there's lots of other things.

14:04 Metadata: Tags and Comments

14:13 So for example, you can add tags to your secrets. If you have hundreds or we have some teams have thousands or tens of thousands of secrets, then this becomes very convenient because they can just filter or search for those later on. You can also add comments to your secrets. So, you know, if you're onboarding new people to your team or you just want to remember how to generate a certain encryption key, then you can just specify it here. You can think of it as metadata fields, and you will always kinda, like, have it nearby. Cool. Yeah. Yeah. Yeah. And let's see. What else?

14:48 Secret Overrides

14:55 Another thing that people like a lot is this feature called overrides. So by default, all these secrets are shared across users or machines that have access to a particular environment. But with the override feature, for example, let's say I'm a developer and I'm working on a new feature. There is a certain for example, I update my SendGrid ID to another value. Now I can just click this button, and it's gonna override it with my personal value without affecting the workflows for the rest of the team. And so this is useful for either, you know, like local development when you constantly have to update these values to try out new things, or this is

15:31 also useful for highly sensitive things like database password and database username. They will likely be unique for every engineer, so then you can just override them with their personal values. I guess, yeah, if you're, like, a platform team, you could provide the key with an empty value, and then everyone has to go in and provide their override. Yeah. Exactly. So, like, what we see people do is either provide it with an empty value or, for example, in this case, you see the value is just username, and then, you know, I have to go ahead and

15:59 change it with Vlad. There is also a comment that says override. So you like, people kinda know that they have to override it. Yeah. Flick. Yeah. And yeah. Let's see.

16:15 Versioning and Point-in-Time Recovery

16:39 Everything is obviously version controlled, so you're able to see how the secret value has been changing over time. And this also ties into the point-in-time recovery functionality. So every time you make a change with your secrets in any particular environment, you can always go back in time and just roll back with a single button. And, yeah, here you can, you know, inspect the changes. And this is very useful if you make an error or you just want to see what has happened in this particular snapshot for debugging purposes, for example. Okay. Cool. I guess it also gives you visibility into, like, if someone on the team, their machine was compromised and someone updated values, then you would have full visibility into how to handle that. Yeah. So this one is actually even more than that. You should look into audit logs because Infisical automatically, you know, logs all of these different events.

17:07 Audit Logs for Visibility

17:16 And, you know, you can filter it by source. You know? So, like, is it happening through the SDKs or web or CLI, whatever it is. And here it's asked, you know, like, who is the actor, whether it's user or machine, which user, for example, or which machine, what's the source. For example, right now, we're looking at web, and this is my IPv6 address. And here, like, some metadata fields that are specific to every event. So, yes, here, you would be able to see, you know, like, everything that could be happening. Oh, so if someone's machine was compromised, you

17:50 could literally come into here, filter by the user, and get every read from a certain point of time, and then you know to have to go and rotate all of those credentials. Yes. Exactly. So you're able to rotate either manually or we have automatic rotation. Yeah. Very cool. So you're able to see it all here. You're also able to integrate it with your logging solution. If you're using, like, a SIEM or something, then, yes, this would be very helpful for these kind of, like, compliance use cases. Yeah. Yeah. Let's see.

18:31 Organizing Secrets with Folders

18:31 So while we're still at it, so something that I'll also say is by default, the structure of secrets in Infisical is very flat, and this is because, you know, when we see engineers start using Infisical, this is kinda like what they want because they don't need all this complexity that traditionally has been with, like, different paths and so on in secret management. But sometimes, you know, when teams become larger and their projects and products become larger, then they start to have the need for folders. And this is basically functionality of organizing secrets in the particular

19:09 directories. You can nest these folders infinitely. So, really, you are able to create the structure that works for your use case. It's very, very highly customizable. Is there, from your experience, a preferred approach to how to use folders or go flat? Do you see something that works better, or is it purely down to the team and what they're doing? It's really down to the team. It also really depends. For example, some teams are changing to Infisical from existing secret managers, so they've already been using something before. So then they are trying to imitate the

19:45 structure from those secret managers into Infisical. So yeah. And then they're very easily able to do that with folders. But, really, you know, like, one thing that we see is, for example, split by microservices or kinda, like, split by functionalities, for example, like billing or email, or some people also put kinda, like, more sensitive secrets into a specific folder, and then they are able to access control this folder much easier. For example, there could be a folder with encryption keys, and kinda like very few people on the team would get access to that.

20:25 Okay. So folders can also be a means of splitting up the RBAC across the project. If it's flat, everybody has access to everything. But if you bring in folders, you can change the policies across the folders, if I understood that correctly. Yeah. Yes. Yes. Definitely. And I can also show you how it works in a few minutes. But, yes, the RBAC access controls, you're able to integrate them very well with folders. Alright. Nice. Yeah. And yeah. So, actually, access control is a huge part, obviously, of Infisical, you know, just because of the nature of secret management.

20:59 Access Controls and Permissions

21:02 But before we move on to that, I wanna show you another feature that people are usually very excited about. So here, you can see that we are in the prod Asia environment. And here, we have this green icon that says prod US. And what this means is actually an important icon. So what's happening is that inside our prod Asia environment, we are inheriting the secrets from the prod US environment. So prod US becomes our core production environment, and then the rest of the secrets is actually being overridden. So they are unique for prod Asia.

21:10 Secret Approval Policies

21:41 Some secrets will be equivalent, like the same across two environments. Some secrets will be different, and this is what you can see here. Okay. Yeah. There are a lot of other use cases for it. Sometimes it's with some kind of preview environments or staging environments or pre-prod environments. Kinda like having this core environment could be very handy. So what takes precedence here? The imports or the secrets below it? The secrets afterwards. Right. Right. You can kinda see here, you know, if

22:16 it's present in the dashboard, it means that the secret is being overridden by specific Asia secrets. Very cool. Yeah. I like that. I don't think I really fully comprehended how that works, but I have used the imports. I have microservices, and I realized that I was copying the same three tokens all the time in all of them. And then I end up just creating a folder at the top and then import that into each microservice. And it worked really well. But yeah. Yeah. This is what people do as well. Because so for example, you know, some

22:44 people might have a folder with, for example, email, like SendGrid related secrets, and then they need to import the same folder into all of their environments. So then they're able to take this folder from, let's say, the core environment. They have it in Infisical and import it everywhere else. So then, you know, if they need to update the secret, they only update it once and it gets propagated everywhere. Alright. Nice. I like that. Yeah. Let's see. So we can probably move on to the access controls. So in Infisical, how you can think

23:19 about it is we have the concept of identities, and these identities could either be humans or machines. So for example, humans, you know, it's any developer, any DevOps engineer who has access to the Infisical dashboards or also, you know, API or CLI or all the other formats that we provide for accessing secrets. But identities could also be machines. And so machine identities are useful for, for example, managing CI/CD pipelines or your production environments or, you know, something more automated. So basically, how you can think of it is people are kinda like

24:02 more manual workflows, and machines are much more automated workflows. But the nice part about it is that they're kinda equivalent, and both of them have the role that can be assigned to it. And then this role gives them the corresponding set of permissions for accessing specific environments and so on. Some roles are available by default, but you're actually able to create any custom role that you want. And you're able to specify, for example, in the prod Asia environment for these specific secrets, people are only able to maybe create new secrets, but they can't view or modify or

24:43 delete the existing ones. So, yeah, you know, again, very, very highly customizable roles. You can manage roles or project members or environments or service tokens with them and, yeah, make sure that people have the right set of permissions, or machines. Nice. Yeah. I know you were also like, I think you had some kinda, like, suggestions about more, like, attribute based access controls, if I remember correctly. Yeah. That comes back to kind of my mono repository use case where Yeah. You know, I think for my situation and I

25:26 don't know how niche that is versus what you see from all your actual customers and such. But, you know, I think there's rules to access secrets, which I mean, you've got rules. Right? But like say, a DevOps person, they're always gonna need access to secrets tagged with cloud or infra or whatever. And I just figured that approach scales better for a mono repository where I don't wanna have to be configuring loads of paths all the time. Yeah. It could work. So, you know, we've been thinking about it a lot, and we are actually right now soon

26:00 we will be releasing the revamp to access controls. And so, you know, it's access controls as well as all the other adjacent features to it. And maybe I can talk about two of them in a bit. But, yes, I think there is definitely a lot of room for this kinda, like, tag based or attribute based access controls. There is also a lot of rules that you can add on top of that. For example, you know, if a user is accessing secrets from a particular IP address, then they get a role X. But if they're accessing it from a different

26:41 IP address or from a different network, then they get a role Y. So these kind of, like, changing roles is also a very, very interesting concept. Yeah. I guess you've got people using this d n d. I'm sure you use it yourselves, d n d. Like, it's like that video. I don't know if you ever seen it. It went viral on Twitter maybe last year. And it's like the designer watching someone play with their product, and it's like the box with the star hole and the circle hole and the square hole, and they put all the shapes in

27:13 the one hole and they're like Yeah. With that. It's like, you know, when you have an open source project, the people are always gonna think we are the wonderful ways to use it. So it's just nice and refreshing when people take on board ideas and talk about them. So, yeah, I'm excited to see what he's come up with. No. It's gonna be very cool. So one thing that we also already have is something called secret approvals. I don't know if you had a look into that before. But, basically, how it works is

27:45 so you see, we are right now in the prod US environment. And in the prod US environment, there is this lock icon, and it says that it's protected by policy, prod US. So now if, you know, as an engineer, if I want to update secrets in this particular environment, it actually one process might change. Instead, it will work similar to how you commit or raise a PR in Git. You know? So before merging your code to main, it has to be approved by one or multiple other people on your team. And we have the similar concept with secrets.

28:18 You know? Before you merge your changes into the production environments, it has to be approved by one of the admins on the team that you prespecify or maybe multiple admins. And here, you see someone submit a request, then I'm able to approve or reject it depending on, you know, if it makes sense or not. And these policies, you know, they can be specified very freely. You can specify who is able to make changes for or approve changes for every particular environment and how many approvals you need and so on. And, actually, how this

28:53 feature started is one of our customers, she used to be a head of infrastructure in a very large company, and they had this error twice where they updated secrets in, like, one of the production environments. And they made a mistake accidentally because there wasn't a second person to kinda, like, look over the change, and then the production went down twice. So first of all, like, this approval functionality is good for compliance and making sure that nothing goes into production that's unwanted, but, also, it just gives you another set of eyes to make sure that everything is stable.

29:38 Yeah. I like that pull request format for making changes. That's very cool. I'd seen the thing in the menu bar. I'd never clicked on it because I'm a team of one. So I was like, I don't know what that is. And but, yeah, I can see how that's really gonna be beneficial for larger teams that are working. Yeah. And you know what? Actually, I feel like we hear this a lot, and I think we're gonna be unifying this in the larger, you know, access control tab, which is gonna be, like, universal, all the

30:04 things around access controls in Infisical that you might need.

30:19 Temporary Access (Upcoming Feature)

30:42 And there is another thing, another feature that will be coming out very soon here, and it will probably be called temporary access. And how it works is, you know, sometimes imagine you have your deployments on Tuesday, and there is a team of engineers who needs to have access to the pre-prod environments for these specific hours on this specific day. So what you're able to do within Infisical is you're able to set up a schedule, or as an admin, you can just kinda, like, issue this temporary access. And then on this specific time for a specific period of time, these specific engineers will get access to this environment. And after the access expires, you can specify for secrets to be automatically rotated. So That's cool. Yeah. So this kinda, like, temporary access is something that we see a lot of teams want, you know, from the smallest teams kinda like startups to very large corporations as well. So yeah. I can imagine a scenario where there's some sort of incident and data you know, developers who don't normally access production database,

31:26 whether it might be PII or whatever, can elevate their permissions. And then as soon as they're finished with that incident, it all gets rotated behind the scenes, and then they lose their access. That's Yeah. Powerful. Powerful. Because there are those kinda, like, high stakes situations where, you know, if developers don't have access to that, then they kinda, like, can't do much. But Although, they'll find ways around it, and then they'll break the entire process. Right? You have to find a way that allows people to do their job, but in a way that does keep security first

31:56 and, you know, front and center. Right? And I think that's really important. Yeah. Exactly. And this is one of those features around security shift left that I've been talking about because traditionally, what's happening is that, you know, in traditional secret managers, if something like this happens, then the engineer on the or, like, the team that's responsible for secret management, they somehow try to find a way to give particular secrets access to these specific engineers. But then what's happening is that they somehow get a hold of those secrets, then they store them potentially in unwanted places like Slack

32:35 or Notes or whatever it is. And, you know, it's much, much better to store everything in Infisical and rotate them at the right schedule. Yeah. Yeah. Very cool feature. So I guess Yeah. You've mentioned that there's a few things that's coming up and you're working on that are going to be deployed soon. Maybe you could, like what does soon mean for Infisical? Do you just release every month? Do you release every quarter? Is it every day? Like So yeah. Right. Let maybe I can stop sharing. Sorry. It's alright. Everybody's done that before. It's one of the most frustrating things about where that button is. So don't worry about it whatsoever. I accidentally decided to hang up. I'm done with this guy. I'm away. Yeah. At least the reconnect button was right there, so I was able to reconnect immediately when I realized what happened. But yeah.

32:53 Release Schedule

33:28 So, actually, that's a really interesting question because previously, we used to be on a rolling release schedule. So we were, you know, basically releasing features, you know, after testing them out thoroughly as we go. Right now, we are actually moving more towards

34:09 kinda like a scheduled release schedule. Think it's going to be around monthly. Mhmm. And we're gonna have kinda like a particular day every month that we are releasing features. And, yeah, that that that's how it works. So for example, with with the feature around temporary access, I think we're gonna be releasing it for around two weeks or so. And yeah. So you you the you know, our team is actually moving very, very quickly. If you I don't know if you are keeping up with our development on GitHub and and so on, but you can see, you

34:43 know, like, how many commits and PRs we're merging. Yeah. Yeah. Is there are you talking about the demo? Do you want me to throw more questions there, or do wanna show a few more things? Yeah. I I mean, let's continue with the demo then. Let me yeah. Can you see it again? Yeah. It's back up. Yeah. Perfect. So, obviously, the most important part about Infisical is is, you know, how you actually access these secrets across your applications. So and within Infisical, we provide a lot of different ways. So first of all, we have the integrations,

35:13 Accessing Secrets: Cloud & Developer Tool Integrations

35:28 you know, with all the different clouds and and developer tools, or let's say not all of them, but but a large part of them and and certainly some of the most popular ones. And so an example for that could be Vercel or, you know, Heroku or actions or CircleCI or, you know, any anything else that you see on this dashboard, and, potentially, there is more in the documentation. But how it works is is, for example, let's take GitHub or Vercel as an example. You can integrate Infisical with your Infisical projects, and every time you update a secret in

36:07 Infisical, it will actually be propagated to these projects. So what happens is that you're able to create a central source of truth for your secrets and make sure that there's no discrepancies, like, for your secrets across all the different platforms, whether it's GitHub or Vercel or Supabase or, you know, any other platforms that you might be using. And, yeah, and what we see a lot is we see, for example, a lot of teams with, you know, like, example, hundred different Heroku applications, and then they are able to centralize everything in Infisical and, you know, in a very

36:46 nice looking dashboards with all the different environments compared to each other. Yeah. Have you tried creating an integration yet? I'm not sure. I have. It's one of the main selling points for me of centralizing my secrets. You know, the fact that I could put everything into this product, and then I don't have to worry about copy and paste to GitHub Actions or Cloudflare Workers and so forth. Just being able to pick that up and then it automatically does the same. It's such a nice feature, and it encourages me to have better security posture.

37:16 I'm not going for the back door of saying, well, I'm just gonna store this password on my desktop because I need to for the next day, I'm deploying in two weeks or whatever. Like, I I just have confidence now that if I put them here, they're in the right place and they get to the right place. And that's very cool. Yeah. No. Exactly. And and this becomes very handy kinda like the more services you're using and the more applications you have, the more of a problem it becomes. And especially, you know, like, if you start having a

37:44 larger team, then Infisical's integrations become very handy because you have a single source of truth and and everything stays secure. Yeah. I've also found that in some cases, well, the other way, like, instead of trying to sync things somewhere, like, the the JavaScript SDK is also so good that I'm finding in my applications. I'm actually just trying to fetch the secrets where they're needed well. And then all it means I only have to sync one thing to these different services and then the apps can fetch whatever they need beyond that. It does expose a little

38:17 bit of risk because my tokens probably have access to too much for the application that they need. But, you know, based on the access control stuff that you're talking about and things that are going to come, that will get tidied up in due course. So Yeah. And you can also, for example, restrict the IP addresses and do a lot of different things around security in this sense. Yeah. I like the flexibility, and it just you know, you can tackle each of these problems in many different ways within Infisical. It's again, it comes down to

38:47 what works best for the team, what they're trying to do, and that's the approach they should be taking. Yeah. Yeah. Sure. And so these are kinda like, you know, the integrations on the cloud and all the different platform type of things. Something that's also very helpful, and, you know, it's admittedly helpful for a different set of developers, but it's a lot of different infrastructure integrations. So starting from managing your secrets in Docker to Kubernetes to Terraform to Ansible or, you know, Jenkins pipelines, it could really be anything, and it depends on the team.

39:34 Oh, sorry. I just realized that you're probably not able to see my screen No. Anymore. Right. But I switched to a different tab. Hold on. Let me maybe I'm not gonna hang up again. I'm just gonna stop sharing and change the tab. Yeah. Can you see it now? Yes. We see the Terraform. Yeah. Yeah. Yeah. Perfect. Yeah. No. What I was just gonna tell you, it's, for example, with Terraform, you're able to provision different secrets and other resources. And in Infisical, you can, for example, create an Infisical project and so on. So all of these automations

40:00 Accessing Secrets: Infrastructure Integrations

40:12 are possible. We have multiple ways to integrate with Kubernetes. But, ultimately, what they allow you to do is they allow you to kinda, like, stay up to date with all the latest secret versions. And as soon as you update a secret in your Infisical instance, it will actually be automatically propagated to your applications, and your applications will be redeployed. So you don't need to think about the deployment aspect yourself, and this is probably, like, one of for teams that are using Kubernetes, I think this is one of the most loved features of Infisical.

40:47 Yes. Now one of the first things I install into my Kubernetes clusters is the is the operator. So Yeah. Yeah. Yeah. And, yeah, and and another kinda, like, tangential thing feature is Infisical Agent. And, basically, it works similar to a sidecar, which is render which is able to render your secrets according to a specific template. So you you, you know, you specify a template here, and whatever your application is, it's able to to get those secrets. And you don't need to change any code logic internally in your application. Oh, I hadn't seen that before, but that's

41:02 Infisical Agent (Sidecar Rendering)

41:28 pretty cool. Yeah. I guess because it's fairly new. It's probably, like, a couple months old. Yeah. But but I guess what I'm trying to say is that within Infisical and and ultimately for any secret management solution you're using, it will only be useful if it's able to integrate with, you know, like, ideally, all of your all of the tools, infrastructure, developer tools that you're using. But, you know, but at least, like, a very, very large majority of those. And which is why we take these integrations very seriously. And whatever the engineering teams out there could be using, you know, whether it's

42:08 Ansible or all the different other infrastructure tools, TeamCity, GitHub Actions, GitLab, you know, and Jenkins is a very, very popular one as well, then they should be able to do that within Infisical. And they should be able to simplify secret management there. And while simplifying, they will also make it more secure because their developers will now be, you know, much more likely to use a simple solution for secret management in this particular environment. Yeah. Definitely. Yeah. And, yeah, I mean, there is quite a lot of things that are other to Infisical.

42:52 So one of the maybe I can stop sharing at this point. You know, one one of the things that I how we view Infisical is it's a single platform for managing secrets. And what this could mean is also secret scanning functionalities. So if if you are or are not familiar with secret scanning, it's, you know, a set of tools that prevents your secrets from being leaked. And one of the very common examples for that is hard coding secrets into Git. So what we do within Infisical is using our CLI, we are able to prevent commits

43:08 Secret Scanning

43:34 that have hard coded secrets inside them. So we have an algorithm embedded there. It runs locally on your machine, and it's able to identify any hard coded secrets and kinda, like, warn you. It's like, hey. Be careful. You're about to commit this to Git, and then it's gonna be in your Git history, which is not a good security, you know, you know, which is not a good action to do from the security standpoint. Yeah. So is that algorithm detecting any secret string or secrets that you have in your Infisical It's anything. It's anything. So it's able to

44:12 pattern match. It's able to identify 50 different secret types, you know, from, you know, like, different AWS access tokens to API keys and SendGrid or whatever whatever it is. But, yes, it's able to it's kinda, like, able to pattern match and identify those secrets and prevent you from leaking those. So even if the secrets are not in Infisical yet, we will catch those. Okay. Yeah. And definitely one of the kinda, like, future directions as well for expansion for Infisical, you know, working on the in the secret man the secret scanning realm because that's something that a lot of engineers

44:52 like. You know, you have a single solution for that kinda, like, combines these functionalities together. Alright. Nice. Let's kinda change page a little bit to something we haven't really touched on yet. So we said at the start that this is all open source. There is a cloud product. People can go and sign up and just let you manage everything for them. But as they wanted to self host, that is an option. Like, what is involved there, and how does, you know, how does Infisical keep people from doing anything silly? What's the encryption technology under the

45:01 Open Source and Self-Hosting

45:25 hood? Is it using cloud KMS? Does it provide their own keys? Maybe you could shed a bit more light on that. Yeah. Yeah. Yeah. Yeah. So first of all, actually, the self hosting so we have we provide all the self hosting instructions within our documentation. And we so, admittedly, we used to have very, very thorough instructions because we very recently migrated from MongoDB to Postgres. And right now, we don't have everything kinda, like, on par with how it used to be for Mongo yet. But, you know, we are adding them over time.

45:58 And there are kinda, like, a number of different architectures that we do recommend people to self host depending on their use cases. You know, typically, if it's kinda like a solo project, that's one architecture that's being recommended. If it's, like, a huge bank, then it's a different one. And we, for example, have, like, a Kubernetes deployment with Helm charts available and, you know, all the steps that people need to take to deploy and create this highly available environment. And, yes, and also, like, we provide different instructions for how to

46:34 actually secure your environment. So how it works is that, you know, for well, how to secure your environment, but also how to secure the data within Infisical. And, yeah, you know, we kinda like as part of our security posture. The goal of Infisical is to secure the data within Infisical, but the kinda, like, the part of securing the environment of Infisical is mostly on the team who is self hosting it. So we can kinda, like, advise on that, but we can't be responsible for that because it's ultimately the responsibility of the self hosting team.

46:39 Encryption and Security Posture

47:15 And yeah. But, you know, the setup is very simple. We actually it's I guess it's a very interesting story because when we started out, there used to be kinda like so many different encryption keys and other things that people had to specify when they were self hosting Infisical. And we actually narrowed it down and made it kinda like much, much, much simpler. So a lot of these things are being generated automatically now, and you just need to specify a single encryption key. And, yeah, that's how it works. It's very, very simple.

47:50 Nice. I like simple. I like that you don't have to get six people in six different countries standing underneath a solar eclipse at the same time chanting some sort of magic phrase just to get it to build up. Very cool. Yeah. Alright. So Infisical is simple. It's not simple. It's open source. It can be simple to install. The complexity is there if you wanna go to the documentations. In fact, the sample works for you, and people can get started right away. You've already kinda covered on what is coming up with a few things, but is

48:20 Future Roadmap and Upcoming Features

48:22 there any larger or longer term initiatives that you're working on at Infisical that people should be excited about that you wanna go and share with them today? Yeah. Honestly, there's just so many things happening at the same time. So first of all, for the integrations that we are that I showed you, something that we will be releasing soon is bidirectional integrations. So, you you know, sometimes what happens is that even though Infisical is the main source of truth for Infisical, some engineer on the team decides to, for some reason, to update the secret in Heroku.

48:31 Future: Bidirectional Integrations

48:58 And then what happens is there there becomes discrepancy. So with bidirectional integrations, you'll actually be able to specify, you know, what's the behavior that you want to follow in case these discrepancies appear. And and there is a lot of other things that we'll be releasing for improving integrations. You you can kind of think of it as the integration v two stage, and, you know, they're they'll become much more customizable if if you want them to be customizable. But yeah. So that's another thing. The other thing that's going to be coming out, and and that's what we've been working

49:36 for, like, quite a long time now is different authentication methods for how you can authenticate Infisical both on the user and on the machine level. And, yeah, I mean I mean, there is lots and lots of stuff around it. You know, we already support, for example, on the user level, a lot of different authentication methods starting from, you know, very simple, like, email and password to SAML SSO to OIDC to LDAP to all all kinda like it's a lot of different things. But there is much more to be added and also a lot on the machine level.

49:39 Future: Enhanced Authentication Methods

50:19 For example, Kubernetes authentication is something that we'll be adding and so on. Another functionality, and this is gonna be kinda like another part of Infisical, and maybe it would come a little later. But, ultimately, it's the secret sharing functionality. And how we view it is that, you know, even though you have Infisical as your secret management platform, sometimes you have these situations where you, as a developer, have to send something confidential to either another person on your team or maybe to your clients or whatever it is. And then you would be able to use

50:33 Future: Secret Sharing Functionality

50:59 Infisical to basically generate encrypted links or and it's kinda like a secret sharing infrastructure for these sensitive credentials. Nice. Wow. Based on all of those things that you have coming up, I'm assuming nobody in your team has a minute to sleep because that is a lot of things that you're working on. Yeah. We borderline on sleep. Yeah. Alright. Well, I hope based on everything that people have seen and what they've heard is that they're excited and they're all gonna go check out Infisical at the next available option. Any last words for people before we wrap

51:27 Conclusion and Call to Action

51:36 this up? No. Thanks so much for inviting me. It was really, really fun talking to you and showing Infisical to everyone in your audience. And, yeah, hopefully, people are excited. Hopefully, they like what we're building. And, yeah, if you know, we also have a Slack channel. You can find it at Infisical.com//slack. And feel free to join. You know, if you have any questions, just let us know. We reply to those very quickly. And, yeah, we'd love to have you try Infisical. Yeah. And remember, it's open source, so go to GitHub, get involved, and, you know, make

52:14 Infisical a little bit better every day. Yeah. We have a huge contributor community. You know? We yeah. The open source is really at the heart of Infisical. And yeah. Alright. Well, thank you so much for taking time out of your morning to join me. I love Infisical, a product I use pretty much every day, and thank you for sharing that with everyone else. And until next time, we'll see you all soon. Thank you, Vlad. Thank you.
