add docs for linux ha

chore(deps): bump body-parser and express in /frontend

.github/workflows/release-standalone-docker-img-postgres-offical.yml

@@ -1,62 +1,115 @@
 name: Release standalone docker image
 on:
-  push:
-    tags:
-      - "infisical/v*.*.*-postgres"
+    push:
+        tags:
+            - "infisical/v*.*.*-postgres"
 
 jobs:
-  infisical-tests:
-    name: Run tests before deployment
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
-  infisical-standalone:
-    name: Build infisical standalone image postgres
-    runs-on: ubuntu-latest
-    needs: [infisical-tests]
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: version output
-        run: |
-          echo "Output Value: ${{ steps.version.outputs.major }}"
-          echo "Output Value: ${{ steps.version.outputs.minor }}"
-          echo "Output Value: ${{ steps.version.outputs.patch }}"
-          echo "Output Value: ${{ steps.version.outputs.version }}"
-          echo "Output Value: ${{ steps.version.outputs.version_type }}"
-          echo "Output Value: ${{ steps.version.outputs.increment }}"
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          tags: |
-            infisical/infisical:latest-postgres
-            infisical/infisical:${{ steps.commit.outputs.short }}
-            infisical/infisical:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          file: Dockerfile.standalone-infisical
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+    infisical-tests:
+        name: Run tests before deployment
+        # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+        uses: ./.github/workflows/run-backend-tests.yml
+
+    infisical-standalone:
+        name: Build infisical standalone image postgres
+        runs-on: ubuntu-latest
+        needs: [infisical-tests]
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 📦 Install dependencies to test all dependencies
+              run: npm ci --only-production
+              working-directory: backend
+            - name: version output
+              run: |
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
+            - name: Save commit hashes for tag
+              id: commit
+              uses: pr-mpt/actions-commit-hash@v2
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: Set up Depot CLI
+              uses: depot/setup-action@v1
+            - name: 📦 Build backend and export to Docker
+              uses: depot/build-push-action@v1
+              with:
+                  project: 64mmf0n610
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  push: true
+                  context: .
+                  tags: |
+                      infisical/infisical:latest-postgres
+                      infisical/infisical:${{ steps.commit.outputs.short }}
+                      infisical/infisical:${{ steps.extract_version.outputs.version }}
+                  platforms: linux/amd64,linux/arm64
+                  file: Dockerfile.standalone-infisical
+                  build-args: |
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+
+    infisical-fips-standalone:
+        name: Build infisical standalone image postgres
+        runs-on: ubuntu-latest
+        needs: [infisical-tests]
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 📦 Install dependencies to test all dependencies
+              run: npm ci --only-production
+              working-directory: backend
+            - name: version output
+              run: |
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
+            - name: Save commit hashes for tag
+              id: commit
+              uses: pr-mpt/actions-commit-hash@v2
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: Set up Depot CLI
+              uses: depot/setup-action@v1
+            - name: 📦 Build backend and export to Docker
+              uses: depot/build-push-action@v1
+              with:
+                  project: 64mmf0n610
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  push: true
+                  context: .
+                  tags: |
+                      infisical/infisical-fips:latest-postgres
+                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
+                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
+                  platforms: linux/amd64,linux/arm64
+                  file: Dockerfile.fips.standalone-infisical
+                  build-args: |
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.infisicalignore

@@ -6,3 +6,4 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
+backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134

Dockerfile.fips.standalone-infisical

@@ -0,0 +1,167 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+ARG INTERCOM_ID=intercom-id
+ARG CAPTCHA_SITE_KEY=captcha-site-key
+
+FROM node:20-slim AS base
+
+FROM base AS frontend-dependencies
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM base AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ARG INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+
+# Build
+RUN npm run build
+
+# Production image
+FROM base AS frontend-runner
+WORKDIR /app
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+
+USER non-root-user
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM base AS backend-build
+
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+WORKDIR /app
+
+# Required for pkcs11js
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
+RUN npm i -D tsconfig-paths
+RUN npm run build
+
+# Production stage
+FROM base AS backend-runner
+
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+WORKDIR /app
+
+# Required for pkcs11js
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+RUN mkdir frontend-build
+
+# Production stage
+FROM base AS production
+
+# Install necessary packages
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    curl \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+# Give non-root-user permission to update SSL certs
+RUN chown -R non-root-user /etc/ssl/certs
+RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
+RUN chmod -R u+rwx /etc/ssl/certs
+RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
+RUN chown non-root-user /usr/sbin/update-ca-certificates
+RUN chmod u+rx /usr/sbin/update-ca-certificates
+
+## set pre baked keys
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID=intercom-id
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+
+WORKDIR / 
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app ./backend/frontend-build
+
+ENV PORT 8080
+ENV HOST=0.0.0.0
+ENV HTTPS_ENABLED false 
+ENV NODE_ENV production
+ENV STANDALONE_BUILD true 
+ENV STANDALONE_MODE true
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+WORKDIR /backend
+
+ENV TELEMETRY_ENABLED true
+
+EXPOSE 8080
+EXPOSE 443
+
+USER non-root-user
+
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -72,6 +72,9 @@ RUN addgroup --system --gid 1001 nodejs \
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk add --no-cache python3 make g++ 
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -85,6 +88,9 @@ FROM base AS backend-runner
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk add --no-cache python3 make g++ 
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 

backend/Dockerfile

@@ -3,6 +3,12 @@ FROM node:20-alpine AS build
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk --update add \
+        python3 \
+        make \
+        g++
+
 COPY package*.json ./
 RUN npm ci --only-production
 
@@ -11,12 +17,17 @@ RUN npm run build
 
 # Production stage
 FROM node:20-alpine
-
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
+
+RUN apk --update add \
+        python3 \
+        make \
+        g++
+
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .

backend/Dockerfile.dev

@@ -1,5 +1,44 @@
 FROM node:20-alpine
 
+# ? Setup a test SoftHSM module. In production a real HSM is used.
+
+ARG SOFTHSM2_VERSION=2.5.0
+
+ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
+    SOFTHSM2_SOURCES=/tmp/softhsm2
+
+# install build dependencies including python3
+RUN apk --update add \
+        alpine-sdk \
+        autoconf \
+        automake \
+        git \
+        libtool \
+        openssl-dev \
+        python3 \
+        make \
+        g++
+
+# build and install SoftHSM2
+RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
+WORKDIR ${SOFTHSM2_SOURCES}
+
+RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
+    && sh autogen.sh \
+    && ./configure --prefix=/usr/local --disable-gost \
+    && make \
+    && make install
+
+WORKDIR /root
+RUN rm -fr ${SOFTHSM2_SOURCES}
+
+# install pkcs11-tool
+RUN apk --update add opensc
+
+RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+
+# ? App setup
+
 RUN apk add --no-cache bash curl && curl -1sLf \
   'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
   && apk add infisical=0.8.1 && apk add --no-cache git

backend/e2e-test/vitest-environment-knex.ts

@@ -16,6 +16,7 @@ import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { Redis } from "ioredis";
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -54,7 +55,12 @@ export default {
       const smtp = mockSmtpServer();
       const queue = queueServiceFactory(cfg.REDIS_URL);
       const keyStore = keyStoreFactory(cfg.REDIS_URL);
-      const server = await main({ db, smtp, logger, queue, keyStore });
+
+      const hsmModule = initializeHsmModule();
+      hsmModule.initialize();
+
+      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule() });
+
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type

backend/package-lock.json

@@ -83,6 +83,7 @@
         "pg-query-stream": "^4.5.3",
         "picomatch": "^3.0.1",
         "pino": "^8.16.2",
+        "pkcs11js": "^2.1.6",
         "pkijs": "^3.2.4",
         "posthog-node": "^3.6.2",
         "probot": "^13.3.8",
@@ -120,6 +121,7 @@
         "@types/passport-google-oauth20": "^2.0.14",
         "@types/pg": "^8.10.9",
         "@types/picomatch": "^2.3.3",
+        "@types/pkcs11js": "^1.0.4",
         "@types/prompt-sync": "^4.2.3",
         "@types/resolve": "^1.20.6",
         "@types/safe-regex": "^1.1.6",
@@ -8830,6 +8832,17 @@
       "integrity": "sha512-Yll76ZHikRFCyz/pffKGjrCwe/le2CDwOP5F210KQo27kpRE46U2rDnzikNlVn6/ezH3Mhn46bJMTfeVTtcYMg==",
       "dev": true
     },
+    "node_modules/@types/pkcs11js": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@types/pkcs11js/-/pkcs11js-1.0.4.tgz",
+      "integrity": "sha512-Pkq8VbwZZv7o/6ODFOhxw0s0M8J4ucg4/I4V1dSCn8tUwWgIKIYzuV4Pp2fYuir81DgQXAF5TpGyhBMjJ3FjFw==",
+      "deprecated": "This is a stub types definition for pkcs11js (https://github.com/PeculiarVentures/pkcs11js). pkcs11js provides its own type definitions, so you don't need @types/pkcs11js installed!",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "pkcs11js": "*"
+      }
+    },
     "node_modules/@types/prompt-sync": {
       "version": "4.2.3",
       "resolved": "https://registry.npmjs.org/@types/prompt-sync/-/prompt-sync-4.2.3.tgz",
@@ -17066,6 +17079,20 @@
         "node": ">= 6"
       }
     },
+    "node_modules/pkcs11js": {
+      "version": "2.1.6",
+      "resolved": "https://registry.npmjs.org/pkcs11js/-/pkcs11js-2.1.6.tgz",
+      "integrity": "sha512-+t5jxzB749q8GaEd1yNx3l98xYuaVK6WW/Vjg1Mk1Iy5bMu/A5W4O/9wZGrpOknWF6lFQSb12FXX+eSNxdriwA==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/PeculiarVentures"
+      }
+    },
     "node_modules/pkg-conf": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/pkg-conf/-/pkg-conf-3.1.0.tgz",
@@ -19761,9 +19788,10 @@
       }
     },
     "node_modules/tslib": {
-      "version": "2.6.3",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.3.tgz",
-      "integrity": "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ=="
+      "version": "2.8.0",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.0.tgz",
+      "integrity": "sha512-jWVzBLplnCmoaTr13V9dYbiQ99wvZRd0vNWaDRg+aVYRcjDF3nDksxFDE/+fkXnKhpnUUkmx5pK/v8mCtLVqZA==",
+      "license": "0BSD"
     },
     "node_modules/tsup": {
       "version": "8.0.1",

backend/package.json

@@ -84,6 +84,7 @@
     "@types/passport-google-oauth20": "^2.0.14",
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
+    "@types/pkcs11js": "^1.0.4",
     "@types/prompt-sync": "^4.2.3",
     "@types/resolve": "^1.20.6",
     "@types/safe-regex": "^1.1.6",
@@ -188,6 +189,7 @@
     "pg-query-stream": "^4.5.3",
     "picomatch": "^3.0.1",
     "pino": "^8.16.2",
+    "pkcs11js": "^2.1.6",
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
     "probot": "^13.3.8",

backend/src/@types/fastify.d.ts

@@ -44,6 +44,7 @@ import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
+import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
@@ -184,6 +185,7 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
+      hsm: THsmServiceFactory;
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;

backend/src/db/migrations/20241111175154_kms-root-cfg-hsm.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
+  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
+
+  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
+    if (!hasEncryptionStrategy) t.string("encryptionStrategy").defaultTo("SOFTWARE");
+    if (!hasTimestampsCol) t.timestamps(true, true, true);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
+  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
+
+  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
+    if (hasEncryptionStrategy) t.dropColumn("encryptionStrategy");
+    if (hasTimestampsCol) t.dropTimestamps(true);
+  });
+}

backend/src/db/schemas/kms-root-config.ts

@@ -11,7 +11,10 @@ import { TImmutableDBKeys } from "./models";
 
 export const KmsRootConfigSchema = z.object({
   id: z.string().uuid(),
-  encryptedRootKey: zodBuffer
+  encryptedRootKey: zodBuffer,
+  encryptionStrategy: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
 });
 
 export type TKmsRootConfig = z.infer<typeof KmsRootConfigSchema>;

backend/src/ee/services/hsm/hsm-fns.ts

@@ -0,0 +1,58 @@
+import * as pkcs11js from "pkcs11js";
+
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+
+import { HsmModule } from "./hsm-types";
+
+export const initializeHsmModule = () => {
+  const appCfg = getConfig();
+
+  // Create a new instance of PKCS11 module
+  const pkcs11 = new pkcs11js.PKCS11();
+  let isInitialized = false;
+
+  const initialize = () => {
+    if (!appCfg.isHsmConfigured) {
+      return;
+    }
+
+    try {
+      // Load the PKCS#11 module
+      pkcs11.load(appCfg.HSM_LIB_PATH!);
+
+      // Initialize the module
+      pkcs11.C_Initialize();
+      isInitialized = true;
+
+      logger.info("PKCS#11 module initialized");
+    } catch (err) {
+      logger.error("Failed to initialize PKCS#11 module:", err);
+      throw err;
+    }
+  };
+
+  const finalize = () => {
+    if (isInitialized) {
+      try {
+        pkcs11.C_Finalize();
+        isInitialized = false;
+        logger.info("PKCS#11 module finalized");
+      } catch (err) {
+        logger.error("Failed to finalize PKCS#11 module:", err);
+        throw err;
+      }
+    }
+  };
+
+  const getModule = (): HsmModule => ({
+    pkcs11,
+    isInitialized
+  });
+
+  return {
+    initialize,
+    finalize,
+    getModule
+  };
+};

backend/src/ee/services/hsm/hsm-service.ts

@@ -0,0 +1,470 @@
+import pkcs11js from "pkcs11js";
+
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+
+import { HsmKeyType, HsmModule } from "./hsm-types";
+
+type THsmServiceFactoryDep = {
+  hsmModule: HsmModule;
+};
+
+export type THsmServiceFactory = ReturnType<typeof hsmServiceFactory>;
+
+type SyncOrAsync<T> = T | Promise<T>;
+type SessionCallback<T> = (session: pkcs11js.Handle) => SyncOrAsync<T>;
+
+// eslint-disable-next-line no-empty-pattern
+export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsmServiceFactoryDep) => {
+  const appCfg = getConfig();
+
+  // Constants for buffer structures
+  const IV_LENGTH = 16; // Luna HSM typically expects 16-byte IV for cbc
+  const BLOCK_SIZE = 16;
+  const HMAC_SIZE = 32;
+
+  const AES_KEY_SIZE = 256;
+  const HMAC_KEY_SIZE = 256;
+
+  const $withSession = async <T>(callbackWithSession: SessionCallback<T>): Promise<T> => {
+    const RETRY_INTERVAL = 200; // 200ms between attempts
+    const MAX_TIMEOUT = 90_000; // 90 seconds maximum total time
+
+    let sessionHandle: pkcs11js.Handle | null = null;
+
+    const removeSession = () => {
+      if (sessionHandle !== null) {
+        try {
+          pkcs11.C_Logout(sessionHandle);
+          pkcs11.C_CloseSession(sessionHandle);
+          logger.info("HSM: Terminated session successfully");
+        } catch (error) {
+          logger.error(error, "HSM: Failed to terminate session");
+        } finally {
+          sessionHandle = null;
+        }
+      }
+    };
+
+    try {
+      if (!pkcs11 || !isInitialized) {
+        throw new Error("PKCS#11 module is not initialized");
+      }
+
+      // Get slot list
+      let slots: pkcs11js.Handle[];
+      try {
+        slots = pkcs11.C_GetSlotList(false); // false to get all slots
+      } catch (error) {
+        throw new Error(`Failed to get slot list: ${(error as Error)?.message}`);
+      }
+
+      if (slots.length === 0) {
+        throw new Error("No slots available");
+      }
+
+      if (appCfg.HSM_SLOT >= slots.length) {
+        throw new Error(`HSM slot ${appCfg.HSM_SLOT} not found or not initialized`);
+      }
+
+      const slotId = slots[appCfg.HSM_SLOT];
+
+      const startTime = Date.now();
+      while (Date.now() - startTime < MAX_TIMEOUT) {
+        try {
+          // Open session
+          // eslint-disable-next-line no-bitwise
+          sessionHandle = pkcs11.C_OpenSession(slotId, pkcs11js.CKF_SERIAL_SESSION | pkcs11js.CKF_RW_SESSION);
+
+          // Login
+          try {
+            pkcs11.C_Login(sessionHandle, pkcs11js.CKU_USER, appCfg.HSM_PIN);
+            logger.info("HSM: Successfully authenticated");
+            break;
+          } catch (error) {
+            // Handle specific error cases
+            if (error instanceof pkcs11js.Pkcs11Error) {
+              if (error.code === pkcs11js.CKR_PIN_INCORRECT) {
+                // We throw instantly here to prevent further attempts, because if too many attempts are made, the HSM will potentially wipe all key material
+                logger.error(error, `HSM: Incorrect PIN detected for HSM slot ${appCfg.HSM_SLOT}`);
+                throw new Error("HSM: Incorrect HSM Pin detected. Please check the HSM configuration.");
+              }
+              if (error.code === pkcs11js.CKR_USER_ALREADY_LOGGED_IN) {
+                logger.warn("HSM: Session already logged in");
+              }
+            }
+            throw error; // Re-throw other errors
+          }
+        } catch (error) {
+          logger.warn(`HSM: Session creation failed. Retrying... Error: ${(error as Error)?.message}`);
+
+          if (sessionHandle !== null) {
+            try {
+              pkcs11.C_CloseSession(sessionHandle);
+            } catch (closeError) {
+              logger.error(closeError, "HSM: Failed to close session");
+            }
+            sessionHandle = null;
+          }
+
+          // Wait before retrying
+          // eslint-disable-next-line no-await-in-loop
+          await new Promise((resolve) => {
+            setTimeout(resolve, RETRY_INTERVAL);
+          });
+        }
+      }
+
+      if (sessionHandle === null) {
+        throw new Error("HSM: Failed to open session after maximum retries");
+      }
+
+      // Execute callback with session handle
+      const result = await callbackWithSession(sessionHandle);
+      removeSession();
+      return result;
+    } catch (error) {
+      logger.error(error, "HSM: Failed to open session");
+      throw error;
+    } finally {
+      // Ensure cleanup
+      removeSession();
+    }
+  };
+
+  const $findKey = (sessionHandle: pkcs11js.Handle, type: HsmKeyType) => {
+    const label = type === HsmKeyType.HMAC ? `${appCfg.HSM_KEY_LABEL}_HMAC` : appCfg.HSM_KEY_LABEL;
+    const keyType = type === HsmKeyType.HMAC ? pkcs11js.CKK_GENERIC_SECRET : pkcs11js.CKK_AES;
+
+    const template = [
+      { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+      { type: pkcs11js.CKA_KEY_TYPE, value: keyType },
+      { type: pkcs11js.CKA_LABEL, value: label }
+    ];
+
+    try {
+      // Initialize search
+      pkcs11.C_FindObjectsInit(sessionHandle, template);
+
+      try {
+        // Find first matching object
+        const handles = pkcs11.C_FindObjects(sessionHandle, 1);
+
+        if (handles.length === 0) {
+          throw new Error("Failed to find master key");
+        }
+
+        return handles[0]; // Return the key handle
+      } finally {
+        // Always finalize the search operation
+        pkcs11.C_FindObjectsFinal(sessionHandle);
+      }
+    } catch (error) {
+      return null;
+    }
+  };
+
+  const $keyExists = (session: pkcs11js.Handle, type: HsmKeyType): boolean => {
+    try {
+      const key = $findKey(session, type);
+      // items(0) will throw an error if no items are found
+      // Return true only if we got a valid object with handle
+      return !!key && key.length > 0;
+    } catch (error) {
+      // If items(0) throws, it means no key was found
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-call
+      logger.error(error, "HSM: Failed while checking for HSM key presence");
+
+      if (error instanceof pkcs11js.Pkcs11Error) {
+        if (error.code === pkcs11js.CKR_OBJECT_HANDLE_INVALID) {
+          return false;
+        }
+      }
+
+      return false;
+    }
+  };
+
+  const encrypt: {
+    (data: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
+    (data: Buffer): Promise<Buffer>;
+  } = async (data: Buffer, providedSession?: pkcs11js.Handle) => {
+    if (!pkcs11 || !isInitialized) {
+      throw new Error("PKCS#11 module is not initialized");
+    }
+
+    const $performEncryption = (sessionHandle: pkcs11js.Handle) => {
+      try {
+        const aesKey = $findKey(sessionHandle, HsmKeyType.AES);
+        if (!aesKey) {
+          throw new Error("HSM: Encryption failed, AES key not found");
+        }
+
+        const hmacKey = $findKey(sessionHandle, HsmKeyType.HMAC);
+        if (!hmacKey) {
+          throw new Error("HSM: Encryption failed, HMAC key not found");
+        }
+
+        const iv = Buffer.alloc(IV_LENGTH);
+        pkcs11.C_GenerateRandom(sessionHandle, iv);
+
+        const encryptMechanism = {
+          mechanism: pkcs11js.CKM_AES_CBC_PAD,
+          parameter: iv
+        };
+
+        pkcs11.C_EncryptInit(sessionHandle, encryptMechanism, aesKey);
+
+        // Calculate max buffer size (input length + potential full block of padding)
+        const maxEncryptedLength = Math.ceil(data.length / BLOCK_SIZE) * BLOCK_SIZE + BLOCK_SIZE;
+
+        // Encrypt the data - this returns the encrypted data directly
+        const encryptedData = pkcs11.C_Encrypt(sessionHandle, data, Buffer.alloc(maxEncryptedLength));
+
+        // Initialize HMAC
+        const hmacMechanism = {
+          mechanism: pkcs11js.CKM_SHA256_HMAC
+        };
+
+        pkcs11.C_SignInit(sessionHandle, hmacMechanism, hmacKey);
+
+        // Sign the IV and encrypted data
+        pkcs11.C_SignUpdate(sessionHandle, iv);
+        pkcs11.C_SignUpdate(sessionHandle, encryptedData);
+
+        // Get the HMAC
+        const hmac = Buffer.alloc(HMAC_SIZE);
+        pkcs11.C_SignFinal(sessionHandle, hmac);
+
+        // Combine encrypted data and HMAC [Encrypted Data | HMAC]
+        const finalBuffer = Buffer.alloc(encryptedData.length + hmac.length);
+        encryptedData.copy(finalBuffer);
+        hmac.copy(finalBuffer, encryptedData.length);
+
+        return Buffer.concat([iv, finalBuffer]);
+      } catch (error) {
+        logger.error(error, "HSM: Failed to perform encryption");
+        throw new Error(`HSM: Encryption failed: ${(error as Error)?.message}`);
+      }
+    };
+
+    if (providedSession) {
+      return $performEncryption(providedSession);
+    }
+
+    const result = await $withSession($performEncryption);
+    return result;
+  };
+
+  const decrypt: {
+    (encryptedBlob: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
+    (encryptedBlob: Buffer): Promise<Buffer>;
+  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle) => {
+    if (!pkcs11 || !isInitialized) {
+      throw new Error("PKCS#11 module is not initialized");
+    }
+
+    const $performDecryption = (sessionHandle: pkcs11js.Handle) => {
+      try {
+        // structure is: [IV (16 bytes) | Encrypted Data (N bytes) | HMAC (32 bytes)]
+        const iv = encryptedBlob.subarray(0, IV_LENGTH);
+        const encryptedDataWithHmac = encryptedBlob.subarray(IV_LENGTH);
+
+        // Split encrypted data and HMAC
+        const hmac = encryptedDataWithHmac.subarray(-HMAC_SIZE); // Last 32 bytes are HMAC
+
+        const encryptedData = encryptedDataWithHmac.subarray(0, -HMAC_SIZE); // Everything except last 32 bytes
+
+        // Find the keys
+        const aesKey = $findKey(sessionHandle, HsmKeyType.AES);
+        if (!aesKey) {
+          throw new Error("HSM: Decryption failed, AES key not found");
+        }
+
+        const hmacKey = $findKey(sessionHandle, HsmKeyType.HMAC);
+        if (!hmacKey) {
+          throw new Error("HSM: Decryption failed, HMAC key not found");
+        }
+
+        // Verify HMAC first
+        const hmacMechanism = {
+          mechanism: pkcs11js.CKM_SHA256_HMAC
+        };
+
+        pkcs11.C_VerifyInit(sessionHandle, hmacMechanism, hmacKey);
+        pkcs11.C_VerifyUpdate(sessionHandle, iv);
+        pkcs11.C_VerifyUpdate(sessionHandle, encryptedData);
+
+        try {
+          pkcs11.C_VerifyFinal(sessionHandle, hmac);
+        } catch (error) {
+          logger.error(error, "HSM: HMAC verification failed");
+          throw new Error("HSM: Decryption failed"); // Generic error for failed verification
+        }
+
+        // Only decrypt if verification passed
+        const decryptMechanism = {
+          mechanism: pkcs11js.CKM_AES_CBC_PAD,
+          parameter: iv
+        };
+
+        pkcs11.C_DecryptInit(sessionHandle, decryptMechanism, aesKey);
+
+        const tempBuffer = Buffer.alloc(encryptedData.length);
+        const decryptedData = pkcs11.C_Decrypt(sessionHandle, encryptedData, tempBuffer);
+
+        // Create a new buffer from the decrypted data
+        return Buffer.from(decryptedData);
+      } catch (error) {
+        logger.error(error, "HSM: Failed to perform decryption");
+        throw new Error("HSM: Decryption failed"); // Generic error for failed decryption, to avoid leaking details about why it failed (such as padding related errors)
+      }
+    };
+
+    if (providedSession) {
+      return $performDecryption(providedSession);
+    }
+
+    const result = await $withSession($performDecryption);
+    return result;
+  };
+
+  // We test the core functionality of the PKCS#11 module that we are using throughout Infisical. This is to ensure that the user doesn't configure a faulty or unsupported HSM device.
+  const $testPkcs11Module = async (session: pkcs11js.Handle) => {
+    try {
+      if (!pkcs11 || !isInitialized) {
+        throw new Error("PKCS#11 module is not initialized");
+      }
+
+      if (!session) {
+        throw new Error("HSM: Attempted to run test without a valid session");
+      }
+
+      const randomData = pkcs11.C_GenerateRandom(session, Buffer.alloc(500));
+
+      const encryptedData = await encrypt(randomData, session);
+      const decryptedData = await decrypt(encryptedData, session);
+
+      const randomDataHex = randomData.toString("hex");
+      const decryptedDataHex = decryptedData.toString("hex");
+
+      if (randomDataHex !== decryptedDataHex && Buffer.compare(randomData, decryptedData)) {
+        throw new Error("HSM: Startup test failed. Decrypted data does not match original data");
+      }
+
+      return true;
+    } catch (error) {
+      logger.error(error, "HSM: Error testing PKCS#11 module");
+      return false;
+    }
+  };
+
+  const isActive = async () => {
+    if (!isInitialized || !appCfg.isHsmConfigured) {
+      return false;
+    }
+
+    let pkcs11TestPassed = false;
+
+    try {
+      pkcs11TestPassed = await $withSession($testPkcs11Module);
+    } catch (err) {
+      logger.error(err, "HSM: Error testing PKCS#11 module");
+    }
+
+    return appCfg.isHsmConfigured && isInitialized && pkcs11TestPassed;
+  };
+
+  const startService = async () => {
+    if (!appCfg.isHsmConfigured || !pkcs11 || !isInitialized) return;
+
+    try {
+      await $withSession(async (sessionHandle) => {
+        // Check if master key exists, create if not
+
+        const genericAttributes = [
+          { type: pkcs11js.CKA_TOKEN, value: true }, // Persistent storage
+          { type: pkcs11js.CKA_EXTRACTABLE, value: false }, // Cannot be extracted
+          { type: pkcs11js.CKA_SENSITIVE, value: true }, // Sensitive value
+          { type: pkcs11js.CKA_PRIVATE, value: true } // Requires authentication
+        ];
+
+        if (!$keyExists(sessionHandle, HsmKeyType.AES)) {
+          // Template for generating 256-bit AES master key
+          const keyTemplate = [
+            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+            { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_AES },
+            { type: pkcs11js.CKA_VALUE_LEN, value: AES_KEY_SIZE / 8 },
+            { type: pkcs11js.CKA_LABEL, value: appCfg.HSM_KEY_LABEL! },
+            { type: pkcs11js.CKA_ENCRYPT, value: true }, // Allow encryption
+            { type: pkcs11js.CKA_DECRYPT, value: true }, // Allow decryption
+            ...genericAttributes
+          ];
+
+          // Generate the key
+          pkcs11.C_GenerateKey(
+            sessionHandle,
+            {
+              mechanism: pkcs11js.CKM_AES_KEY_GEN
+            },
+            keyTemplate
+          );
+
+          logger.info(`HSM: Master key created successfully with label: ${appCfg.HSM_KEY_LABEL}`);
+        }
+
+        // Check if HMAC key exists, create if not
+        if (!$keyExists(sessionHandle, HsmKeyType.HMAC)) {
+          const hmacKeyTemplate = [
+            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+            { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_GENERIC_SECRET },
+            { type: pkcs11js.CKA_VALUE_LEN, value: HMAC_KEY_SIZE / 8 }, // 256-bit key
+            { type: pkcs11js.CKA_LABEL, value: `${appCfg.HSM_KEY_LABEL!}_HMAC` },
+            { type: pkcs11js.CKA_SIGN, value: true }, // Allow signing
+            { type: pkcs11js.CKA_VERIFY, value: true }, // Allow verification
+            ...genericAttributes
+          ];
+
+          // Generate the HMAC key
+          pkcs11.C_GenerateKey(
+            sessionHandle,
+            {
+              mechanism: pkcs11js.CKM_GENERIC_SECRET_KEY_GEN
+            },
+            hmacKeyTemplate
+          );
+
+          logger.info(`HSM: HMAC key created successfully with label: ${appCfg.HSM_KEY_LABEL}_HMAC`);
+        }
+
+        // Get slot info to check supported mechanisms
+        const slotId = pkcs11.C_GetSessionInfo(sessionHandle).slotID;
+        const mechanisms = pkcs11.C_GetMechanismList(slotId);
+
+        // Check for AES CBC PAD support
+        const hasAesCbc = mechanisms.includes(pkcs11js.CKM_AES_CBC_PAD);
+
+        if (!hasAesCbc) {
+          throw new Error(`Required mechanism CKM_AEC_CBC_PAD not supported by HSM`);
+        }
+
+        // Run test encryption/decryption
+        const testPassed = await $testPkcs11Module(sessionHandle);
+
+        if (!testPassed) {
+          throw new Error("PKCS#11 module test failed. Please ensure that the HSM is correctly configured.");
+        }
+      });
+    } catch (error) {
+      logger.error(error, "HSM: Error initializing HSM service:");
+      throw error;
+    }
+  };
+
+  return {
+    encrypt,
+    startService,
+    isActive,
+    decrypt
+  };
+};

backend/src/ee/services/hsm/hsm-types.ts

@@ -0,0 +1,11 @@
+import pkcs11js from "pkcs11js";
+
+export type HsmModule = {
+  pkcs11: pkcs11js.PKCS11;
+  isInitialized: boolean;
+};
+
+export enum HsmKeyType {
+  AES = "AES",
+  HMAC = "hmac"
+}

backend/src/ee/services/license/license-fns.ts

@@ -29,6 +29,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   auditLogStreams: false,
   auditLogStreamLimit: 3,
   samlSSO: false,
+  hsm: false,
   oidcSSO: false,
   scim: false,
   ldap: false,

backend/src/ee/services/license/license-types.ts

@@ -46,6 +46,7 @@ export type TFeatureSet = {
   auditLogStreams: false;
   auditLogStreamLimit: 3;
   samlSSO: false;
+  hsm: false;
   oidcSSO: false;
   scim: false;
   ldap: false;

backend/src/lib/config/env.ts

@@ -163,10 +163,22 @@ const envSchema = z
     SSL_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default("x-ssl-client-cert"),
     WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string().optional()),
     WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
-    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true")
+    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true"),
+
+    // HSM
+    HSM_LIB_PATH: zpStr(z.string().optional()),
+    HSM_PIN: zpStr(z.string().optional()),
+    HSM_KEY_LABEL: zpStr(z.string().optional()),
+    HSM_SLOT: z.coerce.number().optional().default(0)
   })
+  // To ensure that basic encryption is always possible.
+  .refine(
+    (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
+    "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
+  )
   .transform((data) => ({
     ...data,
+
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
@@ -175,10 +187,14 @@ const envSchema = z
     isRedisConfigured: Boolean(data.REDIS_URL),
     isDevelopmentMode: data.NODE_ENV === "development",
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
+
     isSecretScanningConfigured:
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
+    isHsmConfigured:
+      Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
+
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));

backend/src/main.ts

@@ -1,6 +1,8 @@
 import dotenv from "dotenv";
 import path from "path";
 
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig, IS_PACKAGED } from "./lib/config/env";
@@ -53,13 +55,17 @@ const run = async () => {
   const queue = queueServiceFactory(appCfg.REDIS_URL);
   const keyStore = keyStoreFactory(appCfg.REDIS_URL);
 
-  const server = await main({ db, auditLogDb, smtp, logger, queue, keyStore });
+  const hsmModule = initializeHsmModule();
+  hsmModule.initialize();
+
+  const server = await main({ db, auditLogDb, hsmModule: hsmModule.getModule(), smtp, logger, queue, keyStore });
   const bootstrap = await bootstrapCheck({ db });
 
   // eslint-disable-next-line
   process.on("SIGINT", async () => {
     await server.close();
     await db.destroy();
+    hsmModule.finalize();
     process.exit(0);
   });
 
@@ -67,6 +73,7 @@ const run = async () => {
   process.on("SIGTERM", async () => {
     await server.close();
     await db.destroy();
+    hsmModule.finalize();
     process.exit(0);
   });
 

backend/src/server/app.ts

@@ -14,6 +14,7 @@ import fastify from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
 
+import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
@@ -36,16 +37,19 @@ type TMain = {
   logger?: Logger;
   queue: TQueueServiceFactory;
   keyStore: TKeyStoreFactory;
+  hsmModule: HsmModule;
 };
 
 // Run the server!
-export const main = async ({ db, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
+export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
   const appCfg = getConfig();
+
   const server = fastify({
     logger: appCfg.NODE_ENV === "test" ? false : logger,
     trustProxy: true,
-    connectionTimeout: 30 * 1000,
-    ignoreTrailingSlash: true
+    connectionTimeout: appCfg.isHsmConfigured ? 90_000 : 30_000,
+    ignoreTrailingSlash: true,
+    pluginTimeout: 40_000
   }).withTypeProvider<ZodTypeProvider>();
 
   server.setValidatorCompiler(validatorCompiler);
@@ -95,7 +99,7 @@ export const main = async ({ db, auditLogDb, smtp, logger, queue, keyStore }: TM
 
     await server.register(maintenanceMode);
 
-    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore });
+    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
 
     if (appCfg.isProductionMode) {
       await server.register(registerExternalNextjs, {

backend/src/server/routes/index.ts

@@ -1,5 +1,4 @@
 import { CronJob } from "cron";
-// import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -31,6 +30,8 @@ import { externalKmsServiceFactory } from "@app/ee/services/external-kms/externa
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
+import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
+import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
@@ -223,10 +224,18 @@ export const registerRoutes = async (
   {
     auditLogDb,
     db,
+    hsmModule,
     smtp: smtpService,
     queue: queueService,
     keyStore
-  }: { auditLogDb?: Knex; db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
+  }: {
+    auditLogDb?: Knex;
+    db: Knex;
+    hsmModule: HsmModule;
+    smtp: TSmtpService;
+    queue: TQueueServiceFactory;
+    keyStore: TKeyStoreFactory;
+  }
 ) => {
   const appCfg = getConfig();
   await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
@@ -352,14 +361,21 @@ export const registerRoutes = async (
     projectDAL
   });
   const licenseService = licenseServiceFactory({ permissionService, orgDAL, licenseDAL, keyStore });
+
+  const hsmService = hsmServiceFactory({
+    hsmModule
+  });
+
   const kmsService = kmsServiceFactory({
     kmsRootConfigDAL,
     keyStore,
     kmsDAL,
     internalKmsDAL,
     orgDAL,
-    projectDAL
+    projectDAL,
+    hsmService
   });
+
   const externalKmsService = externalKmsServiceFactory({
     kmsDAL,
     kmsService,
@@ -556,6 +572,7 @@ export const registerRoutes = async (
     userDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
+    kmsRootConfigDAL,
     orgService,
     keyStore,
     licenseService,
@@ -1261,10 +1278,13 @@ export const registerRoutes = async (
   });
 
   await superAdminService.initServerCfg();
-  //
+
   // setup the communication with license key server
   await licenseService.init();
 
+  // Start HSM service if it's configured/enabled.
+  await hsmService.startService();
+
   await telemetryQueue.startTelemetryCheck();
   await dailyResourceCleanUp.startCleanUp();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
@@ -1342,6 +1362,7 @@ export const registerRoutes = async (
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
     externalKms: externalKmsService,
+    hsm: hsmService,
     cmek: cmekService,
     orgAdmin: orgAdminService,
     slack: slackService,

backend/src/server/routes/v1/admin-router.ts

@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { LoginMethod } from "@app/services/super-admin/super-admin-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -195,6 +196,57 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/encryption-strategies",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          strategies: z
+            .object({
+              strategy: z.nativeEnum(RootKeyEncryptionStrategy),
+              enabled: z.boolean()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+
+    handler: async () => {
+      const encryptionDetails = await server.services.superAdmin.getConfiguredEncryptionStrategies();
+      return encryptionDetails;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/encryption-strategies",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        strategy: z.nativeEnum(RootKeyEncryptionStrategy)
+      })
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      await server.services.superAdmin.updateRootEncryptionStrategy(req.body.strategy);
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/signup",

backend/src/services/kms/kms-fns.ts

@@ -1,5 +1,7 @@
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 
+export const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
+
 export const getByteLengthForAlgorithm = (encryptionAlgorithm: SymmetricEncryption) => {
   switch (encryptionAlgorithm) {
     case SymmetricEncryption.AES_GCM_128:

backend/src/services/kms/kms-service.ts

@@ -2,13 +2,14 @@ import slugify from "@sindresorhus/slugify";
 import { Knex } from "knex";
 import { z } from "zod";
 
-import { KmsKeysSchema } from "@app/db/schemas";
+import { KmsKeysSchema, TKmsRootConfig } from "@app/db/schemas";
 import { AwsKmsProviderFactory } from "@app/ee/services/external-kms/providers/aws-kms";
 import {
   ExternalKmsAwsSchema,
   KmsProviders,
   TExternalKmsProviderFns
 } from "@app/ee/services/external-kms/providers/model";
+import { THsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { randomSecureBytes } from "@app/lib/crypto";
@@ -17,7 +18,7 @@ import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { getByteLengthForAlgorithm } from "@app/services/kms/kms-fns";
+import { getByteLengthForAlgorithm, KMS_ROOT_CONFIG_UUID } from "@app/services/kms/kms-fns";
 
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -27,6 +28,7 @@ import { TKmsRootConfigDALFactory } from "./kms-root-config-dal";
 import {
   KmsDataKey,
   KmsType,
+  RootKeyEncryptionStrategy,
   TDecryptWithKeyDTO,
   TDecryptWithKmsDTO,
   TEncryptionWithKeyDTO,
@@ -40,15 +42,14 @@ type TKmsServiceFactoryDep = {
   kmsDAL: TKmsKeyDALFactory;
   projectDAL: Pick<TProjectDALFactory, "findById" | "updateById" | "transaction">;
   orgDAL: Pick<TOrgDALFactory, "findById" | "updateById" | "transaction">;
-  kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create">;
+  kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create" | "updateById">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "waitTillReady" | "setItemWithExpiry">;
   internalKmsDAL: Pick<TInternalKmsDALFactory, "create">;
+  hsmService: THsmServiceFactory;
 };
 
 export type TKmsServiceFactory = ReturnType<typeof kmsServiceFactory>;
 
-const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-
 const KMS_ROOT_CREATION_WAIT_KEY = "wait_till_ready_kms_root_key";
 const KMS_ROOT_CREATION_WAIT_TIME = 10;
 
@@ -63,7 +64,8 @@ export const kmsServiceFactory = ({
   keyStore,
   internalKmsDAL,
   orgDAL,
-  projectDAL
+  projectDAL,
+  hsmService
 }: TKmsServiceFactoryDep) => {
   let ROOT_ENCRYPTION_KEY = Buffer.alloc(0);
 
@@ -610,6 +612,65 @@ export const kmsServiceFactory = ({
     }
   };
 
+  const $getBasicEncryptionKey = () => {
+    const appCfg = getConfig();
+
+    const encryptionKey = appCfg.ENCRYPTION_KEY || appCfg.ROOT_ENCRYPTION_KEY;
+    const isBase64 = !appCfg.ENCRYPTION_KEY;
+    if (!encryptionKey)
+      throw new Error(
+        "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"
+      );
+
+    const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
+
+    return encryptionKeyBuffer;
+  };
+
+  const $decryptRootKey = async (kmsRootConfig: TKmsRootConfig) => {
+    // case 1: root key is encrypted with HSM
+    if (kmsRootConfig.encryptionStrategy === RootKeyEncryptionStrategy.HSM) {
+      const hsmIsActive = await hsmService.isActive();
+      if (!hsmIsActive) {
+        throw new Error("Unable to decrypt root KMS key. HSM service is inactive. Did you configure the HSM?");
+      }
+
+      const decryptedKey = await hsmService.decrypt(kmsRootConfig.encryptedRootKey);
+      return decryptedKey;
+    }
+
+    // case 2: root key is encrypted with software encryption
+    if (kmsRootConfig.encryptionStrategy === RootKeyEncryptionStrategy.Software) {
+      const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+      const encryptionKeyBuffer = $getBasicEncryptionKey();
+
+      return cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
+    }
+
+    throw new Error(`Invalid root key encryption strategy: ${kmsRootConfig.encryptionStrategy}`);
+  };
+
+  const $encryptRootKey = async (plainKeyBuffer: Buffer, strategy: RootKeyEncryptionStrategy) => {
+    if (strategy === RootKeyEncryptionStrategy.HSM) {
+      const hsmIsActive = await hsmService.isActive();
+      if (!hsmIsActive) {
+        throw new Error("Unable to encrypt root KMS key. HSM service is inactive. Did you configure the HSM?");
+      }
+      const encrypted = await hsmService.encrypt(plainKeyBuffer);
+      return encrypted;
+    }
+
+    if (strategy === RootKeyEncryptionStrategy.Software) {
+      const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+      const encryptionKeyBuffer = $getBasicEncryptionKey();
+
+      return cipher.encrypt(plainKeyBuffer, encryptionKeyBuffer);
+    }
+
+    // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+    throw new Error(`Invalid root key encryption strategy: ${strategy}`);
+  };
+
   // by keeping the decrypted data key in inner scope
   // none of the entities outside can interact directly or expose the data key
   // NOTICE: If changing here update migrations/utils/kms
@@ -771,7 +832,6 @@ export const kmsServiceFactory = ({
         },
         tx
       );
-
       return kmsDAL.findByIdWithAssociatedKms(key.id, tx);
     });
 
@@ -794,14 +854,6 @@ export const kmsServiceFactory = ({
 
   // akhilmhdh: a copy of this is made in migrations/utils/kms
   const startService = async () => {
-    const appCfg = getConfig();
-    // This will switch to a seal process and HMS flow in future
-    const encryptionKey = appCfg.ENCRYPTION_KEY || appCfg.ROOT_ENCRYPTION_KEY;
-    // if root key its base64 encoded
-    const isBase64 = !appCfg.ENCRYPTION_KEY;
-    if (!encryptionKey) throw new Error("Root encryption key not found for KMS service.");
-    const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
     const lock = await keyStore.acquireLock([`KMS_ROOT_CFG_LOCK`], 3000, { retryCount: 3 }).catch(() => null);
     if (!lock) {
       await keyStore.waitTillReady({
@@ -813,31 +865,69 @@ export const kmsServiceFactory = ({
 
     // check if KMS root key was already generated and saved in DB
     const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+
+    // case 1: a root key already exists in the DB
     if (kmsRootConfig) {
       if (lock) await lock.release();
-      logger.info("KMS: Encrypted ROOT Key found from DB. Decrypting.");
-      const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-      // set the flag so that other instancen nodes can start
+      logger.info(`KMS: Encrypted ROOT Key found from DB. Decrypting. [strategy=${kmsRootConfig.encryptionStrategy}]`);
+
+      const decryptedRootKey = await $decryptRootKey(kmsRootConfig);
+
+      // set the flag so that other instance nodes can start
       await keyStore.setItemWithExpiry(KMS_ROOT_CREATION_WAIT_KEY, KMS_ROOT_CREATION_WAIT_TIME, "true");
       logger.info("KMS: Loading ROOT Key into Memory.");
       ROOT_ENCRYPTION_KEY = decryptedRootKey;
       return;
     }
 
-    logger.info("KMS: Generating ROOT Key");
+    // case 2: no config is found, so we create a new root key with basic encryption
+    logger.info("KMS: Generating new ROOT Key");
     const newRootKey = randomSecureBytes(32);
-    const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
-    // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
-    await kmsRootConfigDAL.create({ encryptedRootKey, id: KMS_ROOT_CONFIG_UUID });
+    const encryptedRootKey = await $encryptRootKey(newRootKey, RootKeyEncryptionStrategy.Software).catch((err) => {
+      logger.error({ hsmEnabled: hsmService.isActive() }, "KMS: Failed to encrypt ROOT Key");
+      throw err;
+    });
 
-    // set the flag so that other instancen nodes can start
+    await kmsRootConfigDAL.create({
+      // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
+      id: KMS_ROOT_CONFIG_UUID,
+      encryptedRootKey,
+      encryptionStrategy: RootKeyEncryptionStrategy.Software
+    });
+
+    // set the flag so that other instance nodes can start
     await keyStore.setItemWithExpiry(KMS_ROOT_CREATION_WAIT_KEY, KMS_ROOT_CREATION_WAIT_TIME, "true");
     logger.info("KMS: Saved and loaded ROOT Key into memory");
     if (lock) await lock.release();
     ROOT_ENCRYPTION_KEY = newRootKey;
   };
 
+  const updateEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
+    const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
+    if (!kmsRootConfig) {
+      throw new NotFoundError({ message: "KMS root config not found" });
+    }
+
+    if (kmsRootConfig.encryptionStrategy === strategy) {
+      return;
+    }
+
+    const decryptedRootKey = await $decryptRootKey(kmsRootConfig);
+    const encryptedRootKey = await $encryptRootKey(decryptedRootKey, strategy);
+
+    if (!encryptedRootKey) {
+      logger.error("KMS: Failed to re-encrypt ROOT Key with selected strategy");
+      throw new Error("Failed to re-encrypt ROOT Key with selected strategy");
+    }
+
+    await kmsRootConfigDAL.updateById(KMS_ROOT_CONFIG_UUID, {
+      encryptedRootKey,
+      encryptionStrategy: strategy
+    });
+
+    ROOT_ENCRYPTION_KEY = decryptedRootKey;
+  };
+
   return {
     startService,
     generateKmsKey,
@@ -849,6 +939,7 @@ export const kmsServiceFactory = ({
     encryptWithRootKey,
     decryptWithRootKey,
     getOrgKmsKeyId,
+    updateEncryptionStrategy,
     getProjectSecretManagerKmsKeyId,
     updateProjectSecretManagerKmsKey,
     getProjectKeyBackup,

backend/src/services/kms/kms-types.ts

@@ -56,3 +56,8 @@ export type TUpdateProjectSecretManagerKmsKeyDTO = {
   projectId: string;
   kms: { type: KmsType.Internal } | { type: KmsType.External; kmsId: string };
 };
+
+export enum RootKeyEncryptionStrategy {
+  Software = "SOFTWARE",
+  HSM = "HSM"
+}

backend/src/services/super-admin/super-admin-service.ts

@@ -10,7 +10,10 @@ import { BadRequestError, NotFoundError } from "@app/lib/errors";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
 import { AuthMethod } from "../auth/auth-type";
+import { KMS_ROOT_CONFIG_UUID } from "../kms/kms-fns";
+import { TKmsRootConfigDALFactory } from "../kms/kms-root-config-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
+import { RootKeyEncryptionStrategy } from "../kms/kms-types";
 import { TOrgServiceFactory } from "../org/org-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TSuperAdminDALFactory } from "./super-admin-dal";
@@ -20,7 +23,8 @@ type TSuperAdminServiceFactoryDep = {
   serverCfgDAL: TSuperAdminDALFactory;
   userDAL: TUserDALFactory;
   authService: Pick<TAuthLoginFactory, "generateUserTokens">;
-  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey">;
+  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey" | "updateEncryptionStrategy">;
+  kmsRootConfigDAL: TKmsRootConfigDALFactory;
   orgService: Pick<TOrgServiceFactory, "createOrganization">;
   keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">;
@@ -47,6 +51,7 @@ export const superAdminServiceFactory = ({
   authService,
   orgService,
   keyStore,
+  kmsRootConfigDAL,
   kmsService,
   licenseService
 }: TSuperAdminServiceFactoryDep) => {
@@ -288,12 +293,70 @@ export const superAdminServiceFactory = ({
     };
   };
 
+  const getConfiguredEncryptionStrategies = async () => {
+    const appCfg = getConfig();
+
+    const kmsRootCfg = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
+
+    if (!kmsRootCfg) {
+      throw new NotFoundError({ name: "KmsRootConfig", message: "KMS root configuration not found" });
+    }
+
+    const selectedStrategy = kmsRootCfg.encryptionStrategy;
+    const enabledStrategies: { enabled: boolean; strategy: RootKeyEncryptionStrategy }[] = [];
+
+    if (appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY) {
+      const basicStrategy = RootKeyEncryptionStrategy.Software;
+
+      enabledStrategies.push({
+        enabled: selectedStrategy === basicStrategy,
+        strategy: basicStrategy
+      });
+    }
+    if (appCfg.isHsmConfigured) {
+      const hsmStrategy = RootKeyEncryptionStrategy.HSM;
+
+      enabledStrategies.push({
+        enabled: selectedStrategy === hsmStrategy,
+        strategy: hsmStrategy
+      });
+    }
+
+    return {
+      strategies: enabledStrategies
+    };
+  };
+
+  const updateRootEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
+    if (!licenseService.onPremFeatures.hsm) {
+      throw new BadRequestError({
+        message: "Failed to update encryption strategy due to plan restriction. Upgrade to Infisical's Enterprise plan."
+      });
+    }
+
+    const configuredStrategies = await getConfiguredEncryptionStrategies();
+
+    const foundStrategy = configuredStrategies.strategies.find((s) => s.strategy === strategy);
+
+    if (!foundStrategy) {
+      throw new BadRequestError({ message: "Invalid encryption strategy" });
+    }
+
+    if (foundStrategy.enabled) {
+      throw new BadRequestError({ message: "The selected encryption strategy is already enabled" });
+    }
+
+    await kmsService.updateEncryptionStrategy(strategy);
+  };
+
   return {
     initServerCfg,
     updateServerCfg,
     adminSignUp,
     getUsers,
     deleteUser,
-    getAdminSlackConfig
+    getAdminSlackConfig,
+    updateRootEncryptionStrategy,
+    getConfiguredEncryptionStrategies
   };
 };

cli/packages/api/model.go

@@ -136,8 +136,8 @@ type GetOrganizationsResponse struct {
 }
 
 type SelectOrganizationResponse struct {
-	Token string `json:"token"`
-	MfaEnabled bool `json:"isMfaEnabled"`
+	Token      string `json:"token"`
+	MfaEnabled bool   `json:"isMfaEnabled"`
 }
 
 type SelectOrganizationRequest struct {

docs/documentation/platform/kms/hsm-integration.mdx

@@ -0,0 +1,262 @@
+---
+title: "HSM Integration"
+description: "Learn more about integrating an HSM with Infisical KMS."
+---
+
+<Note>
+  Changing the encryption strategy for your instance is an Enterprise-only feature.
+  This section is intended for users who have obtained an Enterprise license and are on-premise.
+
+
+  Please reach out to sales@infisical.com if you have any questions.
+</Note>
+
+## Overview
+
+Infisical KMS currently supports two encryption strategies:
+1. **Standard Encryption**: This is the default encryption strategy used by Infisical KMS. It uses a software-protected encryption key to encrypt KMS keys within your Infisical instance. The root encryption key is defined by setting the `ENCRYPTION_KEY` environment variable.
+2. **Hardware Security Module (HSM)**: This encryption strategy uses a Hardware Security Module (HSM) to create a root encryption key that is stored on a physical device to encrypt the KMS keys within your instance.
+
+## Hardware Security Module (HSM)
+
+![HSM Illustration](/images/platform/kms/hsm/hsm-illustration.png)
+
+Using a hardware security module comes with the added benefit of having a secure and tamper-proof device to store your encryption keys. This ensures that your data is protected from unauthorized access.
+
+<Warning>
+  All encryption keys used for cryptographic operations are stored within the HSM. This means that if the HSM is lost or destroyed, you will no longer be able to decrypt your data stored within Infisical. Most providers offer recovery options for HSM devices, which you should consider when setting up an HSM device.
+</Warning>
+
+Enabling HSM encryption has a set of key benefits:
+1. **Root Key Wrapping**: The root KMS encryption key that is used to secure your Infisical instance will be encrypted using the HSM device rather than the standard software-protected key.
+2. **FIPS 140-2/3 Compliance**: Using an HSM device ensures that your Infisical instance is FIPS 140-2 or FIPS 140-3 compliant. For FIPS 140-3, ensure that your HSM is FIPS 140-3 validated.
+
+#### Caveats
+- **Performance**: Using an HSM device can have a performance impact on your Infisical instance. This is due to the additional latency introduced by the HSM device. This is however only noticeable when your instance(s) start up or when the encryption strategy is changed.
+- **Key Recovery**: If the HSM device is lost or destroyed, you will no longer be able to decrypt your data stored within Infisical. Most HSM providers offer recovery options, which you should consider when setting up an HSM device.
+
+### Requirements
+- An Infisical instance with a version number that is equal to or greater than `v0.91.0`.
+- If you are using Docker, your instance must be using the `infisical/infisical-fips` image.
+- An HSM device from a provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), or others.
+
+
+### FIPS Compliance
+FIPS, also known as the Federal Information Processing Standard, is a set of standards that are used to accredit cryptographic modules. FIPS 140-2 and FIPS 140-3 are the two most common standards used for cryptographic modules. If your HSM uses FIPS 140-3 validated hardware, Infisical will automatically be FIPS 140-3 compliant. If your HSM uses FIPS 140-2 validated hardware, Infisical will be FIPS 140-2 compliant.
+
+HSM devices are especially useful for organizations that operate in regulated industries such as healthcare, finance, and government, where data security and compliance are of the utmost importance.
+
+For organizations that work with US government agencies, FIPS compliance is almost always a requirement when dealing with sensitive information. FIPS compliance ensures that the cryptographic modules used by the organization meet the security requirements set by the US government.
+
+## Setup Instructions
+
+
+<Steps>
+    <Step title="Setting up an HSM Device">
+        To set up HSM encryption, you need to configure an HSM provider and HSM key. The HSM provider is used to connect to the HSM device, and the HSM key is used to encrypt Infisical's KMS keys. We recommend using a Cloud HSM provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm) or [AWS CloudHSM](https://aws.amazon.com/cloudhsm/).
+
+        You need to follow the instructions provided by the HSM provider to set up the HSM device. Once the HSM device is set up, the HSM device can be used within Infisical.
+
+        After setting up the HSM from your provider, you will have a set of files that you can use to access the HSM. These files need to be present on the machine where Infisical is running.
+        If you are using containers, you will need to mount the folder where these files are stored as a volume in the container.
+
+        The setup process for an HSM device varies depending on the provider. We have created a guide for Thales Luna Cloud HSM, which you can find below.
+        
+    </Step>
+    <Step title="Configure HSM on Infisical">
+
+    <Warning>
+      Are you using Docker? If you are using Docker, please follow the instructions in the [Using HSM's with Docker](#using-hsms-with-docker) section.
+    </Warning>
+
+        Configuring the HSM on Infisical requires setting a set of environment variables:
+        - `HSM_LIB_PATH`: The path to the PKCS#11 library provided by the HSM provider. This usually comes in the form of a `.so` for Linux and MacOS, or a `.dll` file for Windows. For Docker, you need to mount the library path as a volume. Further instructions can be found below. If you are using Docker, make sure to set the HSM_LIB_PATH environment variable to the path where the library is mounted in the container.
+        - `HSM_PIN`: The PKCS#11 PIN to use for authentication with the HSM device.
+        - `HSM_SLOT`: The slot number to use for the HSM device. This is typically between `0` and `5` for most HSM devices.
+        - `HSM_KEY_LABEL`: The label of the key to use for encryption. **Please note that if no key is found with the provided label, the HSM will create a new key with the provided label.**
+
+        You can read more about the [default instance configurations](/self-hosting/configuration/envars) here.
+    </Step>
+    <Step title="Restart Instance">
+        After setting up the HSM, you need to restart the Infisical instance for the changes to take effect.
+    </Step>
+    <Step title="Navigate to the Server Admin Console">
+        ![Server Admin Console](/images/platform/kms/hsm/server-admin-console.png)
+    </Step>
+    <Step title="Update the KMS Encryption Strategy to HSM">
+        ![Set Encryption Strategy](/images/platform/kms/hsm/encryption-strategy.png)
+
+        Once you press the 'Save' button, your Infisical instance will immediately switch to the HSM encryption strategy. This will re-encrypt your KMS key with keys from the HSM device.
+    </Step>
+    <Step title="Verify Encryption Strategy">
+        To verify that the HSM was correctly configured, you can try creating a new secret in one of your projects. If the secret is created successfully, the HSM is now being used for encryption.
+    </Step>
+</Steps>
+
+
+## Using HSMs with Docker
+When using Docker, you need to mount the path containing the HSM client files. This section covers how to configure your Infisical instance to use an HSM with Docker.
+<Tabs>
+  <Tab title="Thales Luna Cloud HSM">
+    <Steps>
+      <Step title="Create HSM client folder">
+        When using Docker, you are able to set your HSM library path to any location on your machine. In this example, we are going to be using `/etc/luna-docker`.
+
+        ```bash
+          mkdir /etc/luna-docker
+        ```
+
+        After [setting up your Luna Cloud HSM client](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/install/client_install/add_dpod.htm), you should have a set of files, referred to as the HSM client. You don't need all the files, but for simplicity we recommend copying all the files from the client.
+
+        A folder structure of a client folder will often look like this:
+        ```
+        partition-ca-certificate.pem
+        partition-certificate.pem
+        server-certificate.pem
+        Chrystoki.conf
+        /plugins
+          libcloud.plugin
+        /lock
+        /libs
+          /64
+            libCryptoki2.so
+        /jsp
+          LunaProvider.jar
+          /64
+            libLunaAPI.so
+        /etc
+          openssl.cnf
+        /bin
+          /64
+            ckdemo
+            lunacm
+            multitoken
+            vtl
+        ```
+        
+        The most important parts of the client folder is the `Chrystoki.conf` file, and the `libs`, `plugins`, and `jsp` folders. You need to copy these files to the folder you created in the first step.
+
+        ```bash
+          cp -r /<path-to-where-your-luna-client-is-located> /etc/luna-docker
+        ```
+
+      </Step>
+
+      <Step title="Update Chrystoki.conf">
+        The `Chrystoki.conf` file is used to configure the HSM client. You need to update the `Chrystoki.conf` file to point to the correct file paths.
+
+        In this example, we will be mounting the `/etc/luna-docker` folder to the Docker container under a different path. The path we will use in this example is `/usr/safenet/lunaclient`. This means `/etc/luna-docker` will be mounted to `/usr/safenet/lunaclient` in the Docker container.
+
+        An example config file will look like this:
+
+        ```Chrystoki.conf
+            Chrystoki2 = {
+              # This path points to the mounted path, /usr/safenet/lunaclient
+              LibUNIX64 = /usr/safenet/lunaclient/libs/64/libCryptoki2.so;
+            }
+
+            Luna = {
+              DefaultTimeOut = 500000;
+              PEDTimeout1 = 100000;
+              PEDTimeout2 = 200000;
+              PEDTimeout3 = 20000;
+              KeypairGenTimeOut = 2700000;
+              CloningCommandTimeOut = 300000;
+              CommandTimeOutPedSet = 720000;
+            }
+
+            CardReader = {
+              LunaG5Slots = 0;
+              RemoteCommand = 1;
+            }
+
+            Misc = {
+              # Update the paths to point to the mounted path if your folder structure is different from the one mentioned in the previous step.
+              PluginModuleDir = /usr/safenet/lunaclient/plugins;
+              MutexFolder = /usr/safenet/lunaclient/lock;
+              PE1746Enabled = 1;
+              ToolsDir = /usr/bin;
+
+            }
+
+            Presentation = {
+              ShowEmptySlots = no;
+            }
+
+            LunaSA Client = {
+              ReceiveTimeout = 20000;
+              # Update the paths to point to the mounted path if your folder structure is different from the one mentioned in the previous step.
+              SSLConfigFile = /usr/safenet/lunaclient/etc/openssl.cnf;
+              ClientPrivKeyFile = ./etc/ClientNameKey.pem;
+              ClientCertFile = ./etc/ClientNameCert.pem;
+              ServerCAFile = ./etc/CAFile.pem;
+              NetClient = 1;
+              TCPKeepAlive = 1;
+            }
+
+
+            REST = {
+              AppLogLevel = error
+              ServerName = <REDACTED>;
+              ServerPort = 443;
+              AuthTokenConfigURI = <REDACTED>;
+              AuthTokenClientId = <REDACTED>;
+              AuthTokenClientSecret = <REDACTED>;
+              RestClient = 1;
+              ClientTimeoutSec = 120;
+              ClientPoolSize = 32;
+              ClientEofRetryCount = 15;
+              ClientConnectRetryCount = 900;
+              ClientConnectIntervalMs = 1000;
+            }
+            XTC = {
+              Enabled = 1;
+              TimeoutSec = 600;
+            }
+        ```
+
+        Save the file after updating the paths.
+      </Step>
+
+      <Step title="Run Docker">
+        Running Docker with HSM encryption requires setting the HSM-related environment variables as mentioned previously in the [HSM setup instructions](#setup-instructions). You can set these environment variables in your Docker run command.
+
+        We are setting the environment variables for Docker via the command line in this example, but you can also pass in a `.env` file to set these environment variables.
+
+        <Warning>
+          If no key is found with the provided key label, the HSM will create a new key with the provided label.
+          Infisical depends on an AES and HMAC key to be present in the HSM. If these keys are not present, Infisical will create them. The AES key label will be the value of the `HSM_KEY_LABEL` environment variable, and the HMAC key label will be the value of the `HSM_KEY_LABEL` environment variable with the suffix `_HMAC`.
+        </Warning>
+
+        ```bash
+        docker run -p 80:8080 \
+          -v /etc/luna-docker:/usr/safenet/lunaclient \
+          -e HSM_LIB_PATH="/usr/safenet/lunaclient/libs/64/libCryptoki2.so" \
+          -e HSM_PIN="<your-hsm-device-pin>" \
+          -e HSM_SLOT=<hsm-device-slot> \
+          -e HSM_KEY_LABEL="<your-key-label>" \
+        
+          # The rest are unrelated to HSM setup...
+          -e ENCRYPTION_KEY="<>" \
+          -e AUTH_SECRET="<>" \
+          -e DB_CONNECTION_URI="<>" \
+          -e REDIS_URL="<>" \
+          -e SITE_URL="<>" \
+          infisical/infisical-fips:<version> # Replace <version> with the version you want to use
+        ```
+
+        We recommend reading further about [using Infisical with Docker](/self-hosting/deployment-options/standalone-infisical).
+
+      </Step>
+    </Steps>
+    After following these steps, your Docker setup will be ready to use HSM encryption.
+  </Tab>
+</Tabs>
+
+## Disabling HSM Encryption
+
+To disable HSM encryption, navigate to Infisical's Server Admin Console and set the KMS encryption strategy to `Software-based Encryption`. This will revert the encryption strategy back to the default software-based encryption.
+
+<Note>
+  In order to disable HSM encryption, the Infisical instance must be able to access the HSM device. If the HSM device is no longer accessible, you will not be able to disable HSM encryption.
+</Note>

docs/documentation/platform/kms/overview.mdx

@@ -8,6 +8,10 @@ description: "Learn how to manage and use cryptographic keys with Infisical."
 
 Infisical can be used as a Key Management System (KMS), referred to as Infisical KMS, to centralize management of keys to be used for cryptographic operations like encryption/decryption.
 
+By default your Infisical data such as projects and the data within them are encrypted at rest using Infisical's own KMS. This ensures that your data is secure and protected from unauthorized access.
+
+If you are on-premise, your KMS root key will be created at random with the `ROOT_ENCRYPTION_KEY` environment variable. You can also use a Hardware Security Module (HSM), to create the root key. Read more about [HSM](/docs/documentation/platform/kms/encryption-strategies). 
+
 <Note>
   Keys managed in KMS are not extractable from the platform. Additionally, data
   is never stored when performing cryptographic operations.

docs/mint.json

@@ -118,6 +118,7 @@
           "group": "Key Management (KMS)",
           "pages": [
             "documentation/platform/kms/overview",
+            "documentation/platform/kms/hsm-integration",
             "documentation/platform/kms/kubernetes-encryption"
           ]
         },
@@ -291,7 +292,10 @@
         },
         {
           "group": "Reference architectures",
-          "pages": ["self-hosting/reference-architectures/aws-ecs"]
+          "pages": [
+            "self-hosting/reference-architectures/aws-ecs",
+            "self-hosting/reference-architectures/linux-deployment-ha"
+          ]
         },
         "self-hosting/ee",
         "self-hosting/faq"

docs/self-hosting/deployment-options/native/high-availability.mdx

@@ -1,520 +0,0 @@
----
-title: "Automatically deploy Infisical with High Availability"
-sidebarTitle: "High Availability"
----
-
-
-# Self-Hosting Infisical with a native High Availability (HA) deployment
-
-This page describes the Infisical architecture designed to provide high availability (HA) and how to deploy Infisical with high availability. The high availability deployment is designed to ensure that Infisical services are always available and can handle service failures gracefully, without causing service disruptions.
-
-<Info>
-  This deployment option is currently only available for Debian-based nodes (e.g., Ubuntu, Debian).
-  We plan on adding support for other operating systems in the future.
-</Info>
-
-## High availability architecture
-| Service                          | Nodes          | Configuration                | GCP           | AWS          |
-|----------------------------------|----------------|------------------------------|---------------|--------------|
-| External load balancer$^1$       | 1              | 4 vCPU, 3.6 GB memory        | n1-highcpu-4  | c5n.xlarge   |
-| Internal load balancer$^2$       | 1              | 4 vCPU, 3.6 GB memory        | n1-highcpu-4  | c5n.xlarge   |
-| Etcd cluster$^3$                 | 3              | 4 vCPU, 3.6 GB memory        | n1-highcpu-4  | c5n.xlarge   |
-| PostgreSQL$^4$                   | 3              | 2 vCPU, 7.5 GB memory        | n1-standard-2 | m5.large     |
-| Sentinel$^4$                     | 3              | 2 vCPU, 7.5 GB memory        | n1-standard-2 | m5.large     |
-| Redis$^4$                        | 3              | 2 vCPU, 7.5 GB memory        | n1-standard-2 | m5.large     |
-| Infisical Core                   | 3              | 8 vCPU, 7.2 GB memory        | n1-highcpu-8  | c5.2xlarge   |
-
-**Footnotes:**
-1. External load balancer: If you wish to have multiple instances of the internal load balancer, you will need to use an external load balancer to distribute incoming traffic across multiple internal load balancers.
-   Using multiple internal load balancers is recommended for high-traffic environments. In the following guide we will use a single internal load balancer, as external load balancing falls outside the scope of this guide.
-2. Internal load balancer: The internal load balancer (a HAProxy instance) is used to distribute incoming traffic across multiple Infisical Core instances, Postgres nodes, and Redis nodes. The internal load balancer exposes a set of ports _(80 for Infiscial, 5000 for Read/Write postgres, 5001 for Read-only postgres, and 6379 for Redis)_. Where these ports route to is determained by the internal load balancer based on the availability and health of the service nodes.
-   The internal load balancer is only accessible from within the same network, and is not exposed to the public internet.
-3. Etcd cluster: Etcd is a distributed key-value store used to store and distribute data between the PostgreSQL nodes. Etcd is dependent on high disk I/O performance, therefore it is highly recommended to use highly performant SSD disks for the Etcd nodes, with _at least_ 80GB of disk space.
-4. The Redis and PostgreSQL nodes will automatically be configured for high availability and used in your Infisical Core instances. However, you can optionally choose to bring your own database (BYOD), and skip these nodes. See more on how to [provide your own databases](#provide-your-own-databases).
-
-<Info>
- For all services that require multiple nodes, it is recommended to deploy them across multiple availability zones (AZs) to ensure high availability and fault tolerance. This will help prevent service disruptions in the event of an AZ failure.
-</Info>
-
-![High availability stack](../../images/self-hosting/deployment-options/native/ha-stack.png)
-The image above shows how a high availability deployment of Infisical is structured. In this example, an external load balancer is used to distribute incoming traffic across multiple internal load balancers. The internal load balancers. The external load balancer isn't required, and it will require additional configuration to set up.
-
-###  Fault Tolerance
-This setup provides N+1 redundancy, meaning it can tolerate the failure of any single node without service interruption.
-
-## Ansible
-### What is Ansible
-Ansible is an open-source automation tool that simplifies application deployment, configuration management, and task automation.
-At Infisical, we use Ansible to automate the deployment of Infisical services. The Ansible roles are designed to make it easy to deploy Infisical services in a high availability environment.
-
-### Installing Ansible
-<Steps>
-  <Step title="Install using the pipx Python package manager">
-    ```bash
-      pipx install --include-deps ansible
-    ```
-  </Step>
-  <Step title="Verify the installation">
-    ```bash
-      ansible --version
-    ```
-  </Step>
-</Steps>
-
-
-### Understanding Ansible Concepts
-
-* Inventory _(inventory.ini)_: A file that lists your target hosts.
-* Playbook _(playbook.yml)_: YAML file containing a set of tasks to be executed on hosts.
-* Roles: Reusable units of organization for playbooks. Roles are used to group tasks together in a structured and reusable manner.
-
-
-### Basic Ansible Commands
-Running a playbook with with an invetory file:
-```bash
-  ansible-playbook -i inventory.ini playbook.yml
-```
-
-This is how you would run the playbook containing the roles for setting up Infisical in a high availability environment.
-
-### Installing the Infisical High Availability Deployment Ansible Role
-The Infisical Ansible role is available on Ansible Galaxy. You can install the role by running the following command:
-```bash
-  ansible-galaxy collection install infisical.infisical_core_ha_deployment
-```
-
-
-## Set up components
-1. External load balancer (optional, and not covered in this guide)
-2. [Configure Etcd cluster](#configure-etcd-cluster)
-3. [Configure PostgreSQL database](#configure-postgresql-database)
-4. [Configure Redis/Sentinel](#configure-redis-and-sentinel)
-5. [Configure Infisical Core](#configure-infisical-core)
-
-
-The servers start on the same 52.1.0.0/24 private network range, and can connect to each other freely on these addresses.
-
-The following list includes descriptions of each server and its assigned IP:
-
-52.1.0.1:   External Load Balancer
-52.1.0.2:   Internal Load Balancer
-52.1.0.3:   Etcd 1
-52.1.0.4:   Etcd 2
-52.1.0.5:   Etcd 3
-52.1.0.6:   PostgreSQL 1
-52.1.0.7:   PostgreSQL 2
-52.1.0.8:   PostgreSQL 3
-52.1.0.9:   Redis 1
-52.1.0.10:  Redis 2
-52.1.0.11:  Redis 3
-52.1.0.12:  Sentinel 1
-52.1.0.13:  Sentinel 2
-52.1.0.14:  Sentinel 3
-52.1.0.15: Infisical Core 1
-52.1.0.16: Infisical Core 2
-52.1.0.17: Infisical Core 3
-
-
-
-### Configure Etcd cluster
-
-Configuring the ETCD cluster is the first step in setting up a high availability deployment of Infisical.
-The ETCD cluster is used to store and distribute data between the PostgreSQL nodes. The ETCD cluster is a distributed key-value store that is highly available and fault-tolerant.
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Set up etcd cluster
-    hosts: etcd
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: etcd
-```
-
-```ini example.inventory.ini
-  [etcd]
-  etcd1 ansible_host=52.1.0.3
-  etcd2 ansible_host=52.1.0.4
-  etcd3 ansible_host=52.1.0.5
-
-  [etcd:vars]
-  ansible_user=ubuntu
-  ansible_ssh_private_key_file=./ssh-key.pem
-  ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-```
-
-### Configure PostgreSQL database
-
-The Postgres role takes a set of parameters that are used to configure your PostgreSQL database.
-
-Make sure to set the following variables in your playbook.yml file:
-- `postgres_super_user_password`: The password for the 'postgres' database user.
-- `postgres_db_name`: The name of the database that will be created on the leader node and replicated to the secondary nodes.
-- `postgres_user`: The name of the user that will be created on the leader node and replicated to the secondary nodes.
-- `postgres_user_password`: The password for the user that will be created on the leader node and replicated to the secondary nodes.
-- `etcd_hosts`: The list of etcd hosts that the PostgreSQL nodes will use to communicate with etcd. By default you want to keep this value set to `"{{ groups['etcd'] }}"`
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Set up PostgreSQL with Patroni
-    hosts: postgres
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: postgres
-        vars:
-          postgres_super_user_password: "your-super-user-password"
-          postgres_user: infisical-user
-          postgres_user_password: "your-password"
-          postgres_db_name: infisical-db
-
-          etcd_hosts: "{{ groups['etcd'] }}"
-```
-
-```ini example.inventory.ini
-  [postgres]
-  postgres1 ansible_host=52.1.0.6
-  postgres2 ansible_host=52.1.0.7
-  postgres3 ansible_host=52.1.0.8
-```
-
-### Configure Redis and Sentinel
-
-The Redis role takes a single variable as input, which is the redis password.
-The Sentinel and Redis hosts will run the same role, therefore we are running the task for both the sentinel and redis hosts, `hosts: redis:sentinel`.
-
-- `redis_password`: The password that will be set for the Redis instance.
-  
-```yaml example.playbook.yml
-    - hosts: all
-      gather_facts: true
-  
-    - name: Setup Redis and Sentinel
-      hosts: redis:sentinel
-      become: true
-      collections:
-        - infisical.infisical_core_ha_deployment
-      roles:
-        - role: redis
-          vars:
-            redis_password: "REDIS_PASSWORD"
-```
-
-```ini example.inventory.ini
-    [redis]
-    redis1 ansible_host=52.1.0.9
-    redis2 ansible_host=52.1.0.10
-    redis3 ansible_host=52.1.0.11
-
-    [sentinel]
-    sentinel1 ansible_host=52.1.0.12
-    sentinel2 ansible_host=52.1.0.13
-    sentinel3 ansible_host=52.1.0.14
-```
-
-### Configure Internal Load Balancer
-
-The internal load balancer used is HAProxy. HAProxy will expose a set of ports as listed below. Each port will route to a different service based on the availability and health of the service nodes.
-
-- Port 80: Infisical Core
-- Port 5000: Read/Write PostgreSQL
-- Port 5001: Read-only PostgreSQL
-- Port 6379: Redis
-- Port 7000: HAProxy monitoring
-These ports will need to be exposed on your network to become accessible from the outside world.
-
-The HAProxy configuration file is generated by the Infisical Core role, and is located at `/etc/haproxy/haproxy.cfg` on your internal load balancer node.
-
-The HAProxy setup comes with a monitoring panel. You have to set the username/password combination for the monitoring panel by setting the `stats_user` and `stats_password` variables in the HAProxy role.
-
-
-Once the HAProxy role has fully executed, you can monitor your HA setup by navigating to `http://52.1.0.2:7000/haproxy?stats` in your browser.
-
-```ini example.inventory.ini
-[haproxy]
-internal_lb ansible_host=52.1.0.2
-```
-
-```yaml example.playbook.yml
-- name: Set up HAProxy
-  hosts: haproxy
-  become: true
-  collections:
-    - infisical.infisical_core_ha_deployment
-  roles:
-    - role: haproxy
-      vars:
-        stats_user: "stats-username"
-        stats_password: "stats-password!"
-
-        postgres_servers: "{{ groups['postgres'] }}"
-        infisical_servers: "{{ groups['infisical'] }}"
-        redis_servers: "{{ groups['redis'] }}"
-```
-
-
-
-### Configure Infisical Core
-
-The Infisical Core role will set up your actual Infisical instances.
-
-The `env_vars` variable is used to set the environment variables that Infisical will use. The minimum required environment variables are `ENCRYPTION_KEY` and `AUTH_SECRET`. You can find a list of all available environment variables [here](/docs/self-hosting/configuration/envars#general-platform).
-The `DB_CONNECTION_URI` and `REDIS_URL` variables will automatically be set if you're running the full playbook. However, you can choose to set them yourself, and skip the Postgres, etcd, redis/sentinel roles entirely.
-
-<Info>
- If you later need to add new environment varibles to your Infisical deployments, it's important you add the variables to **all** your Infisical nodes.<br/>
- You can find the environment file for Infisical at `/etc/infisical/environment`.<br/>
- After editing the environment file, you need to reload the Infisical service by doing `systemctl restart infisical`.
-</Info>
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Setup Infisical
-    hosts: infisical
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: infisical
-        env_vars:
-          ENCRYPTION_KEY: "YOUR_ENCRYPTION_KEY" # openssl rand -hex 16
-          AUTH_SECRET: "YOUR_AUTH_SECRET" # openssl rand -base64 32
-```
-
-```ini example.inventory.ini
-  [infisical]
-  infisical1 ansible_host=52.1.0.15
-  infisical2 ansible_host=52.1.0.16
-  infisical3 ansible_host=52.1.0.17
-```
-
-## Provide your own databases
-Bringing your own database is an option using the Infisical Core deployment role.
-By bringing your own database, you're able to skip the Etcd, Postgres, and Redis/Sentinel roles entirely.
-
-To bring your own database, you need to set the `DB_CONNECTION_URI` and `REDIS_URL` environment variables in the Infisical Core role.
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Setup Infisical
-    hosts: infisical
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: infisical
-        env_vars:
-          ENCRYPTION_KEY: "YOUR_ENCRYPTION_KEY" # openssl rand -hex 16
-          AUTH_SECRET: "YOUR_AUTH_SECRET" # openssl rand -base64 32
-          DB_CONNECTION_URI: "postgres://user:password@localhost:5432/infisical"
-          REDIS_URL: "redis://localhost:6379"
-```
-
-```ini example.inventory.ini
-  [infisical]
-  infisical1 ansible_host=52.1.0.15
-  infisical2 ansible_host=52.1.0.16
-  infisical3 ansible_host=52.1.0.17
-```
-
-## Full deployment example
-To make it easier to get started, we've provided a full deployment example that you can use to deploy Infisical in a high availability environment.
-
-- This deployment does not use an external load balancer.
-- You **must** change the environment variables defined in the `playbook.yml` example.
-- You have update the IP addresses in the `inventory.ini` file to match your own network configuration.
-- You need to set the SSH key and ssh user in the `inventory.ini` file.
-
-<Steps>
-  <Step title="Install Ansible">
-    Install Ansible using the pipx Python package manager.
-  ```bash
-    pipx install --include-deps ansible
-  ```
-
-  </Step>
-  <Step title="Install the Infisical deployment Ansible Role">
-    Install the Infisical deployment role from Ansible Galaxy.
-  ```bash
-    ansible-galaxy collection install infisical.infisical_core_ha_deployment
-  ```
-  </Step>
-  <Step title="Setup your hosts">
-
-    Create an `inventory.ini` file, and define your hosts and their IP addresses. You can use the example below as a template, and update the IP addresses to match your own network configuration.
-    Make sure to set the SSH key and ssh user in the `inventory.ini` file. Please see the example below.
-
-    ```ini example.inventory.ini
-      [etcd]
-      etcd1 ansible_host=52.1.0.3
-      etcd2 ansible_host=52.1.0.4
-      etcd3 ansible_host=52.1.0.5
-
-      [postgres]
-      postgres1 ansible_host=52.1.0.6
-      postgres2 ansible_host=52.1.0.7
-      postgres3 ansible_host=52.1.0.8
-
-      [infisical]
-      infisical1 ansible_host=52.1.0.15
-      infisical2 ansible_host=52.1.0.16
-      infisical3 ansible_host=52.1.0.17
-
-      [redis]
-      redis1 ansible_host=52.1.0.9
-      redis2 ansible_host=52.1.0.10
-      redis3 ansible_host=52.1.0.11
-
-      [sentinel]
-      sentinel1 ansible_host=52.1.0.12
-      sentinel2 ansible_host=52.1.0.13
-      sentinel3 ansible_host=52.1.0.14
-
-      [haproxy]
-      internal_lb ansible_host=52.1.0.2
-
-      ; This can be defined individually for each host, or globally for all hosts.
-      ; In this case the credentials are the same for all hosts, so we define them globally as seen below ([all:vars]).
-      [all:vars]
-      ansible_user=ubuntu
-      ansible_ssh_private_key_file=./your-ssh-key.pem
-      ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-    ```
-  </Step>
-  <Step title="Setup your Ansible playbook">
-    The Ansible playbook is where you define which roles/tasks to execute on which hosts.
-
-    ```yaml example.playbook.yml
-      ---
-      # Important, we must gather facts from all hosts prior to running the roles to ensure we have all the information we need.
-      - hosts: all
-        gather_facts: true
-
-      - name: Set up etcd cluster
-        hosts: etcd
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: etcd
-
-      - name: Set up PostgreSQL with Patroni
-        hosts: postgres
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: postgres
-            vars:
-              postgres_super_user_password: "<ENTER_SUPERUSER_PASSWORD>" # Password for the 'postgres' database user
-
-              # A database with these credentials will be created on the leader node, and replicated to the secondary nodes.
-              postgres_db_name: <ENTER_DB_NAME>
-              postgres_user: <ENTER_DB_USER>
-              postgres_user_password: <ENTER_DB_USER_PASSWORD>
-
-              etcd_hosts: "{{ groups['etcd'] }}"
-
-      - name: Setup Redis and Sentinel
-        hosts: redis:sentinel
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: redis
-            vars:
-              redis_password: "<ENTER_REDIS_PASSWORD>"
-
-      - name: Set up HAProxy
-        hosts: haproxy
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: haproxy
-            vars:
-              stats_user: "<ENTER_HAPROXY_STATS_USERNAME>"
-              stats_password: "<ENTER_HAPROXY_STATS_PASSWORD>"
-
-              postgres_servers: "{{ groups['postgres'] }}"
-              infisical_servers: "{{ groups['infisical'] }}"
-              redis_servers: "{{ groups['redis'] }}"
-      - name: Setup Infisical
-        hosts: infisical
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: infisical
-            env_vars:
-              ENCRYPTION_KEY: "YOUR_ENCRYPTION_KEY" # openssl rand -hex 16
-              AUTH_SECRET: "YOUR_AUTH_SECRET" # openssl rand -base64 32
-  ```
-  </Step>
-  <Step title="Run the Ansible playbook">
-    After creating the `playbook.yml` and `inventory.ini` files, you can run the playbook using the following command
-  ```bash
-      ansible-playbook -i inventory.ini playbook.yml
-  ```
-
-  This step may take upwards of 10 minutes to complete, depending on the number of nodes and the network speed.
-  Once the playbook has completed, you should have a fully deployed high availability Infisical environment.
-
-  To access Infisical, you can try navigating to `http://52.1.0.2`, in order to view your newly deployed Infisical instance.
-  </Step>
-</Steps>
-
-
-## Post-deployment steps
-After deploying Infisical in a high availability environment, you should perform the following post-deployment steps:
-- Check your deployment to ensure that all services are running as expected. You can use the HAProxy monitoring panel to check the status of your services (http://52.1.0.2:7000/haproxy?stats)
-- Attempt to access the Infisical Core instances to ensure that they are accessible from the internal load balancer. (http://52.1.0.2)
-
-A HAProxy stats page indicating success will look like the image below
-![HAProxy stats page](../../images/self-hosting/deployment-options/native/haproxy-stats.png)
-
-
-## Security Considerations
-### Network Security
-Secure the network that your instances run on. While this falls outside the scope of Infisical deployment, it's crucial for overall security.
-AWS-specific recommendations:
-
-Use Virtual Private Cloud (VPC) to isolate your infrastructure.
-Configure security groups to restrict inbound and outbound traffic.
-Use Network Access Control Lists (NACLs) for additional network-level security.
-
-<Note>
-  Please take note that the Infisical team cannot provide infrastructure support for **free self-hosted** deployments.<br/>If you need help with infrastructure, we recommend upgrading to a [paid plan](https://infisical.com/pricing) which includes infrastructure support.
-
-  You can also join our community [Slack](https://infisical.com/slack) for help and support from the community. 
-</Note>
-
-
-### Troubleshooting
-<Accordion title="Ansible: Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user">
-  If you encounter this issue, please update your ansible config (`ansible.cfg`) file with the following configuration:
-  ```ini
-    [defaults]
-    allow_world_readable_tmpfiles = true
-  ```
-
-  You can read more about the solution [here](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/sh_shell.html#parameter-world_readable_temp)
-</Accordion>
-
-<Accordion title="I'm unable to connect to access the Infisical instance on the web">
-  This issue can be caused by a number of reasons, mostly realted to  the network configuration. Here are a few things you can check:
-  1. Ensure that the firewall is not blocking the connection. You can check this by running `ufw status`. Ensure that port 80 is open.
-  2. If you're using a cloud provider like AWS or GCP, ensure that the security group allows traffic on port 80.
-  3. Ensure that the HAProxy service is running. You can check this by running `systemctl status haproxy`.
-  4. Ensure that the Infisical service is running. You can check this by running `systemctl status infisical`.
-</Accordion>

docs/self-hosting/reference-architectures/aws-ecs.mdx

@@ -1,5 +1,5 @@
 ---
-title: "AWS ECS"
+title: "AWS ECS (HA)"
 description: "Reference architecture for self-hosting Infisical on AWS ECS"
 ---
 

docs/self-hosting/reference-architectures/linux-deployment-ha.mdx

@@ -0,0 +1,383 @@
+---
+title: "Linux (HA)"
+description: "Infisical High Availability Deployment architecture for Linux"
+---
+
+This guide describes how to achieve a highly available deployment of Infisical on Linux machines without containerization. The architecture provided serves as a foundation for minimum high availability, which you can scale based on your specific requirements.
+
+## Architecture Overview
+
+![High availability stack](/images/self-hosting/deployment-options/native/ha-stack.png)
+
+The deployment consists of the following key components:
+
+| Service                    | Nodes | Recommended Specs         | GCP Instance    | AWS Instance |
+|---------------------------|-------|---------------------------|-----------------|--------------|
+| External Load Balancer    | 1     | 4 vCPU, 4 GB memory      | n1-highcpu-4   | c5n.xlarge   |
+| Internal Load Balancer    | 1     | 4 vCPU, 4 GB memory      | n1-highcpu-4   | c5n.xlarge   |
+| Etcd Cluster              | 3     | 4 vCPU, 4 GB memory      | n1-highcpu-4   | c5n.xlarge   |
+| PostgreSQL Cluster        | 3     | 2 vCPU, 8 GB memory      | n1-standard-2  | m5.large     |
+| Redis + Sentinel          | 3+3   | 2 vCPU, 8 GB memory      | n1-standard-2  | m5.large     |
+| Infisical Core           | 3     | 2 vCPU, 4 GB memory      |  n1-highcpu-2   | c5.large   |
+
+### Network Architecture
+
+All servers operate within the 52.1.0.0/24 private network range with the following IP assignments:
+
+| Service               | IP Address |
+|----------------------|------------|
+| External Load Balancer| 52.1.0.1   |
+| Internal Load Balancer| 52.1.0.2   |
+| Etcd Node 1          | 52.1.0.3   |
+| Etcd Node 2          | 52.1.0.4   |
+| Etcd Node 3          | 52.1.0.5   |
+| PostgreSQL Node 1     | 52.1.0.6   |
+| PostgreSQL Node 2     | 52.1.0.7   |
+| PostgreSQL Node 3     | 52.1.0.8   |
+| Redis Node 1         | 52.1.0.9   |
+| Redis Node 2         | 52.1.0.10  |
+| Redis Node 3         | 52.1.0.11  |
+| Sentinel Node 1      | 52.1.0.12  |
+| Sentinel Node 2      | 52.1.0.13  |
+| Sentinel Node 3      | 52.1.0.14  |
+| Infisical Core 1     | 52.1.0.15  |
+| Infisical Core 2     | 52.1.0.16  |
+| Infisical Core 3     | 52.1.0.17  |
+
+## Component Setup Guide
+
+### 1. Configure Etcd Cluster
+
+The Etcd cluster is needed for leader election in the PostgreSQL HA setup. Skip this step if using managed PostgreSQL.
+
+1. Install Etcd on each node:
+```bash
+sudo apt update
+sudo apt install etcd
+```
+
+2. Configure each node with unique identifiers and cluster membership. Example configuration for Node 1 (`/etc/etcd/etcd.conf`):
+```yaml
+name: etcd1
+data-dir: /var/lib/etcd
+initial-cluster-state: new
+initial-cluster-token: etcd-cluster-1
+initial-cluster: etcd1=http://52.1.0.3:2380,etcd2=http://52.1.0.4:2380,etcd3=http://52.1.0.5:2380
+initial-advertise-peer-urls: http://52.1.0.3:2380
+listen-peer-urls: http://52.1.0.3:2380
+listen-client-urls: http://52.1.0.3:2379,http://127.0.0.1:2379
+advertise-client-urls: http://52.1.0.3:2379
+```
+
+### 2. Configure PostgreSQL
+
+For production deployments, you have two options for highly available PostgreSQL:
+
+#### Option A: Managed PostgreSQL Service (Recommended for Most Users)
+
+Use cloud provider managed services:
+- AWS: Amazon RDS for PostgreSQL with Multi-AZ
+- GCP: Cloud SQL for PostgreSQL with HA configuration
+- Azure: Azure Database for PostgreSQL with zone redundant HA
+
+These services handle replication, failover, and maintenance automatically.
+
+#### Option B: Self-Managed PostgreSQL Cluster
+
+Full HA installation guide of PostgreSQL is beyond the scope of this document. However, we have provided an overview of resources and code snippets below to guide your deployment.
+
+1. Required Components:
+   - PostgreSQL 14+ on each node
+   - Patroni for cluster management
+   - Etcd for distributed consensus
+
+2. Documentation we recommend you read:
+   - [Complete Patroni Setup Guide](https://patroni.readthedocs.io/en/latest/README.html)
+   - [PostgreSQL Replication Documentation](https://www.postgresql.org/docs/current/high-availability.html)
+
+3. Key Steps Overview:
+```bash
+# 1. Install requirements on each PostgreSQL node
+sudo apt update
+sudo apt install -y postgresql-14 postgresql-contrib-14 python3-pip
+pip3 install patroni[etcd] psycopg2-binary
+
+# 2. Create Patroni config directory
+sudo mkdir /etc/patroni
+sudo chown postgres:postgres /etc/patroni
+
+# 3. Create Patroni configuration (example for first node)
+# /etc/patroni/config.yml - REQUIRES CAREFUL CUSTOMIZATION
+```
+
+```yaml
+scope: infisical-cluster
+namespace: /db/
+name: postgresql1
+
+restapi:
+  listen: 52.1.0.6:8008
+  connect_address: 52.1.0.6:8008
+
+etcd:
+  hosts: 52.1.0.3:2379,52.1.0.4:2379,52.1.0.5:2379
+
+bootstrap:
+  dcs:
+    ttl: 30
+    loop_wait: 10
+    retry_timeout: 10
+    maximum_lag_on_failover: 1048576
+    postgresql:
+      use_pg_rewind: true
+      parameters:
+        max_connections: 1000
+        shared_buffers: 2GB
+        work_mem: 8MB
+        max_worker_processes: 8
+        max_parallel_workers_per_gather: 4
+        max_parallel_workers: 8
+        wal_level: replica
+        hot_standby: "on"
+        max_wal_senders: 10
+        max_replication_slots: 10
+        hot_standby_feedback: "on"
+```
+
+4. Important considerations:
+   - Proper disk configuration for WAL and data directories
+   - Network latency between nodes
+   - Backup strategy and point-in-time recovery
+   - Monitoring and alerting setup
+   - Connection pooling configuration
+   - Security and network access controls
+
+5. Recommended readings:
+   - [PostgreSQL Backup and Recovery](https://www.postgresql.org/docs/current/backup.html)
+   - [PostgreSQL Monitoring](https://www.postgresql.org/docs/current/monitoring.html)
+
+### 3. Configure Redis and Sentinel
+
+Similar to PostgreSQL, a full HA Redis setup guide is beyond the scope of this document. Below are the key resources and considerations for your deployment.
+
+#### Option A: Managed Redis Service (Recommended for Most Users)
+
+Use cloud provider managed Redis services:
+- AWS: ElastiCache for Redis with Multi-AZ
+- GCP: Memorystore for Redis with HA
+- Azure: Azure Cache for Redis with zone redundancy
+
+Follow your cloud provider's documentation:
+- [AWS ElastiCache Documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html)
+- [GCP Memorystore Documentation](https://cloud.google.com/memorystore/docs/redis)
+- [Azure Redis Cache Documentation](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/)
+
+#### Option B: Self-Managed Redis Cluster
+
+Setting up a production Redis HA cluster requires understanding several components. Refer to these linked resources:
+
+1. Required Reading:
+   - [Redis Sentinel Documentation](https://redis.io/docs/management/sentinel/)
+   - [Redis Replication Guide](https://redis.io/topics/replication)
+   - [Redis Security Guide](https://redis.io/topics/security)
+
+2. Key Steps Overview:
+```bash
+# 1. Install Redis on all nodes
+sudo apt update
+sudo apt install redis-server
+
+# 2. Configure master node (52.1.0.9)
+# /etc/redis/redis.conf
+```
+
+```conf
+bind 52.1.0.9
+port 6379
+dir /var/lib/redis
+maxmemory 3gb
+maxmemory-policy noeviction
+requirepass "your_redis_password"
+masterauth "your_redis_password"
+```
+
+3. Configure replica nodes (`52.1.0.10`, `52.1.0.11`):
+```conf
+bind 52.1.0.10  # Change for each replica
+port 6379
+dir /var/lib/redis
+replicaof 52.1.0.9 6379
+masterauth "your_redis_password"
+requirepass "your_redis_password"
+```
+
+4. Configure Sentinel nodes (`52.1.0.12`, `52.1.0.13`, `52.1.0.14`):
+```conf
+port 26379
+sentinel monitor mymaster 52.1.0.9 6379 2
+sentinel auth-pass mymaster "your_redis_password"
+sentinel down-after-milliseconds mymaster 5000
+sentinel failover-timeout mymaster 60000
+sentinel parallel-syncs mymaster 1
+```
+
+5. Recommended Additional Reading:
+   - [Redis High Availability Tools](https://redis.io/topics/high-availability)
+   - [Redis Sentinel Client Implementation](https://redis.io/topics/sentinel-clients)
+
+### 4. Configure HAProxy Load Balancer
+
+Install and configure HAProxy for internal load balancing:
+
+```conf ha-proxy-config
+global
+    maxconn 10000
+    log stdout format raw local0
+
+defaults
+    log global
+    mode tcp
+    retries 3
+    timeout client 30m
+    timeout connect 10s
+    timeout server 30m
+    timeout check 5s
+
+listen stats
+    mode http
+    bind *:7000
+    stats enable
+    stats uri /
+
+resolvers hostdns
+    nameserver dns 127.0.0.11:53
+    resolve_retries 3
+    timeout resolve 1s
+    timeout retry 1s
+    hold valid 5s
+
+frontend postgres_master
+    bind *:5000
+    default_backend postgres_master_backend
+
+frontend postgres_replicas
+    bind *:5001
+    default_backend postgres_replica_backend
+
+backend postgres_master_backend
+    option httpchk GET /master
+    http-check expect status 200
+    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+    server postgres-1 52.1.0.6:5432 check port 8008
+    server postgres-2 52.1.0.7:5432 check port 8008
+    server postgres-3 52.1.0.8:5432 check port 8008
+
+backend postgres_replica_backend
+    option httpchk GET /replica
+    http-check expect status 200
+    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+    server postgres-1 52.1.0.6:5432 check port 8008
+    server postgres-2 52.1.0.7:5432 check port 8008
+    server postgres-3 52.1.0.8:5432 check port 8008
+
+frontend redis_master_frontend
+    bind *:6379
+    default_backend redis_master_backend
+
+backend redis_master_backend
+    option tcp-check
+    tcp-check send AUTH\ 123456\r\n
+    tcp-check expect string +OK
+    tcp-check send PING\r\n
+    tcp-check expect string +PONG
+    tcp-check send info\ replication\r\n
+    tcp-check expect string role:master
+    tcp-check send QUIT\r\n
+    tcp-check expect string +OK
+    server redis-1 52.1.0.9:6379 check inter 1s
+    server redis-2 52.1.0.10:6379 check inter 1s
+    server redis-3 52.1.0.11:6379 check inter 1s
+
+frontend infisical_frontend
+    bind *:80
+    default_backend infisical_backend
+
+backend infisical_backend
+    option httpchk GET /api/status
+    http-check expect status 200
+    server infisical-1 52.1.0.15:8080 check inter 1s
+    server infisical-2 52.1.0.16:8080 check inter 1s
+    server infisical-3 52.1.0.17:8080 check inter 1s
+```
+
+### 5. Deploy Infisical Core
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+    First, add the Infisical repository:
+    ```bash
+    curl -1sLf \
+    'https://dl.cloudsmith.io/public/infisical/infisical-core/setup.deb.sh' \
+    | sudo -E bash
+    ```
+
+    Then install Infisical:
+    ```bash
+    sudo apt-get update && sudo apt-get install -y infisical-core
+    ```
+
+    <Info>
+      For production environments, we strongly recommend installing a specific version of the package to maintain consistency across reinstalls. View available versions at [Infisical Package Versions](https://cloudsmith.io/~infisical/repos/infisical-core/packages/).
+    </Info>
+  </Tab>
+
+  <Tab title="RedHat/CentOS/Amazon Linux">
+    First, add the Infisical repository:
+    ```bash
+    curl -1sLf \
+    'https://dl.cloudsmith.io/public/infisical/infisical-core/setup.rpm.sh' \
+    | sudo -E bash
+    ```
+
+    Then install Infisical:
+    ```bash
+    sudo yum install infisical-core
+    ```
+
+    <Info>
+      For production environments, we strongly recommend installing a specific version of the package to maintain consistency across reinstalls. View available versions at [Infisical Package Versions](https://cloudsmith.io/~infisical/repos/infisical-core/packages/).
+    </Info>
+
+  </Tab>
+</Tabs>
+
+Next, create configuration file `/etc/infisical/infisical.rb` with the following:
+
+```ruby
+infisical_core['ENCRYPTION_KEY'] = 'your-secure-encryption-key'
+infisical_core['AUTH_SECRET'] = 'your-secure-auth-secret'
+
+infisical_core['DB_CONNECTION_URI'] = 'postgres://user:pass@52.1.0.2:5000/infisical'
+infisical_core['REDIS_URL'] = 'redis://52.1.0.2:6379'
+
+infisical_core['PORT'] = 8080
+```
+
+To generate `ENCRYPTION_KEY` and `AUTH_SECRET` view the [following configurations documentation here](/self-hosting/configuration/envars).
+
+If you are using managed services for either Postgres or Redis, please replace the values of the secrets accordingly.
+
+
+Lastly, start and verify each node running infisical-core:
+```bash
+sudo infisical-ctl reconfigure
+sudo infisical-ctl status
+```
+
+## Monitoring and Maintenance
+
+1. Monitor HAProxy stats: `http://52.1.0.2:7000/haproxy?stats`
+2. Monitor Infisical logs: `sudo infisical-ctl tail`
+3. Check cluster health:
+   - Etcd: `etcdctl cluster-health`
+   - PostgreSQL: `patronictl list`
+   - Redis: `redis-cli info replication`

frontend/package-lock.json

@@ -10736,9 +10736,9 @@
       "dev": true
     },
     "node_modules/body-parser": {
-      "version": "1.20.2",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
-      "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==",
+      "version": "1.20.3",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz",
+      "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==",
       "dev": true,
       "dependencies": {
         "bytes": "3.1.2",
@@ -10749,7 +10749,7 @@
         "http-errors": "2.0.0",
         "iconv-lite": "0.4.24",
         "on-finished": "2.4.1",
-        "qs": "6.11.0",
+        "qs": "6.13.0",
         "raw-body": "2.5.2",
         "type-is": "~1.6.18",
         "unpipe": "1.0.0"
@@ -10774,21 +10774,6 @@
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
       "dev": true
     },
-    "node_modules/body-parser/node_modules/qs": {
-      "version": "6.11.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
-      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
-      "dev": true,
-      "dependencies": {
-        "side-channel": "^1.0.4"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
     "node_modules/boolbase": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz",
@@ -11051,14 +11036,19 @@
       }
     },
     "node_modules/call-bind": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.5.tgz",
-      "integrity": "sha512-C3nQxfFZxFRVoJoGKKI8y3MOEo129NQ+FgQ08iye+Mk4zNZZGdjfs06bVTr+DBSlA66Q2VEcMki/cUCP4SercQ==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
+      "integrity": "sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==",
       "dev": true,
       "dependencies": {
+        "es-define-property": "^1.0.0",
+        "es-errors": "^1.3.0",
         "function-bind": "^1.1.2",
-        "get-intrinsic": "^1.2.1",
-        "set-function-length": "^1.1.1"
+        "get-intrinsic": "^1.2.4",
+        "set-function-length": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
@@ -11705,9 +11695,9 @@
       "integrity": "sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A=="
     },
     "node_modules/cookie": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
-      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+      "version": "0.7.1",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz",
+      "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==",
       "dev": true,
       "engines": {
         "node": ">= 0.6"
@@ -12416,17 +12406,20 @@
       }
     },
     "node_modules/define-data-property": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.1.tgz",
-      "integrity": "sha512-E7uGkTzkk1d0ByLeSc6ZsFS79Axg+m1P/VsgYsxHgiuc3tFSj+MjMIwe90FC4lOAZzNBdY7kkO2P2wKdsQ1vgQ==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.4.tgz",
+      "integrity": "sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A==",
       "dev": true,
       "dependencies": {
-        "get-intrinsic": "^1.2.1",
-        "gopd": "^1.0.1",
-        "has-property-descriptors": "^1.0.0"
+        "es-define-property": "^1.0.0",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.0.1"
       },
       "engines": {
         "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
       }
     },
     "node_modules/define-lazy-prop": {
@@ -13012,9 +13005,9 @@
       }
     },
     "node_modules/encodeurl": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
-      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
       "dev": true,
       "engines": {
         "node": ">= 0.8"
@@ -13173,6 +13166,27 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/es-define-property": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.0.tgz",
+      "integrity": "sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==",
+      "dev": true,
+      "dependencies": {
+        "get-intrinsic": "^1.2.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
     "node_modules/es-get-iterator": {
       "version": "1.1.3",
       "resolved": "https://registry.npmjs.org/es-get-iterator/-/es-get-iterator-1.1.3.tgz",
@@ -14105,37 +14119,37 @@
       }
     },
     "node_modules/express": {
-      "version": "4.19.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
-      "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==",
+      "version": "4.21.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
+      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
       "dev": true,
       "dependencies": {
         "accepts": "~1.3.8",
         "array-flatten": "1.1.1",
-        "body-parser": "1.20.2",
+        "body-parser": "1.20.3",
         "content-disposition": "0.5.4",
         "content-type": "~1.0.4",
-        "cookie": "0.6.0",
+        "cookie": "0.7.1",
         "cookie-signature": "1.0.6",
         "debug": "2.6.9",
         "depd": "2.0.0",
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "etag": "~1.8.1",
-        "finalhandler": "1.2.0",
+        "finalhandler": "1.3.1",
         "fresh": "0.5.2",
         "http-errors": "2.0.0",
-        "merge-descriptors": "1.0.1",
+        "merge-descriptors": "1.0.3",
         "methods": "~1.1.2",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.7",
+        "path-to-regexp": "0.1.10",
         "proxy-addr": "~2.0.7",
-        "qs": "6.11.0",
+        "qs": "6.13.0",
         "range-parser": "~1.2.1",
         "safe-buffer": "5.2.1",
-        "send": "0.18.0",
-        "serve-static": "1.15.0",
+        "send": "0.19.0",
+        "serve-static": "1.16.2",
         "setprototypeof": "1.2.0",
         "statuses": "2.0.1",
         "type-is": "~1.6.18",
@@ -14161,21 +14175,6 @@
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
       "dev": true
     },
-    "node_modules/express/node_modules/qs": {
-      "version": "6.11.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
-      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
-      "dev": true,
-      "dependencies": {
-        "side-channel": "^1.0.4"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
     "node_modules/extend": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
@@ -14445,13 +14444,13 @@
       }
     },
     "node_modules/finalhandler": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz",
-      "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==",
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz",
+      "integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==",
       "dev": true,
       "dependencies": {
         "debug": "2.6.9",
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
@@ -14945,16 +14944,20 @@
       }
     },
     "node_modules/get-intrinsic": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.2.tgz",
-      "integrity": "sha512-0gSo4ml/0j98Y3lngkFEot/zhiCeWsbYIlZ+uZOVgzLyLaUw7wxUL+nCTP0XJvJg1AXulJRI3UJi8GsbDuxdGA==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz",
+      "integrity": "sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==",
       "dev": true,
       "dependencies": {
+        "es-errors": "^1.3.0",
         "function-bind": "^1.1.2",
         "has-proto": "^1.0.1",
         "has-symbols": "^1.0.3",
         "hasown": "^2.0.0"
       },
+      "engines": {
+        "node": ">= 0.4"
+      },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
       }
@@ -15376,12 +15379,12 @@
       }
     },
     "node_modules/has-property-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.1.tgz",
-      "integrity": "sha512-VsX8eaIewvas0xnvinAe9bw4WfIeODpGYikiWYLH+dma0Jw6KHYqWiWfhQlgOVK8D6PvjubK5Uc4P0iIhIcNVg==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz",
+      "integrity": "sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg==",
       "dev": true,
       "dependencies": {
-        "get-intrinsic": "^1.2.2"
+        "es-define-property": "^1.0.0"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
@@ -17733,10 +17736,13 @@
       }
     },
     "node_modules/merge-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
-      "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==",
-      "dev": true
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
     },
     "node_modules/merge-stream": {
       "version": "2.0.0",
@@ -19493,9 +19499,9 @@
       }
     },
     "node_modules/path-to-regexp": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
-      "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==",
+      "version": "0.1.10",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
       "dev": true
     },
     "node_modules/path-type": {
@@ -20545,12 +20551,12 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.11.2",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.2.tgz",
-      "integrity": "sha512-tDNIz22aBzCDxLtVH++VnTfzxlfeK5CbqohpSqpJgj1Wg/cQbStNAz3NuqCs5vV+pjBsK4x4pN9HlVh7rcYRiA==",
+      "version": "6.13.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
+      "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==",
       "dev": true,
       "dependencies": {
-        "side-channel": "^1.0.4"
+        "side-channel": "^1.0.6"
       },
       "engines": {
         "node": ">=0.6"
@@ -22237,9 +22243,9 @@
       }
     },
     "node_modules/send": {
-      "version": "0.18.0",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
-      "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==",
+      "version": "0.19.0",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz",
+      "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==",
       "dev": true,
       "dependencies": {
         "debug": "2.6.9",
@@ -22275,6 +22281,15 @@
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
       "dev": true
     },
+    "node_modules/send/node_modules/encodeurl": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
+      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/serialize-javascript": {
       "version": "6.0.2",
       "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz",
@@ -22285,15 +22300,15 @@
       }
     },
     "node_modules/serve-static": {
-      "version": "1.15.0",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz",
-      "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==",
+      "version": "1.16.2",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz",
+      "integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==",
       "dev": true,
       "dependencies": {
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "parseurl": "~1.3.3",
-        "send": "0.18.0"
+        "send": "0.19.0"
       },
       "engines": {
         "node": ">= 0.8.0"
@@ -22305,16 +22320,17 @@
       "integrity": "sha512-RVnVQxTXuerk653XfuliOxBP81Sf0+qfQE73LIYKcyMYHG94AuH0kgrQpRDuTZnSmjpysHmzxJXKNfa6PjFhyQ=="
     },
     "node_modules/set-function-length": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.0.tgz",
-      "integrity": "sha512-4DBHDoyHlM1IRPGYcoxexgh67y4ueR53FKV1yyxwFMY7aCqcN/38M1+SwZ/qJQ8iLv7+ck385ot4CcisOAPT9w==",
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz",
+      "integrity": "sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==",
       "dev": true,
       "dependencies": {
-        "define-data-property": "^1.1.1",
+        "define-data-property": "^1.1.4",
+        "es-errors": "^1.3.0",
         "function-bind": "^1.1.2",
-        "get-intrinsic": "^1.2.2",
+        "get-intrinsic": "^1.2.4",
         "gopd": "^1.0.1",
-        "has-property-descriptors": "^1.0.1"
+        "has-property-descriptors": "^1.0.2"
       },
       "engines": {
         "node": ">= 0.4"
@@ -22466,14 +22482,18 @@
       }
     },
     "node_modules/side-channel": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz",
-      "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==",
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz",
+      "integrity": "sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==",
       "dev": true,
       "dependencies": {
-        "call-bind": "^1.0.0",
-        "get-intrinsic": "^1.0.2",
-        "object-inspect": "^1.9.0"
+        "call-bind": "^1.0.7",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.4",
+        "object-inspect": "^1.13.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"

frontend/src/hooks/api/admin/index.ts

@@ -2,6 +2,12 @@ export {
   useAdminDeleteUser,
   useCreateAdminUser,
   useUpdateAdminSlackConfig,
-  useUpdateServerConfig
+  useUpdateServerConfig,
+  useUpdateServerEncryptionStrategy
 } from "./mutation";
-export { useAdminGetUsers, useGetAdminSlackConfig, useGetServerConfig } from "./queries";
+export {
+  useAdminGetUsers,
+  useGetAdminSlackConfig,
+  useGetServerConfig,
+  useGetServerRootKmsEncryptionDetails
+} from "./queries";

frontend/src/hooks/api/admin/mutation.ts

@@ -7,6 +7,7 @@ import { User } from "../users/types";
 import { adminQueryKeys, adminStandaloneKeys } from "./queries";
 import {
   AdminSlackConfig,
+  RootKeyEncryptionStrategy,
   TCreateAdminUserDTO,
   TServerConfig,
   TUpdateAdminSlackConfigDTO
@@ -85,3 +86,15 @@ export const useUpdateAdminSlackConfig = () => {
     }
   });
 };
+
+export const useUpdateServerEncryptionStrategy = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async (strategy: RootKeyEncryptionStrategy) => {
+      await apiRequest.patch("/api/v1/admin/encryption-strategies", { strategy });
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(adminQueryKeys.getServerEncryptionStrategies());
+    }
+  });
+};

frontend/src/hooks/api/admin/queries.ts

@@ -3,7 +3,12 @@ import { useInfiniteQuery, useQuery, UseQueryOptions } from "@tanstack/react-que
 import { apiRequest } from "@app/config/request";
 
 import { User } from "../types";
-import { AdminGetUsersFilters, AdminSlackConfig, TServerConfig } from "./types";
+import {
+  AdminGetUsersFilters,
+  AdminSlackConfig,
+  TGetServerRootKmsEncryptionDetails,
+  TServerConfig
+} from "./types";
 
 export const adminStandaloneKeys = {
   getUsers: "get-users"
@@ -12,7 +17,8 @@ export const adminStandaloneKeys = {
 export const adminQueryKeys = {
   serverConfig: () => ["server-config"] as const,
   getUsers: (filters: AdminGetUsersFilters) => [adminStandaloneKeys.getUsers, { filters }] as const,
-  getAdminSlackConfig: () => ["admin-slack-config"] as const
+  getAdminSlackConfig: () => ["admin-slack-config"] as const,
+  getServerEncryptionStrategies: () => ["server-encryption-strategies"] as const
 };
 
 const fetchServerConfig = async () => {
@@ -61,8 +67,8 @@ export const useAdminGetUsers = (filters: AdminGetUsersFilters) => {
   });
 };
 
-export const useGetAdminSlackConfig = () =>
-  useQuery({
+export const useGetAdminSlackConfig = () => {
+  return useQuery({
     queryKey: adminQueryKeys.getAdminSlackConfig(),
     queryFn: async () => {
       const { data } = await apiRequest.get<AdminSlackConfig>(
@@ -72,3 +78,17 @@ export const useGetAdminSlackConfig = () =>
       return data;
     }
   });
+};
+
+export const useGetServerRootKmsEncryptionDetails = () => {
+  return useQuery({
+    queryKey: adminQueryKeys.getServerEncryptionStrategies(),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TGetServerRootKmsEncryptionDetails>(
+        "/api/v1/admin/encryption-strategies"
+      );
+
+      return data;
+    }
+  });
+};

frontend/src/hooks/api/admin/types.ts

@@ -54,3 +54,15 @@ export type AdminSlackConfig = {
   clientId: string;
   clientSecret: string;
 };
+
+export type TGetServerRootKmsEncryptionDetails = {
+  strategies: {
+    strategy: RootKeyEncryptionStrategy;
+    enabled: boolean;
+  }[];
+};
+
+export enum RootKeyEncryptionStrategy {
+  Software = "SOFTWARE",
+  HSM = "HSM"
+}

frontend/src/hooks/api/subscriptions/types.ts

@@ -23,6 +23,7 @@ export type SubscriptionPlan = {
   workspacesUsed: number;
   environmentLimit: number;
   samlSSO: boolean;
+  hsm: boolean;
   oidcSSO: boolean;
   scim: boolean;
   ldap: boolean;

frontend/src/views/admin/DashboardPage/DashboardPage.tsx

@@ -22,15 +22,21 @@ import {
   Tabs
 } from "@app/components/v2";
 import { useOrganization, useServerConfig, useUser } from "@app/context";
-import { useGetOrganizations, useUpdateServerConfig } from "@app/hooks/api";
+import {
+  useGetOrganizations,
+  useGetServerRootKmsEncryptionDetails,
+  useUpdateServerConfig
+} from "@app/hooks/api";
 
 import { AuthPanel } from "./AuthPanel";
+import { EncryptionPanel } from "./EncryptionPanel";
 import { IntegrationPanel } from "./IntegrationPanel";
 import { RateLimitPanel } from "./RateLimitPanel";
 import { UserPanel } from "./UserPanel";
 
 enum TabSections {
   Settings = "settings",
+  Encryption = "encryption",
   Auth = "auth",
   RateLimit = "rate-limit",
   Integrations = "integrations",
@@ -55,6 +61,7 @@ type TDashboardForm = z.infer<typeof formSchema>;
 export const AdminDashboardPage = () => {
   const router = useRouter();
   const data = useServerConfig();
+  const { data: serverRootKmsDetails } = useGetServerRootKmsEncryptionDetails();
   const { config } = data;
 
   const {
@@ -137,6 +144,7 @@ export const AdminDashboardPage = () => {
             <TabList>
               <div className="flex w-full flex-row border-b border-mineshaft-600">
                 <Tab value={TabSections.Settings}>General</Tab>
+                <Tab value={TabSections.Encryption}>Encryption</Tab>
                 <Tab value={TabSections.Auth}>Authentication</Tab>
                 <Tab value={TabSections.RateLimit}>Rate Limit</Tab>
                 <Tab value={TabSections.Integrations}>Integrations</Tab>
@@ -321,6 +329,9 @@ export const AdminDashboardPage = () => {
                 </Button>
               </form>
             </TabPanel>
+            <TabPanel value={TabSections.Encryption}>
+              <EncryptionPanel rootKmsDetails={serverRootKmsDetails} />
+            </TabPanel>
             <TabPanel value={TabSections.Auth}>
               <AuthPanel />
             </TabPanel>

frontend/src/views/admin/DashboardPage/EncryptionPanel.tsx

@@ -0,0 +1,137 @@
+import { useCallback } from "react";
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, Select, SelectItem, UpgradePlanModal } from "@app/components/v2";
+import { useSubscription } from "@app/context";
+import { usePopUp } from "@app/hooks";
+import { useUpdateServerEncryptionStrategy } from "@app/hooks/api";
+import {
+  RootKeyEncryptionStrategy,
+  TGetServerRootKmsEncryptionDetails
+} from "@app/hooks/api/admin/types";
+
+const formSchema = z.object({
+  encryptionStrategy: z.nativeEnum(RootKeyEncryptionStrategy)
+});
+
+const strategies: Record<RootKeyEncryptionStrategy, string> = {
+  [RootKeyEncryptionStrategy.Software]: "Software-based Encryption",
+  [RootKeyEncryptionStrategy.HSM]: "Hardware Security Module (HSM)"
+};
+
+type TForm = z.infer<typeof formSchema>;
+
+type Props = {
+  rootKmsDetails?: TGetServerRootKmsEncryptionDetails;
+};
+
+export const EncryptionPanel = ({ rootKmsDetails }: Props) => {
+  const { mutateAsync: updateEncryptionStrategy } = useUpdateServerEncryptionStrategy();
+  const { subscription } = useSubscription();
+
+  const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["upgradePlan"] as const);
+
+  const {
+    control,
+    handleSubmit,
+    formState: { isSubmitting, isDirty }
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      encryptionStrategy:
+        rootKmsDetails?.strategies?.find((s) => s.enabled)?.strategy ??
+        RootKeyEncryptionStrategy.Software
+    }
+  });
+
+  const onSubmit = useCallback(async (formData: TForm) => {
+    if (!subscription) return;
+
+    if (!subscription.hsm) {
+      handlePopUpOpen("upgradePlan", {
+        description: "Hardware Security Module's (HSM's), are only available on Enterprise plans."
+      });
+      return;
+    }
+
+    try {
+      await updateEncryptionStrategy(formData.encryptionStrategy);
+
+      createNotification({
+        type: "success",
+        text: "Encryption strategy updated successfully"
+      });
+    } catch {
+      createNotification({
+        type: "error",
+        text: "Failed to update encryption strategy"
+      });
+    }
+  }, []);
+
+  return (
+    <>
+      <form
+        className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
+        onSubmit={handleSubmit(onSubmit)}
+      >
+        <div className="flex flex-col justify-start">
+          <div className="flex w-full justify-between">
+            <div className="mb-2 text-xl font-semibold text-mineshaft-100">
+              KMS Encryption Strategy
+            </div>
+          </div>
+          <div className="mb-4 max-w-sm text-sm text-mineshaft-400">
+            Select which type of encryption strategy you want to use for your KMS root key. HSM is
+            supported on Enterprise plans.
+          </div>
+
+          {!!rootKmsDetails && (
+            <Controller
+              control={control}
+              name="encryptionStrategy"
+              render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                <FormControl
+                  className="max-w-sm"
+                  errorText={error?.message}
+                  isError={Boolean(error)}
+                >
+                  <Select
+                    className="w-full bg-mineshaft-700"
+                    dropdownContainerClassName="bg-mineshaft-800"
+                    defaultValue={field.value}
+                    onValueChange={(e) => onChange(e)}
+                    {...field}
+                  >
+                    {rootKmsDetails.strategies?.map((strategy) => (
+                      <SelectItem key={strategy.strategy} value={strategy.strategy}>
+                        {strategies[strategy.strategy]}
+                      </SelectItem>
+                    ))}
+                  </Select>
+                </FormControl>
+              )}
+            />
+          )}
+        </div>
+
+        <Button
+          className="mt-2"
+          type="submit"
+          isLoading={isSubmitting}
+          isDisabled={isSubmitting || !isDirty}
+        >
+          Save
+        </Button>
+      </form>
+      <UpgradePlanModal
+        isOpen={popUp.upgradePlan.isOpen}
+        onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+        text={(popUp.upgradePlan?.data as { description: string })?.description}
+      />
+    </>
+  );
+};

package-lock.json

@@ -7,7 +7,8 @@
 			"name": "infisical",
 			"license": "ISC",
 			"dependencies": {
-				"@radix-ui/react-radio-group": "^1.1.3"
+				"@radix-ui/react-radio-group": "^1.1.3",
+				"secrets.js-grempe": "^2.0.0"
 			},
 			"devDependencies": {
 				"@types/uuid": "^9.0.7",
@@ -1392,6 +1393,12 @@
 				"loose-envify": "^1.1.0"
 			}
 		},
+		"node_modules/secrets.js-grempe": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/secrets.js-grempe/-/secrets.js-grempe-2.0.0.tgz",
+			"integrity": "sha512-4xkOIaDAg998dTFXZUJTOoVbdLHfB818SMeLJ69ABccgGEKokxsoRFupAFfAImloUSKv4QUGNMgKVbKMf6z0Ug==",
+			"license": "MIT"
+		},
 		"node_modules/shebang-command": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@@ -2457,6 +2464,11 @@
 				"loose-envify": "^1.1.0"
 			}
 		},
+		"secrets.js-grempe": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/secrets.js-grempe/-/secrets.js-grempe-2.0.0.tgz",
+			"integrity": "sha512-4xkOIaDAg998dTFXZUJTOoVbdLHfB818SMeLJ69ABccgGEKokxsoRFupAFfAImloUSKv4QUGNMgKVbKMf6z0Ug=="
+		},
 		"shebang-command": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",

package.json

@@ -24,6 +24,7 @@
 		"husky": "^8.0.3"
 	},
 	"dependencies": {
-		"@radix-ui/react-radio-group": "^1.1.3"
+		"@radix-ui/react-radio-group": "^1.1.3",
+		"secrets.js-grempe": "^2.0.0"
 	}
 }