For the basic docker run command and first-time setup, see Installation. This page covers Docker-specific configuration, Compose, and image details.
Build from source
This runs a multi-stage build:
node:22-alpine — builds the React/Vite frontend
golang:1.25-alpine — compiles the Go binary with the embedded frontend
alpine:3.21 — minimal runtime image
The final image runs as non-root user agentvault (UID 65532) and includes a built-in health check at GET /health.
Configuration
Pass the master password via environment variable to wrap the data encryption key (DEK):
docker run -it -p 14321:14321 \
  -v agent-vault-data:/data \
  -e AGENT_VAULT_MASTER_PASSWORD=your-password \
  -e AGENT_VAULT_ADDR=https://agent-vault.example.com \
  infisical/agent-vault
Omit AGENT_VAULT_MASTER_PASSWORD for passwordless mode — the DEK is stored unwrapped, relying on volume access controls for security.
| Variable | Required | Description |
|---|---|---|
| AGENT_VAULT_MASTER_PASSWORD | No | Derives a KEK that wraps the data encryption key. If omitted, runs in passwordless mode. |
| AGENT_VAULT_ADDR | Recommended | Externally-reachable base URL. Defaults to http://localhost:14321. Used for generating links in emails, invites, and discovery responses. |
Never put AGENT_VAULT_MASTER_PASSWORD in your Dockerfile or a committed .env file. Use Docker secrets or your orchestrator’s secret management instead.
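A pre-commit or CI check that enforces the warning above, as an added example (not part of Agent Vault or its documentation): it reports files where AGENT_VAULT_MASTER_PASSWORD is assigned a literal value. The function names, the file-name globs and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: find hard-coded AGENT_VAULT_MASTER_PASSWORD values in files
# that usually end up in version control. Function names and file-name globs
# are assumptions of this example, not part of Agent Vault.

# Matches NAME=value and NAME: value. A value that starts with "$" is treated
# as interpolation (e.g. ${AGENT_VAULT_MASTER_PASSWORD}) and is not reported.
# The legacy Dockerfile form "ENV NAME value" (no "=") is not covered.
LEAK_PATTERN="AGENT_VAULT_MASTER_PASSWORD[[:space:]]*[=:][[:space:]]*[\"']?[^\$\"'[:space:]]"

# find_master_password_leaks DIR
# Prints "path:line" for each hit (never the value); returns 1 if any exist.
find_master_password_leaks() {
    dir=${1:-.}
    hits=$(
        find "$dir" -type f ! -path '*/.git/*' \
            \( -name 'Dockerfile*' -o -name '.env*' -o -name '*compose*.y*ml' \) |
        LC_ALL=C sort |
        while IFS= read -r f; do
            # Second grep drops commented-out lines from the numbered matches.
            grep -nE "$LEAK_PATTERN" "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS=: read -r n rest; do printf '%s:%s\n' "$f" "$n"; done
        done
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree: a safe Compose file, a leaking .env, a leaking Dockerfile.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' 'services:' '  agent-vault:' '    environment:' \
        '      - AGENT_VAULT_MASTER_PASSWORD=${AGENT_VAULT_MASTER_PASSWORD}' > "$d/compose.yml"
    printf '%s\n' '# AGENT_VAULT_MASTER_PASSWORD=old-value' \
        'AGENT_VAULT_MASTER_PASSWORD=constructed-example' > "$d/.env"
    printf '%s\n' 'FROM infisical/agent-vault' \
        'ENV AGENT_VAULT_MASTER_PASSWORD="constructed-example"' > "$d/Dockerfile"
    printf '%s\n' "$d"
}
```

Run `find_master_password_leaks .` from the repository root; a non-zero return fails the hook or pipeline step, and the output names the file and line without echoing the secret.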
Agent Vault supports additional configuration for SMTP email notifications, Google OAuth, domain restrictions, and more. See Environment variables for the full reference.
Docker Compose
services:
  agent-vault:
    image: infisical/agent-vault
    ports:
      - "14321:14321"
    volumes:
      - agent-vault-data:/data
    environment:
      - AGENT_VAULT_MASTER_PASSWORD=${AGENT_VAULT_MASTER_PASSWORD}
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:14321/health"]
      interval: 30s
      timeout: 5s
      retries: 3

volumes:
  agent-vault-data:
Start it:
export AGENT_VAULT_MASTER_PASSWORD=your-password
docker compose up -d
The health check uses wget because the minimal Alpine image does not include curl. If you swap to a different base image, adjust accordingly.
Volume and persistence
All state lives in a single SQLite database at /data/.agent-vault/agent-vault.db. The Docker image declares VOLUME /data, so data survives container restarts as long as you mount a named volume or host path.
Changing the master password re-wraps the data encryption key without re-encrypting credentials. Use agent-vault master-password change while the server is stopped.