Protect what matters – even after you're gone. Make a plan for your digital legacy today.
Forum Discussion
Sadia_A1P
1Password Team
1Password TeamIntroducing new .env file support in 1Password
Today, we’re introducing a first-of-its-kind feature available in the 1Password Desktop app.
With the new local .env file destination in 1Password Environments, you can securely use and share .env ...
This is an amazing feature so far, thanks to everyone who made this a reality 👏 !
Here is my feedback.
- it should be able to pull secrets using secret references from the vault (eg op://something-prod/github-client-id/credential)
- all my projects now have to live in environments without any sorting capability
- I was using separate vaults before to separate projects
- the mounted `.env` file is generated but probably should have
- env it was loaded from
- timestamp when it was updated
- any other relevant metadata that I am not aware of
- offline access now solves this one i've requested in the past!
- regarding git, it's probably worth mentioning that they won't be seen because git doesn't support named pipes in the docs
- locking of your vault and the env file getting removed from disk is just chefs kiss
- future looking but if you could support "stages" in environments like alpha/beta/prod (make prod scary and red 😂)
Simple demo I spun up for this! 🫶
- sid
Hey seanboult,
Thank you for sharing your feedback! Glad to hear your enjoying the feature!
I'll pass your notes along to the team, and the good news is that many of these ideas are already on our radar as next-step improvements.
I did have a couple of quick follow-ups to better understand your suggestions:
The mounted .env file is generated but probably should have
- env it was loaded from
- timestamp when it was updated
- any other relevant metadata that I am not aware of
Where would you expect to see this information? Were you thinking it should appear as commented lines within the generated .env file, or surfaced somewhere in the app interface instead?
regarding git, it's probably worth mentioning that they won't be seen because git doesn't support named pipes in the docs
Good point! We do actually mention in the docs you've linked that this file will not be tracked by Git. Were you perhaps referring to some sort of message within the 1Password Desktop app itself?
locking of your vault and the env file getting removed from disk is just chefs kiss
Just to clarify, locking 1Password shouldn’t remove the local .env file. The file remains available while 1Password is locked (you’ll just be prompted to authorize reads). It’s only cleaned up when you quit 1Password, delete or disable the destination, or delete the environment itself.
Where would you expect to see this information? Were you thinking it should appear as commented lines within the generated .env file, or surfaced somewhere in the app interface instead?
Would make sense to generate the metadata and embed it as a comment header in the env file.
Good point! We do actually mention in the docs you've linked that this file will not be tracked by Git. Were you perhaps referring to some sort of message within the 1Password Desktop app itself?
I just mean that by default git wont be able to track named pipes and calling that out here could help remove ambiguity here as to why.
"Although 1Password creates this file on your device, locally mounted .env files aren't tracked by Git and therefore your secrets aren't exposed by your version control system"Just to clarify, locking 1Password shouldn’t remove the local .env file. The file remains available while 1Password is locked (you’ll just be prompted to authorize reads). It’s only cleaned up when you quit 1Password, delete or disable the destination, or delete the environment itself.
Wow I must have seen some bug or something but swear I saw it disappear in the VSCode file tree when I locked my 1password.
Perhaps this is a feature request but really if you lock your 1password it will require another auth to get the contents visible again.- sid
Perhaps this is a feature request but really if you lock your 1password it will require another auth to get the contents visible again.
Ya that’s right. This behaviour follows our security model and is an intentional requirement. We need your authorization to decrypt the contents of your Environment.
Once you approve access, you won’t be prompted again until 1Password locks. We keep the .env file in place even while 1Password is locked, since the locking of 1Password can happen automatically after a short period of inactivity (which users can configure). This ensures the .env files don’t disappear mid-development, unless you quit 1Password, delete the environment, or disable the destination.
