Sadia_A1P
1Password Team
2 months ago

Introducing new .env file support in 1Password

Today, we’re introducing a first-of-its-kind feature available in the 1Password Desktop app.

With the new local .env file destination in 1Password Environments, you can securely use and share .env files across your team, without rewriting how your app loads credentials.

Here’s why it matters:

  1. Zero plaintext secrets on disk: Secrets are loaded into applications on demand. You can’t accidentally commit them.
  2. No cumbersome sharing of secrets: Teammates get instant access - no DMs or copying secrets.
  3. Built for teams: Version history, access control, and automatic updates - all in one place.
  4. Offline access: No more internet connection required to load secrets from 1Password. Secrets are sourced directly from the desktop app's local cache.

Now available in beta on Mac and Linux. Interested to see it in action? Watch the demo video below.


💬 Share feedback, get swag

We want your input on what to build next: CI/CD integrations? Docker support? Something else?

📖 Read the docs to get started

👉 Join the discussion in the 1Password Developer Community

🧢 The first 10 developers to start a discussion on the 1Password Developer Community Hub to share feedback by October 31st will get exclusive 1Password swag. Be sure to tag your post with beta-environments.

16 Replies

  • Pete27
    New Contributor

    Any news on when local .env files will be available on Windows? Feeling a little left behind...

  • seanboult
    Occasional Contributor

    This is an amazing feature so far, thanks to everyone who made this a reality 👏 ! 

    Here is my feedback.

    • it should be able to pull secrets using secret references from the vault (e.g. op://something-prod/github-client-id/credential)
    • all my projects now have to live in environments without any sorting capability
      • I was using separate vaults before to separate projects 
    • the mounted `.env` file is generated but probably should have
      • env it was loaded from
      • timestamp when it was updated
      • any other relevant metadata that I am not aware of
    • offline access now solves this one I've requested in the past!
    • regarding git, it's probably worth mentioning that they won't be seen because git doesn't support named pipes in the docs
    • locking of your vault and the env file getting removed from disk is just chef's kiss
    • future looking but if you could support "stages" in environments like alpha/beta/prod (make prod scary and red 😂)

     

    Simple demo I spun up for this! 🫶

    • sid
      1Password Team

      Hey seanboult​,

      Thank you for sharing your feedback! Glad to hear you're enjoying the feature!

      I'll pass your notes along to the team, and the good news is that many of these ideas are already on our radar as next-step improvements.

      I did have a couple of quick follow-ups to better understand your suggestions:

      > The mounted .env file is generated but probably should have
      >
      > • env it was loaded from
      > • timestamp when it was updated
      > • any other relevant metadata that I am not aware of

      Where would you expect to see this information? Were you thinking it should appear as commented lines within the generated .env file, or surfaced somewhere in the app interface instead?

      > regarding git, it's probably worth mentioning that they won't be seen because git doesn't support named pipes in the docs

      Good point! We do actually mention in the docs you've linked that this file will not be tracked by Git. Were you perhaps referring to some sort of message within the 1Password Desktop app itself?

      > locking of your vault and the env file getting removed from disk is just chef's kiss

      Just to clarify, locking 1Password shouldn’t remove the local .env file. The file remains available while 1Password is locked (you’ll just be prompted to authorize reads). It’s only cleaned up when you quit 1Password, delete or disable the destination, or delete the environment itself.

      • seanboult
        Occasional Contributor

        > Where would you expect to see this information? Were you thinking it should appear as commented lines within the generated .env file, or surfaced somewhere in the app interface instead?

        Would make sense to generate the metadata and embed it as a comment header in the env file.

        > Good point! We do actually mention in the docs you've linked that this file will not be tracked by Git. Were you perhaps referring to some sort of message within the 1Password Desktop app itself?

        I just mean that by default git won't be able to track named pipes and calling that out here could help remove ambiguity here as to why.

        "Although 1Password creates this file on your device, locally mounted .env files aren't tracked by Git and therefore your secrets aren't exposed by your version control system"

        > Just to clarify, locking 1Password shouldn’t remove the local .env file. The file remains available while 1Password is locked (you’ll just be prompted to authorize reads). It’s only cleaned up when you quit 1Password, delete or disable the destination, or delete the environment itself.

        Wow I must have seen some bug or something but swear I saw it disappear in the VSCode file tree when I locked my 1password.

        Perhaps this is a feature request but really if you lock your 1password it will require another auth to get the contents visible again.

  • benemanu
    New Contributor

    Nice feature! It would be even smoother if it supported pasting template files that include 1Password Secret References like:

    SAMPLE_ENV_VARIABLE="op://sample-vault/sample_item/sample-field"

    and have them automatically resolved. I know I can manually create a .env file with the resolved values, but having this built-in would make the experience even better. Great work!

    • seanboult
      Occasional Contributor

      I came here to leave the same feedback 😂

    • jd-sb-dev
      New Contributor

      This!!

      I came here to specifically request this (or something like it). I want to link environment values to secrets in existing items.

  • ar4743
    New Contributor

    I would like to have better integration with terraform, I can't get it to work. And also you support SSH keys, but not GPG keys. I'm storing them now as text.

  • phildmno
    Occasional Contributor

    This is great! If you have docs on library compatibility we're happy to make varlock.dev work with this! 

    • 1P_Phil
      Moderator

      Hi phildmno,

      We have docs on which libraries we have tested (link), nothing specific for library creators (at the moment, but I can get that requested), good call!

      If you open the file pipe and read out the content line by line into environment variables you should be good to go.

      Thanks!
      Phil & Team
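
The approach described in the reply above (open the pipe, read it line by line), as an added example that is not 1Password's code or part of the original thread. It assumes the mounted file behaves like an ordinary POSIX named pipe and parses only a simplified KEY=VALUE subset of .env syntax; the sample lines and the writer thread standing in for the desktop app are constructed.

```python
import os
import stat
import tempfile
import threading

def parse_env_line(line):
    """Return (key, value) for one KEY=VALUE line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("export "):
        line = line[len("export "):].lstrip()
    key, sep, value = line.partition("=")
    key = key.strip()
    if not sep or not key:
        return None  # not an assignment: skip rather than guess
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # drop one pair of matching quotes
    return key, value

def load_env_file(path):
    """Read a .env path once, front to back; works for regular files and FIFOs."""
    is_fifo = stat.S_ISFIFO(os.stat(path).st_mode)
    values = {}
    # A FIFO has no meaningful size and cannot be seeked or re-read: open it
    # once, iterate until the writer closes its end (EOF), keep the result.
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            parsed = parse_env_line(line)
            if parsed:
                values[parsed[0]] = parsed[1]
    return values, is_fifo

def demo():
    """Constructed stand-in: a thread plays the provider writing into a FIFO."""
    sample = '# constructed sample\nAPI_KEY="example-value"\nexport DEBUG=1\n\nBROKEN LINE\n'
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        os.mkfifo(path, 0o600)  # owner-only named pipe, no data stored on disk
        def writer():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(sample)
        t = threading.Thread(target=writer)
        t.start()
        values, is_fifo = load_env_file(path)
        t.join()
    return values, is_fifo

if __name__ == "__main__":
    print(demo())
```

A loader that sizes the file first or reads it twice will not work against a pipe; the returned dict can be applied with `os.environ.update(values)` once the single read completes.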

      • phildmno
        Occasional Contributor

        ok thanks, we'll test and let you know! It should be an easy update on our end

  • All, 

    This one is super rad, I've been working with this feature over the past few months and it really has helped my workflow. I was able to drop my reliance on ".gitignore" skipping my ".env" files and relax a little bit.

    Then when I accidentally share my API key on a live stream, I just get a new one, update it in 1Password and I'm good to go. No more do I have to "find & replace" to get things updated, or remember what script is setting some random ENV variable.  It is now all in one place.

    High-five 🙌 to the team on this release!

    We are super excited to see how you use this and how it helps out with your workflows.  Here is a quick gif of what to look for in 1Password.