Our community is getting an upgrade on July 2nd! Learn more in the FAQs →
Forum Discussion
Sadia_A1P
1Password Team
1Password TeamIntroducing new .env file support in 1Password
Today, we’re introducing a first-of-its-kind feature available in the 1Password Desktop app.
With the new local .env file destination in 1Password Environments, you can securely use and share .env files across your team, without rewriting how your app loads credentials.
Here’s why it matters:
- Zero plaintext secrets on disk: Secrets are loaded into applications on demand. You can’t accidentally commit them.
- No cumbersome sharing of secrets: Teammates get instant access - no DMs or copying secrets.
- Built for teams: Version history, access control, and automatic updates - all in one place.
- Offline access: No more internet connection required to load secrets from 1Password. Secrets are sourced directly from the desktop app's local cache.
Now available in beta on Mac and Linux. Interested to see it in action? Watch the demo video below.
Video not displaying? Watch it here.
💬 Share feedback, get swag
We want your input on what to build next: CI/CD integrations? Docker support? Something else?
📖 Read the docs to get started
👉 Join the discussion in the 1Password Developer Community
🧢 The first 10 developers to start a discussion on the 1Password Developer Community Hub to share feedback by October 31st will get exclusive 1Password swag. Be sure to tag your post with beta-environments.
32 Replies
Went to setup 1Password Environments only to realize I cannot share environments with groups :-(.
If it was "built for teams", how are we supposed to share environments across a team? Individual sharing doesn't scale and is difficult to manage.
I would like to have this feature on Windows.
Great feature. Would love to see support for Docker (compose)!
Any plans on adding "Offline mode" to the CLI?
`op run` is still going down with 1Password outages as demonstrated today. This is like the 4th or 5th time I've been locked out of my env variables with 1Password due to an outage. As a dev, it's become a bit of a liability.
I've been using this feature since its launch, and it is like a dream coming true. I'm hoping for great new improvements on that.
Not having any secrets in plain text on my storage and principally not having to change each project/service to integrate with 1Password (like using packages or plugins) is just great.
Here are my wishes:
- Reference existing 1Password items so they won't be duplicated inside 1Passport (TOKEN="{{op://vault/service/token}}").
- Reference other variables (U="user", P="password", DB="url://$U:$P").
- Sorting the environment variables (alphabetically, manually).
- Option to make the mount file read-only.
- Support for project environments (like production, staging, dev, …) so a variable can inherit its value from other environments (see Infisical ;).
- Better "project/environments" organization (folders, tags, sorting, description, …).
- Ability to programmatically specify and mount the file destinations locally.
- CLI full management.
- Use/select templates for the mounting files.
Great job!Echoing:
- Sorting the environment variables alphabetically --> annoyance when you have a large list of environments across the team
This is excellent. Thank you for the new feature! Sharing Dotenv in the team over our file server is ending.
For production we still need Dotenv files on the website projects’ webservers. It would be great to have an export button that writes a file to a given destination. Otherwise we still need to keep a copy.
You can use varlock in production (https://varlock.dev/plugins/1password/#loading-1password-environments ) or any server/service that doesn't currently have a destination and that way you're not writing plaintext env files on your servers either!
Liking this feature so far! Could you please add the ability to sort the environment names alphabetically (and leave sorting on by default)? I'd also like the ability to programmatically specify and mount the .env destinations locally, so we can save engineers some time setting up the project.
I like this beta feature, but the Microsoft Python extensions in vscode don't seem to play nicely with it. If the extensions are enabled, they keep trying to access the .env file and take a long time to load. If I cancel authentication to 1password, it asks to authenticate 2 more times after that (3 times total, perhaps once per extension?). After cancelling authentication 3 times, everything loads. If I were to auth, it takes many minutes for extensions to finish loading.
After it all loads, I can run the python script, auth 1password 1 time to unlock it, and it runs as expected with a short delay.
The Pylance by MS extension works fine, but the Python, Python Environments, and Python Debugger extensions by MS seem to cause the issue.
I wonder if anyone knows how to work around this?
Great feature, however I encountered some issues when trying to make use of it:
- There is currently no feature to reference existing 1Password items, which means I have to maintain stuff like tokens, passphrases etc. in two places when using the Environments feature.
- It would be great to support actually setting the environment variables - for example, for usage in Terraform variables. As a workaround, I tried to use `direnv` (on macOS) - but it does not recognize the 'file' created by 1Password, even when mounted/decrypted:# When in folder with .envrc created/mounted by 1Password: > direnv allow . direnv: error .envrc file not found- Another improvement would be to add another mounting option 'Terraform variable' which creates a `.tfvars` file at the desired location, and prefixes the variables with `TF_VAR` - this would cover a common use case and also remove the need for creating separate variables with that prefix.
But great idea with lots of potential!I also use `direnv` on macOS, and it works great with this 1Password feature. But there is a change you need to do to make it work.
The `dotenv` and `dotenv_if_exists` methods (on https://github.com/direnv/direnv/blob/02040c767ba64b32a9b5ef2d8d2e00983d6bc958/stdlib.sh#L230-L265) use `[[ -f $path ]]` to check for the file's existence. It won't work on named pipes (used by .env files). So, we need to change to `[[ -f $path || -p $path ]]` to check for both of them.
While it is not officially fixed, you can make a local fix by overwriting the methods.
Create a file `~/.config/direnv/lib/polyfills.sh` with:
#!/usr/bin/env bash # @see https://github.com/direnv/direnv/blob/02040c767ba64b32a9b5ef2d8d2e00983d6bc958/stdlib.sh#L230-L265 # unset -f dotenv dotenv_if_exists # Usage: dotenv [<dotenv>] # # Loads a ".env" file into the current environment # dotenv() { local path=${1:-} if [[ -z $path ]]; then path=$PWD/.env elif [[ -d $path ]]; then path=$path/.env fi if [[ -f "$path" ]]; then watch_file "$path" fi if ! [[ -f "$path" || -p "$path" ]]; then log_error ".env at $path not found" return 1 fi eval "$("$direnv" dotenv bash "$@")" } # Usage: dotenv_if_exists [<filename>] # # Loads a ".env" file into the current environment, but only if it exists. # dotenv_if_exists() { local path=${1:-} if [[ -z $path ]]; then path=$PWD/.env elif [[ -d $path ]]; then path=$path/.env fi if [[ -f "$path" ]]; then watch_file "$path" fi if ! [[ -f "$path" || -p "$path" ]]; then return fi eval "$("$direnv" dotenv bash "$@")" }I hope it works there too.
If I do `export $(cat .envrc | xargs)` it works... half of the time - not sure why. But that's a cumbersome extra step anyways.
Any news on when local .env files will be available on Windows. Feeling a little left behind...
