Protect what matters – even after you're gone. Make a plan for your digital legacy today.
Cannot find "Destinations" tab for mounting secrets to local .env files
I am trying to use the feature "Access secrets from 1Password through local .env files" but I cannot find the "Destinations" tab. What I have done: Enabled "Show 1Password Developer experience" in Settings > Developer Enabled "Record and display activity" I can see and use the AWS Secrets Manager integration What I expected: According to the documentation, there should be a "Destinations" tab that allows me to mount secrets to a local .env file. What I see: The "Destinations" tab does not appear anywhere in the interface. I only see the AWS Secrets Manager integration option. Environment: 1Password version: Latest OS: Windows Account type: Individual Could you please help me understand how to access the Destinations feature, or let me know if this feature has been moved or deprecated? Thank you.
1Password guest account for a dev machine?
Hello friends, I've been reading about the Shai-Hulud/Sha1-Hulud malware which is currently spreading through npm packages with its TruffleHog payload, and there are plenty of other examples of supply-chain attacks against developer tools. My 1Password has everything in it; stuff that I use for indie-development, and personal things like logins to my email and banking. So now I'm thinking about making a clear separation between my indie-dev machine and other boxes that I use for traditional home-computing. 1Password's guest accounts look ideal for this. I could make a guest account which only has access to that one vault, and use only that guest account on my dev machine. Luckily my indie-dev items are already in a separate vault. Would that work? Have I missed any gotchas? (And would this be compatible with 1Password's acceptable use-cases for guest accounts?) MatthewDid you know: Zscaler & 1Password are integrated?
On our Enterprise side of the business - 1Password now integrates with Zscaler (Zero Trust network access (ZTNA)) through 1Password Device Trust to ensure only secure, compliant devices can access company applications. This integration verifies that Zscaler Client Connector, ZIA, or ZPA is properly installed and running before granting SSO access. If a device fails the check, 1Password Device Trust provides dynamic remediation guidance to the end user to bring it into compliance. This approach enforces Zero Trust access, strengthens endpoint security, and reduces risk by blocking misconfigured or unsecured devices while guiding users to quickly self-remediate issues. Check out the announcement to learn more.Service Account Security (feature request)
I just started using service accounts, so forgive me if this has already been discussed. I did not find anything while searching the forum. A few things that would greatly improve the security of service accounts from the top of my head: IP-limits for access Alerts (watchtower?) for unauthorized access attempts I think there should be a way to limit service account access to only certain IP-addresses and environments. My proposal is a combination of pre-defined environments (maintained by 1Password) like AWS region XXX, AWS region YYY ... Lists publicly available here: https://ip-ranges.amazonaws.com/ip-ranges.json Github Actions, Github Copilot ... Lists publicly available here: https://api.github.com/meta Other relevant environments you can think of And one should obviously also be able to create private lists of IP-addresses/prefixes (both IPv4 and IPv6) that can be allowed to use a certain service account. This will seriously limit the amount of damage that can happen IF (when) a service account token is leaked somewhere. When this is in place, watchtower (or similar functionality) should be able to alert you if someone tries to use a service account from outside the limited environments where it is allowed to be used. That way, you will immediately be notified if a token might be compromised, and can rotate it. Of course, if you have limited a service account to only be used from a github action, and the evil hacker also uses a github action to access your secrets, you will not know - but that is no worse than the current situation. In best case, the evil perpetrator will test the token from an invalid location first, so you will be notified and can hopefully act before any other secret data has been compromised.OpenAI API Keys... Oh mai
Just a heads up, on Github, a crafty person created a query to find OpenAI API keys via search. I'm not going to link to it, but here are some resources if you fall into this camp! We have an entire blog post from 2023 about this topic https://blog.1password.com/openai-chatgpt-exposed-api-keys/ AI Agents + 1Password (Blog) https://developer.1password.com/docs/sdks/ai-agent CLI https://developer.1password.com/docs/cli/secret-references SDK (Python, Go & Typescript/JS) https://developer.1password.com/docs/sdks/load-secrets GitHub Actions with 1Password (hide API keys in CI/CD) https://developer.1password.com/docs/ci-cd/github-actionsopenv – A simple CLI tool to wrap commands with 1Password secrets from .env
Hey folks, 👋 I just released a new version of a small command-line tool I’ve been working on called openv. 💡 What it does: It automatically wraps selected dev commands (like npm dev, pnpm run, etc.) with op run, if your project’s .env file contains op:// secrets from 1Password. So instead of manually writing: run --env-file=.env -- npm run dev You can just type, as you would normally do: npm run dev And it will be wrapped automatically via a shell hook. 🧠 Why I built it: This started as a personal tool because I kept forgetting to wrap my dev commands with op run, and I wanted a smoother experience that "just works" based on .env contents. It hooks into ZSH (likely direnv), with support for allow/deny patterns (e.g., only wrap certain commands like pnpm start). 🛠️ Tech: Written in Rust Works in ZSH, Bash, and Fish Installable via Homebrew Fully local 🧪 Notes: This is an early release, mainly developed for my personal use. I’m sharing it here in case others find it useful. Feedback, issues, or even feature ideas are very welcome — but no pressure! GitHub: https://github.com/andrea11/openv Thanks for reading — and happy coding! 🚀.env accessed?: Lesson learned from a drained crypto wallet
A user on X recently lost their entire crypto wallet after installing a malicious extension in Cursor.ai. The extension accessed their .env file, extracted private keys, and sent them to an attacker’s server. The wallet was drained within 27 minutes. Sadly a hard lesson to learn from. What steps would you recommend to secure their setup? Read - https://x.com/0xzak/status/1955265807807545763?s=46&t=WQd8UVBBGk_pyHB3pNwGsA
