Access secrets from 1Password through local .env files (Beta)

Locally mounted .env files allow secure access to the secrets you've stored in 1Password Environments from your device, without needing to keep them in a plaintext .env file on your local device. Creating a local .env file destination makes your secrets both safe and simple to access.

Mount your .env file

To configure a local .env file destination, use the 1Password desktop app to create a new environment, or open the existing environment you want to configure the destination for. Within your environment:

  1. Select the Destinations tab, then select Configure destination for a "Local .env file".
  2. Select Choose file path and choose the path on your device where you want to create your local .env file.
  3. Select Mount .env file.

You can disable a local .env file to remove it from your device. In the Destinations tab of your environment, toggle the Enabled option on or off as needed. You can have up to ten enabled local .env files per device.

Verify with your terminal

To confirm that you can access your environment variables on your device, you can read your secrets using the cat shell command.

  1. From your terminal, navigate to the directory where your .env file is saved. Run the following command, replacing .env with the name you've given your file:

         cat .env

  2. Select Authorize in the authorization prompt that pops up.

Upon approval, your environment's contents will be returned. They're only read once and aren't written to disk. New read requests will have to be authorized again.

Dotenv library compatibility

You can use your language's supported .env libraries to load secrets into your projects and work with your environment variables.

Use of local .env files with 1Password Environments is compatible with the following libraries:

| Language / Tool | Library |
| --- | --- |
| C# | dotnet-env |
| Docker Compose | Built-in support for .env files |
| Go | godotenv |
| Java | dotenv-java |
| JavaScript / Node.js | dotenv |
| PHP | phpdotenv |
| Python* | python-dotenv |
| Ruby | dotenv |
| Rust** | dotenvy |

* Will only work if you pass in the dotenv file contents directly.
** Will only work if you pass in the filename, path, or contents directly.

How it works

1Password makes your environment variables available as a .env file without actually storing the plaintext contents on your device. Instead, the file contents are passed directly to the reader process on demand through a UNIX named pipe. 1Password mounts the .env file at the path you've specified on your device and automatically remounts it whenever 1Password restarts. This means that as long as 1Password is running, even if locked, the file is there and 1Password is ready to respond when you need to access your secrets.

When your application tries to read the file, you'll receive an authorization prompt asking for approval to populate the .env file. The file will lock again when 1Password locks. There's no distinction made between different processes reading the file. Once the file is unlocked, every process can read it until you lock 1Password or disable the .env file in 1Password.

Although 1Password creates this file on your device, locally mounted .env files aren't tracked by Git and therefore your secrets aren't exposed by your version control system. The contents of these files are never stored on disk and are only available at the moment you access them, provided you've authenticated. Once read, the information is no longer available until you access it again.

An authorization prompt is shown when you try to access a mounted `.env` file through your local terminal.
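The named-pipe behavior described above, as an added example that is not 1Password's code: a reader that refuses a regular (plaintext) file, reads the pipe once, and parses the contents in memory, which is the "pass the contents directly" pattern from the Python footnote. The function names are hypothetical, `serve_once` is a stand-in for the provider side, the sample values are constructed, and a POSIX system with `os.mkfifo` is assumed.

```python
import os, stat, tempfile, threading

def read_mounted_env(path):
    """Read a pipe-backed .env once; refuse a regular file (plaintext at rest)."""
    if not stat.S_ISFIFO(os.stat(path).st_mode):
        raise ValueError(f"{path} is not a named pipe")
    with open(path, "r", encoding="utf-8") as fh:  # blocks until a writer opens
        return fh.read()                           # returns when the writer closes

def parse_env(contents):
    """Minimal KEY=VALUE parser (assumption: no multiline values, no interpolation).
    With python-dotenv, dotenv_values(stream=io.StringIO(contents)) fills this role."""
    env = {}
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env

def serve_once(path, contents):
    """Hypothetical stand-in for the provider: answer exactly one read of the pipe."""
    def writer():
        with open(path, "w", encoding="utf-8") as fh:  # blocks until a reader opens
            fh.write(contents)
    thread = threading.Thread(target=writer, daemon=True)
    thread.start()
    return thread

def demo():
    sample = "# constructed sample values\nDB_USER=app\nexport API_TOKEN='not-a-real-token'\n"
    with tempfile.TemporaryDirectory() as tmp:
        pipe = os.path.join(tmp, ".env")
        os.mkfifo(pipe, 0o600)                 # owner-only, like any secrets file
        writer = serve_once(pipe, sample)
        secrets = parse_env(read_mounted_env(pipe))
        writer.join()
        return secrets, os.stat(pipe).st_size  # a FIFO keeps no bytes at rest

if __name__ == "__main__":
    print(demo())
```

The `S_ISFIFO` check is also a quick way to audit a project directory: a `.env` path that turns out to be a regular file is holding its secrets in plaintext on disk.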

Limitations

  • Local .env file destinations aren't designed for concurrent access. If multiple processes try to read your local .env file at the same time, you may encounter delays or unexpected behaviors. For example, if you have the file open in an IDE while another application attempts to read it, this may result in conflicts. The first process to access the file will succeed in reading the secrets, while others may fail to read the contents. If you have the .env file open in an IDE or another application that is actively accessing it, you may need to close that session to allow other applications or terminal instances to read the file without interference.

  • When you're offline, you'll only be able to access the most recent contents synced to your device or local changes you've made. When you're back online, your environment will update to reflect the latest changes you've saved in 1Password.
