Use the 1Password CLI (op) to materialize your secrets into a .env file, then upload that file to Enkryptify with ek import. The recommended path uses a template of secret references. You commit the template (it holds no secret values) and op inject fills in the values at run time.

Prerequisites

  • The Enkryptify CLI installed and signed in with ek login
  • The 1Password CLI installed with brew install 1password-cli (check with op --version)
  • Either the 1Password desktop app with CLI integration enabled, or a service account token

1. Authenticate the 1Password CLI

On your own machine, enable Settings > Developer > Integrate with 1Password CLI in the 1Password desktop app, then approve the first op command. For headless or CI use, export a service account token instead:
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."

2. Create a template file

Create env.tpl with one KEY=op://<vault>/<item>/<field> line per secret. Wrap the whole reference in quotes when a name contains a space:
env.tpl
DATABASE_URL=op://Production/database/url
STRIPE_SECRET_KEY=op://Production/stripe/secret_key
AWS_SECRET_ACCESS_KEY="op://Production/aws/Access Keys/secret_access_key"
Plain KEY=value lines and # comments are copied through untouched. Only op:// references are resolved.

3. Resolve the template into a .env file

op inject -i env.tpl -o .env
Add -f to overwrite an existing .env without a prompt. To switch vaults per environment, parameterize the vault part of the reference with a variable (APP_ENV below) and set that variable for this one command only:
APP_ENV=Production op inject -i env.tpl -o .env -f

4. Import into Enkryptify

ek import .env
Accept the prompt to delete the .env afterward so no plaintext copy is left on disk.

All secrets in one item

If every value lives as a field on a single 1Password item, dump that item as JSON and convert it with jq. The field labels become the keys:
op item get "My App Prod" --vault Production --format json \
  | jq -r '.fields[] | select(.value != null and .label != null) | "\(.label)=\"\(.value)\""' > .env

Notes

  • Use op inject to write a file. op run --env-file only injects secrets into a running process and never creates a .env.
  • Commit the template, not the generated .env. The .env holds plaintext values, so keep it out of git and delete it after importing.
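
A check to run before committing the template, as an added example that is not part of the Enkryptify or 1Password tooling: because plain KEY=value lines are copied through untouched, a secret pasted into env.tpl would be committed in plaintext. The hypothetical function lint_env_template flags every line whose value is not a complete op:// reference and prints only the key name, so the value never reaches a terminal or CI log.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from op or ek).
# lint_env_template FILE: print one finding per suspicious line and
# return 0 only when FILE holds just references, comments and blanks.
lint_env_template() {
    tpl=$1
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;           # blank lines and comments
        esac
        case $line in
            *=*) ;;
            *) echo "$tpl:$lineno: not a KEY=value line"
               findings=$((findings + 1)); continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # Strip one pair of surrounding double quotes (names with spaces).
        case $value in
            '"'*'"') value=${value#\"}; value=${value%\"} ;;
        esac
        case $value in
            '') ;;                          # empty value: nothing to leak
            op://?*/?*/?*) ;;               # vault/item/field, section optional
            op://*) echo "$tpl:$lineno: $key has an incomplete op:// reference"
                    findings=$((findings + 1)) ;;
            *) echo "$tpl:$lineno: $key holds a literal value, not an op:// reference"
               findings=$((findings + 1)) ;;
        esac
    done < "$tpl"
    [ "$findings" -eq 0 ]
}
```

Call it as lint_env_template env.tpl from a pre-commit hook; a non-secret literal it reports can stay in the template once reviewed.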

Next steps