Skip to main content
Use the 1Password CLI (op) to materialize your secrets into a .env file, then upload that file to Enkryptify with ek import. The recommended path uses a template of secret references. You commit the template (it holds no secret values) and op inject fills in the values at run time.

Prerequisites

  • The Enkryptify CLI installed and signed in with ek login
  • The 1Password CLI installed with brew install 1password-cli (check with op --version)
  • Either the 1Password desktop app with CLI integration enabled, or a service account token
1

Authenticate the 1Password CLI

On your own machine, enable Settings > Developer > Integrate with 1Password CLI in the 1Password desktop app then approve the first op command. For headless or CI use, export a service account token instead:
2

Create a template file

Create env.tpl with one KEY=op://<vault>/<item>/<field> line per secret. Wrap the whole reference in quotes when a name contains a space:
env.tpl
Plain KEY=value lines and # comments are copied through untouched. Only op:// references are resolved.
3

Resolve the template into a .env file

Add -f to overwrite an existing .env without a prompt. To switch vaults per environment, parameterize the reference and set the variable for the one command:
4

Import into Enkryptify

Accept the prompt to delete the .env afterward so no plaintext copy is left on disk.

All secrets in one item

If every value lives as a field on a single 1Password item, dump that item as JSON and convert it with jq. The field labels become the keys:

Notes

  • Use op inject to write a file. op run --env-file only injects secrets into a running process and never creates a .env.
  • Commit the template, not the generated .env. The .env holds plaintext values, so keep it out of git and delete it after importing.

Next steps