> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Import from 1Password

> Resolve 1Password secret references into a .env file then upload them with the Enkryptify CLI.

Use the 1Password CLI (`op`) to materialize your secrets into a `.env` file, then upload that file to Enkryptify with `ek import`.

The recommended path uses a template of secret references. You commit the template (it holds no secret values) and `op inject` fills in the values at run time.

## Prerequisites

* The [Enkryptify CLI](/cli/install) installed and signed in with `ek login`
* The 1Password CLI installed with `brew install 1password-cli` (check with `op --version`)
* Either the 1Password desktop app with CLI integration enabled, or a service account token

<Steps>
  <Step title="Authenticate the 1Password CLI">
    On your own machine, enable **Settings > Developer > Integrate with 1Password CLI** in the 1Password desktop app then approve the first `op` command. For headless or CI use, export a service account token instead:

    ```bash theme={"dark"}
    export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
    ```
  </Step>

  <Step title="Create a template file">
    Create `env.tpl` with one `KEY=op://<vault>/<item>/<field>` line per secret. Wrap the whole reference in quotes when a name contains a space:

    ```bash env.tpl theme={"dark"}
    DATABASE_URL=op://Production/database/url
    STRIPE_SECRET_KEY=op://Production/stripe/secret_key
    AWS_SECRET_ACCESS_KEY="op://Production/aws/Access Keys/secret_access_key"
    ```

    Plain `KEY=value` lines and `#` comments are copied through untouched. Only `op://` references are resolved.
  </Step>

  <Step title="Resolve the template into a .env file">
    ```bash theme={"dark"}
    op inject -i env.tpl -o .env
    ```

    Add `-f` to overwrite an existing `.env` without a prompt. To switch vaults per environment, parameterize the reference and set the variable for the one command:

    ```bash theme={"dark"}
    APP_ENV=Production op inject -i env.tpl -o .env -f
    ```
  </Step>

  <Step title="Import into Enkryptify">
    ```bash theme={"dark"}
    ek import .env
    ```

    Accept the prompt to delete the `.env` afterward so no plaintext copy is left on disk.
  </Step>
</Steps>

## All secrets in one item

If every value lives as a field on a single 1Password item, dump that item as JSON and convert it with `jq`. The field labels become the keys:

```bash theme={"dark"}
op item get "My App Prod" --vault Production --format json \
  | jq -r '.fields[] | select(.value != null and .label != null) | "\(.label)=\"\(.value)\""' > .env
```

## Notes

* Use `op inject` to write a file. `op run --env-file` only injects secrets into a running process and never creates a `.env`.
* Commit the template, not the generated `.env`. The `.env` holds plaintext values, so keep it out of git and delete it after importing.

## Next steps

* [Import from Vercel](/import/vercel)
* [Import from AWS Secrets Manager](/import/aws-secrets-manager)
* [CLI Quickstart](/cli/quickstart)
