🔐 env2op ⇄ op2env

Push .env files to 1Password and pull them back with two simple commands.

---

Installation

Homebrew (macOS/Linux)

brew tap tolgamorf/tap
brew install env2op-cli

# or in a single command:
brew install tolgamorf/tap/env2op-cli

Scoop (Windows)

scoop bucket add tolgamorf https://github.com/tolgamorf/scoop-bucket
scoop install env2op-cli

Chocolatey (Windows)

choco install env2op-cli

WinGet (Windows)

winget install tolgamorf.env2op-cli

Package Managers (macOS/Linux/Windows)

Global installation

# Using bun
bun add -g @tolgamorf/env2op-cli

# Using npm
npm install -g @tolgamorf/env2op-cli

# Using pnpm
pnpm add -g @tolgamorf/env2op-cli

Running directly

# Using bun
bunx @tolgamorf/env2op-cli .env Personal "MyApp"

# Using npm
npx @tolgamorf/env2op-cli .env Personal "MyApp"

# Using pnpm
pnpm dlx @tolgamorf/env2op-cli .env Personal "MyApp"

Prerequisites

• 1Password CLI installed and signed in
• Bun runtime (for best performance)

Commands

This package provides two commands:

Command	Description
env2op	Push .env to 1Password, generate .env.tpl template
op2env	Pull secrets from 1Password using .env.tpl template

env2op (Push)

Push environment variables to 1Password and generate a template file.

env2op <env_file> <vault> <item_name> [options]

Examples for env2op

# Basic usage - creates a Secure Note and generates .env.tpl
env2op .env.production Personal "MyApp - Production"

# Custom output path for template
env2op .env Personal "MyApp" -o secrets.tpl

# Preview what would happen without making changes
env2op .env.production Personal "MyApp" --dry-run

# Store all fields as password type (hidden in 1Password)
env2op .env.production Personal "MyApp" --secret

# Skip confirmation prompts (useful for scripts/CI)
env2op .env.production Personal "MyApp" -f

Options for env2op

Flag	Description
-o, --output	Output template path (default: <env_file>.tpl)
-f, --force	Skip confirmation prompts
--dry-run	Preview actions without executing
--secret	Store all fields as 'password' type (default: 'text')
--verbose	Show op CLI output
--update	Check for and install updates
-v, --version	Show version
-h, --help	Show help

op2env (Pull)

Pull secrets from 1Password to generate a .env file.

op2env <template_file> [options]

Examples for op2env

# Basic usage - generates .env from .env.tpl
op2env .env.tpl

# Custom output path
op2env .env.tpl -o .env.local

# Preview without making changes
op2env .env.tpl --dry-run

# Overwrite existing .env without prompting
op2env .env.tpl -f

Options for op2env

Flag	Description
-o, --output	Output .env path (default: template without .tpl)
-f, --force	Overwrite without prompting
--dry-run	Preview actions without executing
--verbose	Show op CLI output
--update	Check for and install updates
-v, --version	Show version
-h, --help	Show help

How It Works

1. env2op parses your .env file, creates a 1Password Secure Note, and generates a .tpl template
2. op2env reads the template and pulls current values from 1Password to create a .env file

You can also use the op run command to run processes with secrets injected:

op run --env-file .env.tpl -- npm start

Field Types

By default, all fields are stored as text type (visible in 1Password). Use --secret to store them as password type (hidden by default, revealed on click).

Example

Given this .env file:

DATABASE_URL=postgres://localhost/myapp
API_KEY=sk-1234567890
DEBUG=true

Running:

env2op .env Personal "MyApp Secrets"

Creates a 1Password Secure Note with fields:

• DATABASE_URL (text)
• API_KEY (text)
• DEBUG (text)

And generates .env.tpl with UUID-based references (avoids naming conflicts):

DATABASE_URL=op://abc123vaultid/xyz789itemid/def456fieldid
API_KEY=op://abc123vaultid/xyz789itemid/ghi012fieldid
DEBUG=op://abc123vaultid/xyz789itemid/jkl345fieldid

Programmatic Usage

You can also use env2op as a library:

import { parseEnvFile, createSecureNote, generateTemplateContent } from "@tolgamorf/env2op-cli";

const result = parseEnvFile(".env");
console.log(result.variables);

License

MIT