Use dotenvx with 1Password
Load dotenvx private keys from 1Password at runtime.
Store your DOTENV_PRIVATE_KEY* values in 1Password, then load them into the environment before running dotenvx.
Read a Private Key
Use op read to resolve a 1Password secret reference into DOTENV_PRIVATE_KEY_PRODUCTION.
DOTENV_PRIVATE_KEY_PRODUCTION="$(op read op://Engineering/my-app/DOTENV_PRIVATE_KEY_PRODUCTION)" dotenvx run -- npm start
dotenvx run sees DOTENV_PRIVATE_KEY_PRODUCTION, decrypts .env.production, and injects the decrypted values into your process.
Use an Environment File
You can also keep 1Password secret references in .env.keys.
.env.keys
# .env.keys - DO NOT commit to source control
DOTENV_PRIVATE_KEY_PRODUCTION="op://Engineering/my-app/DOTENV_PRIVATE_KEY_PRODUCTION"
Then use op run to resolve the secret reference before dotenvx run starts.
op run --env-file .env.keys -- dotenvx run -- npm start
This keeps the plaintext private key out of .env.keys; 1Password resolves it at runtime.
Team Workflows
1Password works well for developers who already use 1Password locally. For teams that want private keys stored off-device, shared by project, and available without each developer wiring local 1Password access, use Armor.