
I tried out the new ability to manage .env files with 1Password Environments
In iOS development, managing secret information such as API keys and Firebase configuration is an important challenge. Many developers manage environment variables using .env files, but since they are stored on disk in plain text, there is always the risk of accidentally committing them to Git.
I use Arkana to obfuscate secret information (for details about Arkana, see my previous article), but managing the underlying .env files had been a challenge.
In October 2025, a new 1Password feature called "1Password Environments" was released as a public beta. This feature allows you to virtually mount .env files and manage secret information without writing it to disk.
This article introduces how to use 1Password Environments in combination with Arkana and Xcode Cloud.
Verification Environment
- macOS 15.7.1 (24G231)
- Xcode 26.1.1
- 1Password desktop app 8.11.18
- Arkana 1.4.0
Challenges with Traditional .env File Management
The .env file challenges that many developers face are as follows.
Security Risks
- Secret information is stored on disk in plain text
- Risk of forgetting to add the file to .gitignore and accidentally committing it to Git
- May be included in macOS backups (potentially)
Challenges in Team Development
- Sharing secrets with new members is cumbersome
- Sending API keys via Slack or email is not ideal from a security standpoint
- Updating environment variables across the entire team is tedious
Development Machine Migration
- When setting up a new Mac, you need to search through past chats and documents to find secrets
What is 1Password Environments
1Password Environments is a feature that provides a dedicated workspace for securely managing secret information for development projects.
Key Features
- Virtually mounts a .env file at a specified path
- Secret information is not written to disk
- Data is passed directly to applications through UNIX pipes
- Compatible with existing dotenv libraries as-is
- Tools that read .env files, such as Arkana, work as-is
How Virtual Mounting Works
When 1Password virtually mounts a .env file, no physical file exists on disk, yet applications can read it like a normal file. Access is automatically blocked when 1Password is locked, and cached values remain accessible even offline.
Configuration for the Development Environment
I develop iOS apps personally outside of work and manage secrets with the following configuration.
Local Development Environment
1Password Environments (.env virtual mount)
↓
Arkana (obfuscated code generation)
↓
Xcode (build)
CI/CD Environment (Xcode Cloud)
Xcode Cloud environment variables
↓
Arkana (obfuscated code generation)
↓
Build & distribution
This configuration allows secrets to be managed consistently and securely both locally and in CI/CD.
1. Enabling 1Password Developer Features
First, enable developer features in 1Password.
- Launch the 1Password desktop app
- Open Settings > Developer
- Turn on [Show 1Password developer experience]

This will display a "Developer" section in the sidebar.
2. Creating an Environment
Open the Developer section in the sidebar. Click the [Show environments] button on the environments tile.

Click the [New Environment] button. An input dialog for the environment name will appear; enter an appropriate environment name and click the save button. For this example, I used the name of the app under development as the environment name.

Click the [Show environment] button for the created app (environment).

3. Importing the .env File
Click the [Import .env file] button.

Select the .env file to import.

Review the imported keys and values, then click the [Save] button.

Once the import is complete, each environment variable is encrypted and securely stored as a 1Password item.
4. Deleting the Original .env File
Delete the original .env file for security.
cd /Users/ch3cooh/works/NSEasyConnect/NSEasyConnect
# Backup just in case
cp .env .env.backup
# Delete
rm .env
# Check that .env is listed in .gitignore (-F treats ".env" as a literal string)
grep -F '.env' .gitignore
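As an added example (not part of the original article), the function below asks Git itself instead of grepping .gitignore: is the path ignored, is it already tracked, and was it ever committed. This also matters for the backup copy, because a plain `.env` ignore rule does not match `.env.backup`. The name `audit_secret_file` is hypothetical.

```shell
#!/bin/sh
# Added example: audit how Git sees a secrets file such as .env or .env.backup.
# Usage: audit_secret_file <repo-dir> <path-relative-to-repo>
# Prints one finding per line; returns 0 only when there is no WARN.
audit_secret_file() {
    repo=$1
    file=$2
    rc=0

    # 1. Is the path matched by an ignore rule? (check-ignore exits 0 on a match)
    if git -C "$repo" check-ignore -q -- "$file"; then
        echo "ok: $file is ignored"
    else
        echo "WARN: $file is not ignored"
        rc=1
    fi

    # 2. Is it in the index? Ignore rules do not apply to files already tracked.
    if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "WARN: $file is tracked (untrack it and rotate the keys)"
        rc=1
    else
        echo "ok: $file is not tracked"
    fi

    # 3. Was it ever committed on any ref? Deleting a file does not rewrite history.
    if [ -n "$(git -C "$repo" log --all --format=%h -- "$file" 2>/dev/null)" ]; then
        echo "WARN: $file appears in history (treat its values as exposed)"
        rc=1
    else
        echo "ok: $file was never committed"
    fi

    # 4. Is there a plaintext regular file on disk right now?
    if [ -f "$repo/$file" ]; then
        echo "NOTE: $file exists as a regular file on disk"
    fi
    return $rc
}
```

Run it for both `.env` and `.env.backup`; a non-zero exit status means at least one WARN line was printed.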
5. Configuring the Mount for the Local .env File
Next, mount the virtual .env file.
Open the Destinations tab. Click the [Set destination] button on the local .env file tile.

Click the [Select file path] button.

Specify the path where you previously placed the .env file.

After specifying the path for the .env file, click the [Mount .env file] button.

The .env file is now virtually mounted at the specified path.

6. Verifying Access to .env
Verify that the .env file is accessible.
vim /Users/ch3cooh/works/NSEasyConnect/NSEasyConnect/.env
When accessing the file at that path, 1Password hooks in and an access request dialog is displayed. After authenticating, you can access the .env file.

After authentication, you can access the .env file just as before.
# This file was generated by 1Password. Manual edits will be lost.
# For more information, see: https://developer.1password.com/docs/environments/local-env-file
revenueCatApiKey=XXXXXX_XXXXXXXXXXXXXX
7. Verifying Arkana Operation
Run Arkana and verify that the obfuscated code is generated correctly.
# Run in the project directory
bundle exec arkana
If successful, obfuscated code such as ArkanaKeys will be generated as usual. This confirms that 1Password's mounted .env file is being read correctly.
For detailed instructions on configuring Arkana, please refer to my previous article.
8. Integration with Xcode Cloud
In a CI/CD environment using Xcode Cloud, instead of using 1Password Environments, we use the environment variable feature of Xcode Cloud.
8-1. Setting Environment Variables in Xcode Cloud
- Open App Store Connect
- Select the target app
- Open Xcode Cloud > Settings
- Add environment variables in the Environment Variables section
Example:
revenueCatApiKey = appl_xxx...
Check the Secret box for each variable to protect the value.
8-2. Arkana Reading Environment Variables
By default, Arkana reads values in the following order of priority:
- Environment variables
- .env file
This means, without any special configuration:
- Locally: Reads from the .env file mounted by 1Password
- Xcode Cloud: Reads from environment variables
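The precedence described above can be checked before a build with a small preflight, added here as an example (not Arkana's own code; `preflight_keys` is a hypothetical name). It reports whether each required key would come from the environment or from the .env file without ever printing a value, and assumes plain KEY=value lines like the file shown in step 6.

```shell
#!/bin/sh
# Added example: show where each required key would be resolved from.
# Precedence follows the article: environment variables first, then the .env file.
# Usage: preflight_keys <env-file> KEY [KEY...]
# Prints "KEY: env", "KEY: dotenv" or "KEY: MISSING"; returns non-zero if any is missing.
preflight_keys() {
    file=$1
    shift

    # Read the file once. Assumption: with a 1Password-mounted .env, each open
    # may trigger an authorization prompt like the dialog shown in step 6.
    dotenv=""
    if [ -e "$file" ]; then
        dotenv=$(cat "$file") || { echo "cannot read $file" >&2; return 2; }
    fi

    missing=0
    for key in "$@"; do
        # printenv succeeds only for exported variables, which is what a
        # tool launched from this shell would actually inherit.
        if printenv "$key" >/dev/null 2>&1; then
            echo "$key: env"
        # Accept "KEY=value" and "export KEY=value"; an empty value counts as missing.
        elif printf '%s\n' "$dotenv" |
            grep -Eq "^[[:space:]]*(export[[:space:]]+)?${key}[[:space:]]*=."; then
            echo "$key: dotenv"
        else
            echo "$key: MISSING"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Locally every key should report `dotenv`; in Xcode Cloud, where no .env file exists, every key should report `env`.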
Operational Notes
1Password App Must Be Running
When running Arkana, the 1Password desktop app must be:
- Running
- Unlocked
If it is locked, the build will fail.
CI/CD Environments Require Separate Configuration
In CI/CD environments (Xcode Cloud, GitHub Actions, etc.), 1Password Environments cannot be used. You need to use the secret management features of each environment.
However, since 1Password also provides integration with AWS Secrets Manager, this can be considered for use in full-scale CI/CD environments. This article does not cover verification of AWS Secrets Manager usage.
Windows Is Currently Not Supported
Currently, 1Password Environments only supports Mac and Linux. The Windows version is reportedly under development.
Benefits
Here is a summary of the benefits I felt after actually using it in practice.
Improved Security
- Since the .env file does not physically exist on disk, it is impossible to accidentally commit it to Git
- Even running git add . will not detect virtual files
- Locking 1Password automatically blocks access to the .env file
Improved Development Efficiency
- When setting up a new Mac, simply logging into 1Password restores the environment variables
- After cloning a project and mounting the Environment, development can begin immediately
- Cached values are accessible even offline
Benefits for Team Development
- Environment variables can be securely shared with team members using 1Password's sharing feature
- No need to send secrets via Slack
- Change history for environment variables is recorded in 1Password
Summary
After actually using 1Password Environments in practice, I find it more convenient than I expected. In particular, since the .env file does not physically exist, I have been completely freed from the anxiety of "what if I accidentally commit it to Git."
In the context of iOS app development, combining it with Arkana allowed me to improve security while maintaining the existing workflow. By managing .env files with 1Password Environments for local development and using the environment variable features of Bitrise or Xcode Cloud for CI/CD environments, consistent secret management can be achieved.
It is currently available as a public beta supporting macOS/Linux, with the Windows version reportedly under development. While it is still in beta, it operates stably, and I think it is worth trying for anyone who feels challenged by secret management in iOS development.
Reference Links
- 1Password Environments Official Blog
- 1Password Environments Documentation
- Arkana - GitHub
- Preparing for the End of CocoaPods: Migrating from cocoapods‑keys to Arkana + SPM - Previous article by the author
- 1Password Developer Settings