I tried out the new ability to manage .env files with 1Password Environments

2025.11.17

In iOS development, managing secret information such as API keys and Firebase configuration is an important challenge. Many developers manage environment variables using .env files, but since they are stored on disk in plain text, there is always the risk of accidentally committing them to Git.

I use Arkana to obfuscate secret information (for details about Arkana, see my previous article), but managing the underlying .env files had been a challenge.

In October 2025, a new 1Password feature called "1Password Environments" was released as a public beta. This feature allows you to virtually mount .env files and manage secret information without writing it to disk.

This article introduces how to use 1Password Environments in combination with Arkana and Xcode Cloud.

Verification Environment

  • macOS 15.7.1 (24G231)
  • Xcode 26.1.1
  • 1Password desktop app 8.11.18
  • Arkana 1.4.0

Challenges with Traditional .env File Management

The .env file challenges that many developers face are as follows.

Security Risks

  • Secret information is stored on disk in plain text
  • Risk of forgetting to add to .gitignore and accidentally committing to Git
  • May be included in macOS backups

Challenges in Team Development

  • Sharing secrets with new members is cumbersome
  • Sending API keys via Slack or email is not ideal from a security standpoint
  • Updating environment variables across the entire team is tedious

Development Machine Migration

  • When setting up a new Mac, you need to search through past chats and documents to find secrets

What is 1Password Environments

1Password Environments is a feature that provides a dedicated workspace for securely managing secret information for development projects.

Key Features

  • Virtually mounts a .env file at a specified path
  • Secret information is not written to disk
  • Data is passed directly to applications through UNIX pipes
  • Compatible with existing dotenv libraries as-is
  • Tools that read .env files, such as Arkana, work as-is

How Virtual Mounting Works

When 1Password virtually mounts a .env file, no physical file exists on disk, yet applications can read it as a normal file. Access is automatically blocked when 1Password is locked, and cached values remain accessible even offline.

Configuration for the Development Environment

I develop iOS apps personally outside of work and manage secrets with the following configuration.

Local Development Environment

1Password Environments (.env virtual mount) → Arkana (obfuscated code generation) → Xcode (build)

CI/CD Environment (Xcode Cloud)

Xcode Cloud environment variables → Arkana (obfuscated code generation) → Build & distribution

This configuration allows secrets to be managed consistently and securely both locally and in CI/CD.

1. Enabling 1Password Developer Features

First, enable developer features in 1Password.

  1. Launch the 1Password desktop app
  2. Open Settings > Developer
  3. Turn on [Show 1Password developer experience]

This will display a "Developer" section in the sidebar.

2. Creating an Environment

Open the Developer section in the sidebar. Click the [Show environments] button on the environments tile.

Click the [New Environment] button. An input dialog for the environment name will appear; enter an appropriate environment name and click the save button. For this example, I used the name of the app under development as the environment name.

Click the [Show environment] button for the created app (environment).

3. Importing the .env File

Click the [Import .env file] button.

Select the .env file to import.

Review the imported keys and values, then click the [Save] button.

Once the import is complete, each environment variable is encrypted and securely stored as a 1Password item.

4. Deleting the Original .env File

Delete the original .env file for security.

cd /Users/ch3cooh/works/NSEasyConnect/NSEasyConnect

# Backup just in case
cp .env .env.backup

# Delete
rm .env

# Check if .env is included in .gitignore
grep -F '.env' .gitignore
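
A listing in .gitignore only shows that a pattern is present. As an added example (not part of the original article), the shell functions below ask Git itself whether `.env` and the `.env.backup` copy are ignored, still tracked, or already in history; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit a repository after moving .env into 1Password.
# Function names are hypothetical; only standard git subcommands are used.

# Print one status word for <path> inside <repo>:
#   tracked      - the file is in the index and will be committed
#   in-history   - the file was committed at some point; rotate what it held
#   not-ignored  - no ignore rule covers it, so `git add .` would stage it
#   ok           - ignored and never committed
secret_file_status() {
    r=$1; p=$2
    if git -C "$r" ls-files --error-unmatch -- "$p" >/dev/null 2>&1; then
        echo tracked
    elif [ -n "$(git -C "$r" log --all --format=%h -- "$p" 2>/dev/null)" ]; then
        echo in-history
    elif ! git -C "$r" check-ignore -q -- "$p" 2>/dev/null; then
        echo not-ignored
    else
        echo ok
    fi
}

# Audit several paths, printing "<path> <status>" for each.
# Returns 1 if any path is not "ok", so it can gate a script or a git hook.
audit_secret_files() {
    repo=$1; shift
    rc=0
    for path in "$@"; do
        result=$(secret_file_status "$repo" "$path")
        echo "$path $result"
        [ "$result" = ok ] || rc=1
    done
    return $rc
}
```

Run it as `audit_secret_files . .env .env.backup` from the project directory. A `.gitignore` entry of exactly `.env` does not cover `.env.backup`, which is the case this audit reports as `not-ignored`.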

5. Configuring the Mount for the Local .env File

Next, mount the virtual .env file.

Open the Destinations tab. Click the [Set destination] button on the local .env file tile.

Click the [Select file path] button.

Specify the path where you previously placed the .env file.

After specifying the path for the .env file, click the [Mount .env file] button.

The .env file is now virtually mounted at the specified path.

6. Verifying Access to .env

Verify that the .env file is accessible.

vim /Users/ch3cooh/works/NSEasyConnect/NSEasyConnect/.env 

When the file at that path is accessed, 1Password intercepts the access and displays an access request dialog. After authenticating, you can access the .env file.

After authentication, you can access the .env file just as before.

# This file was generated by 1Password. Manual edits will be lost.
# For more information, see: https://developer.1password.com/docs/environments/local-env-file
revenueCatApiKey=XXXXXX_XXXXXXXXXXXXXX

7. Verifying Arkana Operation

Run Arkana and verify that the obfuscated code is generated correctly.

# Run in the project directory
bundle exec arkana

If successful, obfuscated code such as ArkanaKeys will be generated as usual. This confirms that 1Password's mounted .env file is being read correctly.

For detailed instructions on configuring Arkana, please refer to my previous article.

8. Integration with Xcode Cloud

In a CI/CD environment using Xcode Cloud, instead of using 1Password Environments, we use the environment variable feature of Xcode Cloud.

8-1. Setting Environment Variables in Xcode Cloud

  1. Open App Store Connect
  2. Select the target app
  3. Open Xcode Cloud > Settings
  4. Add environment variables in the Environment Variables section

Example:

revenueCatApiKey = appl_xxx...

Check the Secret box for each variable to protect the value.

8-2. Arkana Reading Environment Variables

By default, Arkana reads values in the following order of priority:

  1. Environment variables
  2. .env file

This means, without any special configuration:

  • Locally: Reads from the .env file mounted by 1Password
  • Xcode Cloud: Reads from environment variables
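
A preflight check that follows the read order described above, as an added example (not Arkana's or 1Password's code): it classifies the .env path and reports whether each key would come from an environment variable or the .env file, without printing any value. It assumes the mounted file appears as a named pipe, in line with the UNIX-pipe behaviour listed under Key Features; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight before `bundle exec arkana`.
# Assumption: the 1Password mount shows up as a named pipe (FIFO) at the .env path.

# Classify the .env path without opening it (opening a mount triggers the prompt).
env_file_kind() {
    if [ -p "$1" ]; then echo pipe        # virtual mount, nothing stored on disk
    elif [ -f "$1" ]; then echo regular   # plaintext secrets are on disk
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# Print "<key> <source>" per key, never the value. Sources follow the order the
# article gives for Arkana: environment variable first, then the .env file.
# Returns 1 if any key cannot be resolved.
secret_sources() {
    file=$1; shift
    contents=""
    # Read the file once so a mounted file is requested a single time.
    if [ -e "$file" ]; then contents=$(cat "$file" 2>/dev/null) || contents=""; fi
    rc=0
    for key in "$@"; do
        case $key in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "$key invalid-name"; rc=1; continue ;;
        esac
        if printenv "$key" >/dev/null 2>&1; then
            echo "$key environment"
        elif printf '%s\n' "$contents" |
             grep -Eq "^[[:space:]]*(export[[:space:]]+)?${key}[[:space:]]*="; then
            echo "$key dotenv"
        else
            echo "$key missing"; rc=1
        fi
    done
    return $rc
}
```

Locally, `env_file_kind .env` reporting `regular` means a plaintext copy is on disk rather than the mount; on a CI runner every key should resolve to `environment`.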

Operational Notes

1Password App Must Be Running

When running Arkana, the 1Password desktop app must be:

  • Running
  • Unlocked

If it is locked, the build will fail.

CI/CD Environments Require Separate Configuration

In CI/CD environments (Xcode Cloud, GitHub Actions, etc.), 1Password Environments cannot be used. You need to use the secret management features of each environment.

However, since 1Password also provides integration with AWS Secrets Manager, this can be considered for use in full-scale CI/CD environments. This article does not cover verification of AWS Secrets Manager usage.

Windows Is Currently Not Supported

Currently, 1Password Environments only supports Mac and Linux. The Windows version is reportedly under development.

Benefits

Here is a summary of the benefits I felt after actually using it in practice.

Improved Security

  • Since the .env file does not physically exist on disk, it is impossible to accidentally commit it to Git
  • Even running git add . will not detect virtual files
  • Locking 1Password automatically blocks access to the .env file

Improved Development Efficiency

  • When setting up a new Mac, simply logging into 1Password restores the environment variables
  • After cloning a project and mounting the Environment, development can begin immediately
  • Cached values are accessible even offline

Benefits for Team Development

  • Environment variables can be securely shared with team members using 1Password's sharing feature
  • No need to send secrets via Slack
  • Change history for environment variables is recorded in 1Password

Summary

After actually using 1Password Environments in practice, I find it more convenient than I expected. In particular, since the .env file does not physically exist, I have been completely freed from the anxiety of "what if I accidentally commit it to Git."

In the context of iOS app development, combining it with Arkana allowed me to improve security while maintaining the existing workflow. By managing .env files with 1Password Environments for local development and using the environment variable features of Bitrise or Xcode Cloud for CI/CD environments, consistent secret management can be achieved.

It is currently available as a public beta supporting macOS/Linux, with the Windows version reportedly under development. While it is still in beta, it operates stably, and I think it is worth trying for anyone who feels challenged by secret management in iOS development.
