secrets management
262 Topics

SSH Bookmarks - broken on macOS
Hi, spent half a day on getting my (around 15) SSH keys and config sorted out. No success, at least not in "the way it's meant to be" by 1Password.

I'm pretty sure I did everything correctly (all on macOS): set the agent in config, checked all the right boxes to get the "Include" file, included it in configuration. And still, when I do `ssh -vvv ...` I see that the user and host get matched to the correct *.pub key, but the agent insists on offering every single key it knows. And we know where this ends - back in my shell, not on the remote machine.

So finally after several hours, I gave up and just copied the corresponding `IdentityFile` statements directly into config, removed the "Include" and can happily log in to my remote shells. Which kind of defeats the purpose of SSH bookmarks.

By the way I also never made it work to have a "Host" definition in my config while using its name as a url. Docs say that it works, it does not (at least for me). Example in config:

    Host machine-a
      Hostname machine-a.example.org
      User chilledbeany

and in 1Password:

    ssh://machine-a

No match. Only with ssh://chilledbeany@machine-a.example.org it matches, which is again, kind of wrong.

So, any guidance on what I do wrong or getting it fixed in 1Password is appreciated.

1 View, 0 likes, 0 Comments

🔊 Securing Cursor agentic development with 1Password Environments
Today we announced a new integration between 1Password and Cursor that helps you reduce exposing your credentials during agentic development. With the new 1Password Environment Hook Script for Cursor, you can use 1Password Environments to make required secrets both gated and available to Cursor’s AI agents just in time, during development (not just runtime).

Our new Hook Script makes 1Password the secure source of truth for secrets, tokens and credentials that Cursor might have access to in your .env files during development. Secrets are provided at runtime via 1Password, governed by the same vaults, policies, and permissions your team already relies on.

How it works (high level)

When a Cursor agent needs to run a command or perform an action that requires access to API keys, tokens or credentials:

1. Before Cursor runs any shell commands, the 1Password Environments Hook Script is invoked.
2. The script verifies that required locally mounted .env files from 1Password Environments are present and available.
3. If everything checks out, the script allows the command to run. If not, it returns context-specific instructions for how to fix the setup.
4. When a process requests access, 1Password prompts you to authorize and then makes the required secret available in memory.

Get started

If you’re experimenting with Cursor or rolling out AI-assisted workflows across your team or organization, this integration gives you a safer way to enable agents to assist your developers.

- Read the full announcement: “Bringing secure, just-in-time secrets to Cursor with 1Password”
- Explore the 1Password Environments documentation for Cursor Hooks

Questions, feedback, or early learnings? Reply here, we’d love to hear what you build.

12 Views, 1 like, 0 Comments

Environments with custom text file
So nice, I discovered the feature as I was about to develop a custom solution around 1Password CLI! Mounting a file is definitely the best path forward to get people to migrate to proper secrets management for local dev.

Got some issues when used for the `.dev.vars` of a Cloudflare Worker project, but I'd bet that's a bug in `@cloudflare/vite-plugin`.

What would be really awesome is to be able to have arbitrary text files stored securely in 1P and mounted at their destination. While the `.env` format covers most of our use cases, we do have secrets in other formats like json files and a few others.

- this could be helpful for secrets in code source as well
- this would also help with people wanting to preserve their original .env formatting

13 Views, 0 likes, 0 Comments

k8s External Secret access to 1P Item
Hi, I would like to know if it's possible to fetch a 1Password Item in K8s External Secrets by using its ID as a reference?

Sample:

    apiVersion: external-secrets.io/v1
    kind: ExternalSecret
    metadata:
      name: my-ssh-key
    spec:
      data:
        - remoteRef:
            key: "1321312" # 1Password Item ID
            property: "private key"
          secretKey: ssh-private-key
      secretStoreRef:
        kind: SecretStore
        name: "my-secret-store"
      target:
        creationPolicy: Owner
        name: "my-targ-et-name"

Thank you

9 Views, 0 likes, 0 Comments

CLI Slow Performance
I have the 1Password desktop app installed and up to date on my MacBook Pro, the `op` CLI is also installed, up to date, and working properly. All expected CLI queries work but they are surprisingly slow.

After a bunch of trial and error, it seems that it is making a round-trip online as part of every single CLI query. I added the --debug flag and I can see cache hits, but the round trip online is still occurring. Disabling the network interface causes all queries to fail.

Is it possible to get the 1Password CLI working fully offline to avoid all of this unnecessary round-trip business? Surely with the desktop app installed and CLI integration turned on, there has to be a way to make efficient (and offline) use of my 1Password vaults. Otherwise automation tasks that require secrets are simply too cumbersome to handle with 1Password, and I will require a secondary solution. And in that case, I may as well give up on 1Password.

236 Views, 2 likes, 8 Comments

Cannot find "Destinations" tab for mounting secrets to local .env files
I am trying to use the feature "Access secrets from 1Password through local .env files" but I cannot find the "Destinations" tab.

What I have done:

- Enabled "Show 1Password Developer experience" in Settings > Developer
- Enabled "Record and display activity"
- I can see and use the AWS Secrets Manager integration

What I expected:

According to the documentation, there should be a "Destinations" tab that allows me to mount secrets to a local .env file.

What I see:

The "Destinations" tab does not appear anywhere in the interface. I only see the AWS Secrets Manager integration option.

Environment:

- 1Password version: Latest
- OS: Windows
- Account type: Individual

Could you please help me understand how to access the Destinations feature, or let me know if this feature has been moved or deprecated? Thank you.

19 Views, 0 likes, 1 Comment

Local .env file option not available
The "Local .env file" option is not shown in my destination options for environments. The only option I have is AWS Secrets Manager. I tried with both my Business and Personal accounts and I have the same behaviour.

Am I missing something here? Do I have to enable a certain setting so that this option is available?

Thank you for your help!

Solved

78 Views, 2 likes, 5 Comments

Frustrations with .env File Handling and Environments in 1Password
To whom it may concern,

I just tried to add some basic .env files to 1Password and was honestly surprised at how difficult and unsatisfying the experience was. I’ve always considered 1Password a premium, polished product, and I’ve really enjoyed using it so far. But in this case, the lack of functionality is pretty disappointing.

I know you recently launched the Environments beta, which seems like a step in the right direction, but it’s clearly not fully fleshed out. Most programming projects of mine include multiple environment files, not just one. Some values in these files are sensitive, and others aren’t, so we should be able to choose which fields are masked (as passwords) and which are shown normally. Importing and exporting environment files should also be seamless, currently, it’s anything but.

But the biggest issue with Environments right now is that they apparently don’t belong to vaults. That means I can’t share them with coworkers, which makes them basically useless for team projects. What’s the point of having them at all if they can’t be shared?

So I tried workarounds:

First, I attempted to store the variables in a secure note. While you can manually add fields, that’s clunky and time-consuming.

Then I tried uploading the .env file to the note, but on macOS, the file picker doesn’t show hidden files, and apparently there’s no way to make it do so. This made it impossible to upload the file with its original name, a really basic oversight, and one that shouldn’t exist in a premium product.

Next, I tried using a Document item. At least the drag-and-drop upload worked (unlike Secure Notes), but now I’m locked into a document type that only allows a single file. That’s just not workable when a project has multiple secret environment files. Even worse, if I want to replace the file, the drag-and-drop UI disappears entirely, so I can’t upload a hidden file again. I’d have to delete the entire document and start over. That’s absurd.

I genuinely respect the work you’ve done on 1Password; it’s one of the few tools I’ve used that felt reliable and trustworthy out of the box. But these gaps in functionality around something as basic as handling environment files are frustrating. And for a product at this price point, I expect this sort of workflow to just work. It’s hard to believe these limitations haven’t already been addressed.

On top of that, it was surprisingly difficult to even find a proper way to give feedback like this. That feels like a mistake, if users can’t easily tell you where the product falls short, you miss the chance to improve it.

Anyway, I needed to get this off my chest. I hope this feedback is helpful, and that we’ll see improvements to these features soon.

Best regards,
Joël Grosjean

788 Views, 1 like, 5 Comments

Env var loading and validation for 1Password (open source!)
If you are using 1Password to manage any dev/application secrets, you might be interested in our open source tool - https://varlock.dev

We just released a new update that introduces a plugin system and our first plugin is for 1Password (of course) - see https://varlock.dev/plugins/1password/

Our tool lets you define a .env.schema file, which can contain decorator style comments to add additional metadata to your env. This is then used to do validation, generate types, etc. The tool also introduces a new function call syntax, and while you can talk to any external cli using the exec() function, the new 1Pass plugin also adds a new op() function which fetches items from 1Password.

So how is this different from using `op run`?

- Uses the SDK and service account tokens for deployed environments, and (optionally) uses op CLI for local dev (with biometric auth via the desktop app)
- Adds validation and coercion
- Automatic type generation (right now just for TypeScript, more to come)
- Understands which items are sensitive, and adds leak detection when possible
- Supports loading multiple env-specific files (.env.local, .env.production, etc)
- Supports explicit imports to break up files however you like
- Drop in integrations for many frameworks

You can also use Varlock alongside the new https://developer.1password.com/docs/environments/ by syncing your environment to a local file (such as `.env.local`) and varlock will automatically load those values, and apply its validation on top.

Would love for y'all to take a look, and to hear what you think! Oh and please give us a ⭐ on GitHub @ https://github.com/dmno-dev/varlock

---

An example .env.schema file using the new 1Password plugin

52 Views, 2 likes, 0 Comments