Securing Environment Variables with 1Password | Writing about tech and anything else I find interesting

Securing Environment Variables with 1Password

When I received my new laptop at Hashicorp, I began personalising it as we all do. I used dotfiles to configure iTerm, and quickly pulled down Brew to get (almost) everything I needed installed.

One of the first things I noticed that I didn’t have were the environment variables that normally read out of my bash profile. As I contemplated putting them in, I realised that it would be a lot more secure and a lot more portable if these were stored in 1Password (my personal secrets manager of choice).

Getting Familiar with the 1Password Schema

First up, I created a new 1Password entry, using the Password type. I called it “Environment Variables”.
I have put that entry into Edit mode in the image below so you can get a feel for the schema as it looks when you are setting this up in the UI.

1Password Schema

I named the Section as Environment Variables also, and created entries where the Label value matched the name of the environment variable I wanted to set. The value is… the value. You should also note from the screenshot that you can set the value type - I used “password” throughout in this case.

Next up, I grabbed the 1Password CLI and configured it per the official docs.

Once you’ve completed the configuration, login using eval $(op signin my)
Enter your master password, and if you’re using it your 2FA code.

Next up, you can run op get item "Environment Variables" | jq . to get a better handle on the schema layout.

You’ll note that the first section ('.details.sections[0]) actually contains the name and title of your entry. As you can see in the image below, the second entry contains the details that we want to make use of.

1Password Schema

The other thing that you’ll see here is that the key/value pair of the information that I’m after are represented by t and v respectively.

At this point, I thought I had enough of a handle on this to write it up as a bash script. The details of that are below.

To leverage this, simply source ~/.import_envvars.sh and away you go.

1Password Environment Variables