pw-env

Appearance

Star

Keep .env in your project.Keep secrets out of it.

pw-env resolves empty env keys from 1Password, Bitwarden, or GPG-backed files, then streams the results straight into your shell.

Install pw-env
Build your first project flow
pw-env

Secrets stay in the backend

Empty values and explicit references are resolved at runtime. pw-env exports resolved keys to stdout instead of writing a generated .env file back to disk.

Works with the shell you already use

Use pw-env export for one-off loading, or install a shell hook with pw-env init bash, pw-env init zsh, pw-env init fish, or pw-env init powershell.

Built for mixed env files

Secret-like plaintext values can be migrated into the backend, while safe local values can stay in the file with

Trust is explicit

Project-local overrides in .pw-env.toml and credential fetching from .env are approved separately and re-checked when the file contents change.

Rust CLI1Password, Bitwarden, and GPGAutomatic activation
Why it exists

pw-env keeps the project-facing ergonomics of a normal .env file while moving secret resolution to the edge of your shell session.

What changes in practice

Developers keep checked-in env shape, approvals stay explicit, and secret values stop drifting into repositories and local plaintext copies.

Example

console
eval "$(pw-env export . --shell bash)"
dotenv
DATABASE_URL=
API_KEY=op://Development/my-app/api_key
LOG_LEVEL=debug # pw-env:ignore
bash
DATABASE_URL=sqlite:///example.db
API_KEY=XdASdf923.....
LOG_LEVEL=debug # pw-env:ignore

Fast path

01Shape the project env

Leave secret keys empty or point them at a specific backend reference.

02Pick a default backend

Resolve empty values through 1Password, Bitwarden, or a GPG-backed env file.

03Load on demand or on cd

Export once for a shell session or install a hook that follows your working directory.

Install

console
curl -fsSL https://m42e.de/pw-env/install.sh | bash
powershell
PS> & ([scriptblock]::Create((irm https://m42e.de/pw-env/install.ps1)))
console
curl -fsSL https://m42e.de/pw-env/install.sh | bash -s -- --version v0.2.8
console
cargo build --release
./target/release/pw-env --help

Learn the flow

InstallationInstall the binary, check supported targets, and preview the manual locally.First projectSet up a .env, choose a backend, and run your first export.Migrate plaintext secretsMove existing values into 1Password, Bitwarden, or GPG without rewriting safe local settings.Approvals and trustUnderstand .pw-env.toml approvals, .env hash approvals, and project-wide fetch grants.Resolution modelSee how pw-env classifies entries and routes them to the correct backend.CLI referenceBrowse the commands, usage forms, and the approvals subcommands in one place.

What a project looks like

text
my-service/
├── .env
├── .pw-env.toml
└── .git/
dotenv
DATABASE_URL=
API_KEY=bw://env-secrets/my-service/api_key
LOG_LEVEL=debug # pw-env:ignore

Use a global config for defaults, and add .pw-env.toml only when a project needs a local override. The local override is discovered by walking upward from the current directory until the repository root.