Skip to main content
The env subcommand gives you granular control over named environments in the encrypted vault. Every environment is a named collection of secrets — stored outside your repository, encrypted at rest with a rotating data key wrapped by a project root key in the native OS credential manager. ironrun never offers reveal, clipboard-copy, or plaintext export.

Top-level shortcut commands

For the most common operations, ironrun provides short top-level aliases so you don’t need to type env every time:

Subcommands

Common workflows

Add a secret to the active environment

If you want to target a specific environment rather than the active one, pass its name first:

Create a staging environment and populate it from dev

Import from a .env file

env import only accepts owner-only files (permission mode 600). It refuses files inside the project directory unless you pass --allow-project-file, and it refuses any file readable by group or other.

Temporary environments

Temporary environments expire automatically. This is useful for short-lived work, CI overrides, or agent sessions you want to clean up without manual intervention:
The default TTL for temporary environments is 24 hours. The --ttl flag accepts standard Go duration strings: 30m, 8h, 24h.

One-run environment override

You don’t have to switch environments just to run a single command against a different set. Use --set on ironrun run:
The active environment for your project is unchanged after this invocation.

Flags

env set

--from-stdin
boolean
default:"false"
Read the secret value from stdin instead of a masked prompt. Requires --unsafe.
--unsafe
boolean
default:"false"
Acknowledge that piped input may appear in process listings or shell history. Required when using --from-stdin.

env create

--temporary
boolean
default:"false"
Mark this environment as temporary so it is eligible for automatic expiry.
--ttl
duration
default:"24h"
Lifetime for a temporary environment. Accepts Go duration strings such as 8h or 30m.

env clone

--yes
boolean
default:"false"
Skip the confirmation prompt before cloning secret values.

env remove

--yes
boolean
default:"false"
Skip the confirmation prompt before removing the entire environment set.

env import

--allow-project-file
boolean
default:"false"
Allow importing a .env file that lives inside the project directory. The file must still have owner-only permissions (600).
env export writes only KEY= template lines. It never exports plaintext secret values. There is no flag or option that changes this behaviour — ironrun does not have a plaintext export path.
The encrypted vault lives at ~/.ironrun/vaults/, outside your repository. Project metadata lives under .ironrun/ in your project directory and contains no secret values. The .ironrun/ directory is automatically git-ignored on creation.