Skip to main content
ironrun import reads an existing .env file and stores its values in the encrypted vault — showing only key names during the preview, never values. After import, secrets live in ~/.ironrun/vaults/ under per-environment AES-256-GCM encryption, and the source file can be deleted or gitignored.

Importing from a .env file

1

Make the .env owner-only

ironrun refuses to read files that are group- or world-readable. Set permissions before importing:
This also prevents other processes on the machine from reading the file while you work.
2

Run the import

ironrun reads the file and displays the key names only — no values are shown. You’ll see something like:
Confirm with y. ironrun encrypts each value, verifies the encrypted copy, and rolls back if any step fails.
3

Verify the import

Check that all keys landed in the active environment:
or list environments and their key names:
Both commands show key names only — values are never displayed.
4

Remove or gitignore the source file

ironrun does not delete the plaintext .env for you. Once you’ve verified the import, handle the source file yourself:
ironrun continues to warn you while the plaintext source file remains on disk.

Adding a single secret interactively

For adding one key at a time, use ironrun add. It prompts for the value with input masking so the secret never appears on screen:

TUI alternative

Running ironrun with no arguments opens the terminal control room. From there you can:
  • Navigate to an environment and choose Add secret to add a single value with a masked prompt
  • Choose Import to walk through the same key-name preview and confirmation flow as ironrun import
The TUI never offers a reveal, clipboard-copy, or plaintext-export action.

Requirements and restrictions

  • Source files must be owner-only (chmod 600). ironrun refuses files readable by group or others.
  • Source files must not be inside the project directory if they are group/other-readable.
  • Imports accept standard KEY=value dotenv format, one entry per line.

What ironrun stores

Encrypted bytes live in ~/.ironrun/vaults/ — outside your repository and never committed to git. Each environment has a rotating data key wrapped by a project root key stored in the native OS credential manager (Keychain on macOS, Secret Service on Linux). Project metadata under .ironrun/ contains no secret values.
ironrun does not delete the plaintext .env file after import — it warns while the source file remains on disk. Delete it or add it to .gitignore yourself after verifying the import succeeded.
ironrun env export (or env export in the TUI) writes only a KEY= template file — key names with empty values. It never exports plaintext secret values. Use it to share the shape of an environment without sharing any credentials.