ironrun import reads an existing .env file and stores its values in the encrypted vault — showing only key names during the preview, never values. After import, secrets live in ~/.ironrun/vaults/ under per-environment AES-256-GCM encryption, and the source file can be deleted or gitignored.
Importing from a .env file
1
Make the .env owner-only
ironrun refuses to read files that are group- or world-readable. Set permissions before importing:This also prevents other processes on the machine from reading the file while you work.
2
Run the import
y. ironrun encrypts each value, verifies the encrypted copy, and rolls back if any step fails.3
Verify the import
Check that all keys landed in the active environment:or list environments and their key names:Both commands show key names only — values are never displayed.
4
Remove or gitignore the source file
ironrun does not delete the plaintext ironrun continues to warn you while the plaintext source file remains on disk.
.env for you. Once you’ve verified the import, handle the source file yourself:Adding a single secret interactively
For adding one key at a time, useironrun add. It prompts for the value with input masking so the secret never appears on screen:
TUI alternative
Runningironrun with no arguments opens the terminal control room. From there you can:
- Navigate to an environment and choose Add secret to add a single value with a masked prompt
- Choose Import to walk through the same key-name preview and confirmation flow as
ironrun import
Requirements and restrictions
- Source files must be owner-only (
chmod 600). ironrun refuses files readable by group or others. - Source files must not be inside the project directory if they are group/other-readable.
- Imports accept standard
KEY=valuedotenv format, one entry per line.
What ironrun stores
Encrypted bytes live in~/.ironrun/vaults/ — outside your repository and never committed to git. Each environment has a rotating data key wrapped by a project root key stored in the native OS credential manager (Keychain on macOS, Secret Service on Linux). Project metadata under .ironrun/ contains no secret values.
ironrun env export (or env export in the TUI) writes only a KEY= template file — key names with empty values. It never exports plaintext secret values. Use it to share the shape of an environment without sharing any credentials.