> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ironrun.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Import .env Files into ironrun's Encrypted Secret Vault

> Import credentials from existing .env files into ironrun's encrypted vault using ironrun import. Keys are previewed; values are never displayed.

`ironrun import` reads an existing `.env` file and stores its values in the encrypted vault — showing only key names during the preview, never values. After import, secrets live in `~/.ironrun/vaults/` under per-environment AES-256-GCM encryption, and the source file can be deleted or gitignored.

## Importing from a .env file

<Steps>
  <Step title="Make the .env owner-only">
    ironrun refuses to read files that are group- or world-readable. Set permissions before importing:

    ```bash theme={null}
    chmod 600 .env
    ```

    This also prevents other processes on the machine from reading the file while you work.
  </Step>

  <Step title="Run the import">
    ```bash theme={null}
    ironrun import .env
    ```

    ironrun reads the file and displays the **key names only** — no values are shown. You'll see something like:

    ```
    Import into dev (values hidden): DATABASE_URL, OPENAI_API_KEY, RESEND_API_KEY, SENTRY_DSN, STRIPE_SECRET_KEY

    Encrypt these keys? [y/N]
    ```

    Confirm with `y`. ironrun encrypts each value, verifies the encrypted copy, and rolls back if any step fails.
  </Step>

  <Step title="Verify the import">
    Check that all keys landed in the active environment:

    ```bash theme={null}
    ironrun status
    ```

    or list environments and their key names:

    ```bash theme={null}
    ironrun envs
    ```

    Both commands show key names only — values are never displayed.
  </Step>

  <Step title="Remove or gitignore the source file">
    ironrun does **not** delete the plaintext `.env` for you. Once you've verified the import, handle the source file yourself:

    ```bash theme={null}
    # Option A — delete it
    rm .env

    # Option B — keep it locally but exclude from git
    echo ".env" >> .gitignore
    ```

    ironrun continues to warn you while the plaintext source file remains on disk.
  </Step>
</Steps>

## Adding a single secret interactively

For adding one key at a time, use `ironrun add`. It prompts for the value with input masking so the secret never appears on screen:

```bash theme={null}
ironrun add OPENAI_API_KEY
# Enter value for OPENAI_API_KEY: ••••••••••••••••
# Saved OPENAI_API_KEY in dev. Value is never displayed.
```

## TUI alternative

Running `ironrun` with no arguments opens the terminal control room. From there you can:

* Navigate to an environment and choose **Add secret** to add a single value with a masked prompt
* Choose **Import** to walk through the same key-name preview and confirmation flow as `ironrun import`

The TUI never offers a reveal, clipboard-copy, or plaintext-export action.

## Requirements and restrictions

* Source files must be **owner-only** (`chmod 600`). ironrun refuses files readable by group or others.
* Source files must not be inside the project directory if they are group/other-readable.
* Imports accept standard `KEY=value` dotenv format, one entry per line.

## What ironrun stores

Encrypted bytes live in `~/.ironrun/vaults/` — outside your repository and never committed to git. Each environment has a rotating data key wrapped by a project root key stored in the native OS credential manager (Keychain on macOS, Secret Service on Linux). Project metadata under `.ironrun/` contains no secret values.

<Warning>
  ironrun does **not** delete the plaintext `.env` file after import — it warns while the source file remains on disk. Delete it or add it to `.gitignore` yourself after verifying the import succeeded.
</Warning>

<Note>
  `ironrun env export` (or `env export` in the TUI) writes only a `KEY=` template file — key names with empty values. It never exports plaintext secret values. Use it to share the shape of an environment without sharing any credentials.
</Note>
