GuideJanuary 19, 20276 min read

ConfigSync + 1Password: The Complete Secrets Workflow

Store your synced secrets in 1Password vaults. Get 1Password's sharing, 2FA, and access logs layered on top of ConfigSync's encrypted sync.

Two Tools, One Workflow

ConfigSync and 1Password solve adjacent problems. ConfigSync syncs your development environment across machines: editor settings, shell config, SSH keys, and environment variables. 1Password manages passwords and secrets with a focus on sharing, access control, and audit logging. When you combine them, you get the best of both worlds.

By setting 1Password as your ConfigSync secrets provider, secrets flow through 1Password's infrastructure instead of ConfigSync's built-in encrypted storage. This means you get 1Password's vault sharing with teammates, biometric unlock, hardware key support, and detailed access logs, all while ConfigSync handles the sync workflow.

Setting Up the Integration

The integration uses the 1Password CLI (op) under the hood. ConfigSync talks to op to store and retrieve secrets from your 1Password vault.

Install and configure

# Step 1: Install the 1Password CLI $ brew install --cask 1password-cli # Step 2: Sign in to 1Password CLI $ op signin # Step 3: Set 1Password as your ConfigSync secrets provider $ configsync config set secrets.provider 1password # Step 4: Optionally specify a vault (default: "Private") $ configsync config set secrets.1password.vault "Development" # Verify the integration $ configsync config get secrets.provider 1password

The 1Password CLI integrates with 1Password's desktop app for biometric unlock. Once connected, you can authenticate with Touch ID or Windows Hello instead of typing your master password.

Storing Secrets via ConfigSync

Once configured, configsync secret set stores secrets in your 1Password vault instead of the local encrypted store. The interface is identical; only the backend changes.

Store and retrieve secrets

# Store a secret (goes to 1Password vault) $ configsync secret set DB_PASSWORD Enter value: ******** Stored DB_PASSWORD in 1Password vault "Development". # Retrieve a secret $ configsync secret get DB_PASSWORD Fetching from 1Password... done. (value copied to clipboard) # List all ConfigSync secrets in 1Password $ configsync secret list Name Provider Vault ──── ──────── ───── DB_PASSWORD 1password Development AWS_ACCESS_KEY_ID 1password Development STRIPE_SECRET_KEY 1password Development GITHUB_TOKEN 1password Development

How Secrets Flow Between Machines

When you push from Machine A, ConfigSync tells 1Password to store the secret. When you pull on Machine B, ConfigSync uses the 1Password CLI to retrieve it. The secret never passes through ConfigSync's servers at all.

Sync flow with 1Password

# Machine A: Push secrets $ configsync push -m "Updated API keys" Syncing secrets via 1Password... ✓ DB_PASSWORD (vault: Development) ✓ STRIPE_SECRET_KEY (vault: Development) Pushed config snapshot (1.2 MB). # Machine B: Pull secrets $ configsync pull Pulling config snapshot... Fetching secrets from 1Password... ✓ DB_PASSWORD (from vault: Development) ✓ STRIPE_SECRET_KEY (from vault: Development) Restored 24 configs + 4 secrets.

Why Use 1Password Instead of Built-in Encryption

ConfigSync's built-in secrets provider (Fernet/AES encryption with a master password) is secure and works well for individual developers. The 1Password integration adds features that matter for teams and security-conscious users:

Feature	Built-in Provider	1Password Provider
Encryption	AES-256-GCM	AES-256-GCM (1Password)
Sharing	Via ConfigSync team features	Via 1Password vault sharing
2FA / Biometrics	Master password only	Touch ID, hardware keys, TOTP
Access logs	Snapshot history	Detailed per-secret access logs
Offline access	Yes (local cache)	Yes (1Password local cache)
Recovery	Master password	1Password account recovery
Cost	Free	Requires 1Password subscription

Team Workflows

The combination is especially powerful for teams. A team lead can share a 1Password vault with the team. All ConfigSync secrets stored in that vault are automatically available to every team member with vault access.

Team secret sharing

# Team lead: create a shared vault # (Done in 1Password app or admin console) # Vault: "Team - Development Secrets" # Team lead: configure ConfigSync to use the shared vault $ configsync config set secrets.1password.vault "Team - Development Secrets" # Team lead: store team secrets $ configsync secret set SHARED_DB_URL $ configsync secret set SHARED_API_KEY # Team members: configure the same vault $ configsync config set secrets.provider 1password $ configsync config set secrets.1password.vault "Team - Development Secrets" # Team members: pull to get shared secrets $ configsync pull Fetching secrets from 1Password vault "Team - Development Secrets"... ✓ SHARED_DB_URL ✓ SHARED_API_KEY

When someone leaves the team, removing their access to the 1Password vault instantly revokes their access to all shared secrets. No rotation needed unless they previously copied values to their local machine.

Getting Started

If you already use 1Password and ConfigSync separately, combining them takes less than a minute. Install the 1Password CLI, sign in, and point ConfigSync at 1Password as the secrets provider. Your existing ConfigSync workflow stays the same. The only difference is where secrets are stored, and that difference buys you sharing, biometrics, and detailed access logs.

For teams evaluating secret management options, the ConfigSync + 1Password combination provides developer-friendly secret management without the overhead of a dedicated secrets platform like HashiCorp Vault. It is the right level of tooling for teams that need more than plaintext env files but less than enterprise secrets infrastructure.

Ready to try ConfigSync?

Sync your entire dev environment across machines in minutes. Free forever for up to 3 devices.

Get Started Read the Docs