Import from 1Password
kovra import copies a credential from 1Password into the vault as a
literal — a one-time copy, not a live link. kovra reads the value once through
the op CLI, seals it, and keeps no relationship to 1Password afterward. From
then on the secret is governed entirely by kovra.
Import a value
Section titled “Import a value”Point --from at a 1Password secret reference (op://<vault>/<item>/<field>).
The value is read once and sealed; only the op:// address ever touches argv,
and the value is never printed:
~ % kovra import secret:dev/db/password --from op://Personal/db/passwordImported dev/db/password from 1Password (Medium) — value stored, not shown.Windows — coming soon. The same model on Windows Hello + Credential Manager.
A prod coordinate is born high, same as any other secret. This requires the
op CLI installed and signed in — kovra shells out to op read to fetch the
value.
A copy, not a reference
Section titled “A copy, not a reference”Import is deliberately a copy: after it runs, the value lives in your kovra vault under kovra’s policy, with no dependency on 1Password staying reachable or signed in. That’s the opposite of a cloud reference, which keeps the value in the provider and resolves it live each time.
Reach for import when you want to bring an existing secret under kovra’s governance once; reach for a reference when the cloud manager should remain the source of truth.