Security Practices

We handle client infrastructure. Security isn’t optional.

1Password

We use 1Password as our central security tool. It handles passwords, secrets, SSH keys, and commit signing. You’ll receive an invitation to the team vault.

Install

brew install --cask 1password
brew install --cask 1password-cli

Enable the 1Password CLI integration in 1Password > Settings > Developer > Integrate with 1Password CLI.

SSH Agent

1Password has a built-in SSH agent. Instead of managing keys manually, let 1Password handle it.

Enable it:

Open 1Password > Settings > Developer
Turn on Use the SSH agent
Turn on Authorize SSH keys for Git operations

Configure your SSH config (~/.ssh/config):

Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Create an SSH key in 1Password:

In 1Password, create a new SSH Key item
Choose Ed25519 as the key type
Give it a title like “GitHub - Work”
Copy the public key

Add to GitHub:

Go to GitHub SSH Keys
Add the public key as both an Authentication Key and a Signing Key

When you git push or ssh to a server, 1Password will prompt for biometric approval. No more ssh-add or managing key files.

Commit Signing with SSH via 1Password

Use the same SSH key stored in 1Password to sign your commits:

# Use SSH for commit signing
git config --global gpg.format ssh

# Point to the 1Password SSH agent signing program
git config --global gpg.ssh.program "/Applications/1Password.app/Contents/MacOS/op-ssh-sign"

# Set your signing key (paste your public key from 1Password)
git config --global user.signingkey "ssh-ed25519 AAAA..."

# Sign all commits and tags by default
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Every commit will now be signed via 1Password with biometric approval. No GPG keychain to manage, no passphrase to remember.

Verify it works:

echo "test" | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n test 2>/dev/null || echo "Using 1Password agent"
git commit --allow-empty -m "test: verify commit signing"
git log --show-signature -1

Your commits will show as “Verified” on GitHub.

CLI Integration

The 1Password CLI lets you inject secrets into commands without exposing them:

# Sign in (or use biometric unlock)
eval $(op signin)

# Reference a secret from 1Password
export API_KEY=$(op read "op://Private/API Key/credential")

# Or use op run to inject into a command
op run --env-file=.env.1p -- bun run dev

Plugin for AWS, GitHub, etc.

1Password can manage CLI credentials for cloud tools:

# Set up the 1Password shell plugin for AWS
op plugin init aws

# Now aws commands authenticate through 1Password
aws sts get-caller-identity

Supported plugins include AWS, GitHub CLI, Stripe, and more. See op plugin list for the full list.

.env Files

Never commit .env files. Use .env.example with placeholder values:

# .env.example
DATABASE_URL=postgresql://user:password@localhost:5432/dbname
API_KEY=your-api-key-here

For local development, create .env from the example and fill in real values from 1Password. Or better, use op run with a .env.1p file that references 1Password items directly:

# .env.1p
DATABASE_URL=op://Development/Database/connection-string
API_KEY=op://Development/API/credential

op run --env-file=.env.1p -- bun run dev

Two-Factor Authentication

Enable 2FA on everything. No exceptions.

GitHub - Required for org membership
AWS - Required for all IAM users
Azure / GCP - Required where available
1Password - Your master password + biometric

Use 1Password to store TOTP codes, or a hardware key (YubiKey) for critical accounts. Avoid SMS-based 2FA.

YubiKeys

We keep a stock of YubiKeys available for the team. If you need one for 1Password, AWS, GitHub, or other critical infrastructure, ask your team lead. We’ll get one shipped to you.

YubiKeys are recommended for:

1Password - use as a hardware security key for your vault
AWS root accounts - hardware MFA for root access
GitHub - passkey or security key authentication
Any client system that supports FIDO2/WebAuthn

Once you have your YubiKey, register it with your accounts as a security key. Always register at least two methods (YubiKey + 1Password TOTP) so you’re not locked out if you lose the key.

Secrets in Code

What NOT to commit

API keys, tokens, passwords
.env files with real values
Private keys or certificates
Client credentials or connection strings
Terraform state files containing secrets

Detection Tools

We run detect-secrets and trufflehog to catch accidental commits:

# Scan for secrets in current directory
detect-secrets scan

# Scan git history for leaked secrets
trufflehog git file://. --only-verified

Set up a pre-commit hook to scan before every commit:

# Using prek or pre-commit
detect-secrets-hook --baseline .secrets.baseline

git-crypt for Encrypted Files

Some repos use git-crypt to encrypt specific files in the repo:

brew install git-crypt

# Unlock an existing repo (requires GPG key added to the repo)
git-crypt unlock

age for File Encryption

For one-off file encryption, use age:

# Encrypt
age -r age1... secret.txt > secret.txt.age

# Decrypt
age -d -i key.txt secret.txt.age > secret.txt

AWS Credentials

Never store long-lived AWS credentials in plain text. Use one of:

aws-vault (recommended) - stores credentials in your OS keychain:

brew install --cask aws-vault

# Add credentials
aws-vault add staging

# Run a command with temporary credentials
aws-vault exec staging -- terraform plan

AWS SSO - if the client uses IAM Identity Center:

aws sso login --profile client-staging

Client Security

When working on client projects:

Keep client data isolated. Don’t mix client credentials or data across projects.
Use separate AWS profiles per client.
Follow the client’s security policies in addition to ours.
Report incidents immediately. If you suspect a credential leak or breach, tell your team lead right away. Speed matters.
Clean up when you’re done. Revoke temporary credentials and remove local secrets when you roll off a project.

Next Steps

Continue to macOS for Developers to configure your system defaults.