diff --git a/lib/kamal/cli/main.rb b/lib/kamal/cli/main.rb
index b1f01238..f5ad8397 100644
--- a/lib/kamal/cli/main.rb
+++ b/lib/kamal/cli/main.rb
@@ -148,9 +148,16 @@ class Kamal::Cli::Main < Kamal::Cli::Base
       puts "Created configuration file in config/deploy.yml"
     end
 
-    unless (deploy_file = Pathname.new(File.expand_path(".env"))).exist?
-      FileUtils.cp_r Pathname.new(File.expand_path("templates/template.env", __dir__)), deploy_file
-      puts "Created .env file"
+    unless (secrets_file = Pathname.new(File.expand_path(".kamal/secrets"))).exist?
+      FileUtils.mkdir_p secrets_file.dirname
+      FileUtils.cp_r Pathname.new(File.expand_path("templates/secrets", __dir__)), secrets_file
+      puts "Created .kamal/secrets file"
+
+      gitignore = Pathname.new(File.expand_path(".gitignore"))
+      if gitignore.exist? && !gitignore.read.include?(".kamal/secrets")
+        gitignore.open("a") { |f| f.puts "\n.kamal/secrets*" }
+        puts "Added .kamal/secrets* to .gitignore"
+      end
     end
 
     unless (hooks_dir = Pathname.new(File.expand_path(".kamal/hooks"))).exist?
diff --git a/lib/kamal/cli/templates/secrets b/lib/kamal/cli/templates/secrets
new file mode 100644
index 00000000..cfa312ef
--- /dev/null
+++ b/lib/kamal/cli/templates/secrets
@@ -0,0 +1,6 @@
+# SECRETS=$(kamal secrets --adapter 1password --from Vault/Item Section1/KAMAL_REGISTRY_PASSWORD Section2/RAILS_MASTER_KEY)
+# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
+# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
+
+KAMAL_REGISTRY_PASSWORD=change-this
+RAILS_MASTER_KEY=another-env
diff --git a/lib/kamal/cli/templates/template.env b/lib/kamal/cli/templates/template.env
deleted file mode 100644
index 89411448..00000000
--- a/lib/kamal/cli/templates/template.env
+++ /dev/null
@@ -1,2 +0,0 @@
-KAMAL_REGISTRY_PASSWORD=change-this
-RAILS_MASTER_KEY=another-env
diff --git a/test/cli/main_test.rb b/test/cli/main_test.rb
index c742afe9..43e24ced 100644
--- a/test/cli/main_test.rb
+++ b/test/cli/main_test.rb
@@ -384,40 +384,40 @@ class CliMainTest < CliTestCase
   end
 
   test "init" do
-    Pathname.any_instance.expects(:exist?).returns(false).times(3)
-    Pathname.any_instance.stubs(:mkpath)
-    FileUtils.stubs(:mkdir_p)
-    FileUtils.stubs(:cp_r)
-    FileUtils.stubs(:cp)
+    in_dummy_git_repo do
+      run_command("init").tap do |output|
+        assert_match "Created configuration file in config/deploy.yml", output
+        assert_match "Created .kamal/secrets file", output
+        assert_match "Added .kamal/secrets* to .gitignore", output
+      end
 
-    run_command("init").tap do |output|
-      assert_match /Created configuration file in config\/deploy.yml/, output
-      assert_match /Created \.env file/, output
+      assert_file "config/deploy.yml", "service: my-app"
+      assert_file ".kamal/secrets", "KAMAL_REGISTRY_PASSWORD=change-this"
+      assert_file ".gitignore", %r{\n.kamal/secrets\*\n}
     end
   end
 
   test "init with existing config" do
-    Pathname.any_instance.expects(:exist?).returns(true).times(3)
+    in_dummy_git_repo do
+      run_command("init")
 
-    run_command("init").tap do |output|
-      assert_match /Config file already exists in config\/deploy.yml \(remove first to create a new one\)/, output
+      run_command("init").tap do |output|
+        assert_match /Config file already exists in config\/deploy.yml \(remove first to create a new one\)/, output
+        assert_no_match /Added .kamal\/secrets/, output
+      end
     end
   end
 
   test "init with bundle option" do
-    Pathname.any_instance.expects(:exist?).returns(false).times(4)
-    Pathname.any_instance.stubs(:mkpath)
-    FileUtils.stubs(:mkdir_p)
-    FileUtils.stubs(:cp_r)
-    FileUtils.stubs(:cp)
-
-    run_command("init", "--bundle").tap do |output|
-      assert_match /Created configuration file in config\/deploy.yml/, output
-      assert_match /Created \.env file/, output
-      assert_match /Adding Kamal to Gemfile and bundle/, output
-      assert_match /bundle add kamal/, output
-      assert_match /bundle binstubs kamal/, output
-      assert_match /Created binstub file in bin\/kamal/, output
+    in_dummy_git_repo do
+      run_command("init", "--bundle").tap do |output|
+        assert_match "Created configuration file in config/deploy.yml", output
+        assert_match "Created .kamal/secrets file", output
+        assert_match /Adding Kamal to Gemfile and bundle/, output
+        assert_match /bundle add kamal/, output
+        assert_match /bundle binstubs kamal/, output
+        assert_match /Created binstub file in bin\/kamal/, output
+      end
     end
   end
 
@@ -523,4 +523,18 @@ class CliMainTest < CliTestCase
         stdouted { Kamal::Cli::Main.start }
       end
     end
+
+    def in_dummy_git_repo
+      Dir.mktmpdir do |tmpdir|
+        Dir.chdir(tmpdir) do
+          `git init`
+          `echo '/.bundle\n/log/*\n/tmp/*' > .gitignore`
+          yield
+        end
+      end
+    end
+
+    def assert_file(file, content)
+      assert_match content, File.read(file)
+    end
 end