diff --git a/README.md b/README.md index d54f3e2b..f3700fab 100644 --- a/README.md +++ b/README.md @@ -314,6 +314,21 @@ accessories: Now run `mrsk accessory start mysql` to start the MySQL server on 1.1.1.3. See `mrsk accessory` for all the commands possible. +### Using a generated .env file + +If you're using a centralized secret store, like 1Password, you can create `.env.erb` as a template which looks up the secrets. Example of a .env.erb file: + +```erb +<% if (session_token = `op signin --account my-one-password-account --raw`.strip) != "" %># Generated by mrsk envify +GITHUB_TOKEN=<%= `gh config get -h github.com oauth_token`.strip %> +MRSK_REGISTRY_PASSWORD=<%= `op read "op://Vault/Docker Hub/password" -n --session #{session_token}` %> +RAILS_MASTER_KEY=<%= `op read "op://Vault/My App/RAILS_MASTER_SECRET" -n --session #{session_token}` %> +MYSQL_ROOT_PASSWORD=<%= `op read "op://Vault/My App/MYSQL_ROOT_PASSWORD" -n --session #{session_token}` %> +<% else raise ArgumentError, "Session token missing" end %> +``` + +This template can safely be checked into git. Then everyone deploying the app can run `mrsk envify` when they setup the app for the first time or passwords change to get the correct `.env` file. + ## Commands ### Running commands on servers diff --git a/lib/mrsk/cli/main.rb b/lib/mrsk/cli/main.rb index 29e43c5b..1ebb9552 100644 --- a/lib/mrsk/cli/main.rb +++ b/lib/mrsk/cli/main.rb @@ -104,6 +104,11 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base end end + desc "envify", "Create .env by evaluating .env.erb" + def envify + File.write(".env", ERB.new(IO.read(Pathname.new(File.expand_path(".env.erb")))).result) + end + desc "remove", "Remove Traefik, app, and registry session from servers" def remove invoke "mrsk:cli:traefik:remove"
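Review bot: The closing paragraph of the README hunk says the template "can safely be checked into git", but nothing tells the reader that the generated `.env` must not be. The output of `mrsk envify` holds the registry password, `RAILS_MASTER_KEY` and the MySQL root password in plaintext, so I would add a sentence telling users to list `.env` in `.gitignore` (and `.dockerignore` if the build context includes the project root). A second point on the template itself: only the `op signin` result is checked, so if one of the `op read` calls or `gh config get` fails, the corresponding variable is written as an empty value with no error. Consider noting that in the docs or having the example check the exit status of each lookup. Minor: "when they setup the app" should read "set up".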
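Review bot: In `envify`, `File.write(".env", ...)` creates the file with default, umask-dependent permissions, which on many systems leaves the generated secrets readable by other local users. I would pass an explicit mode, e.g. `File.write(".env", content, perm: 0600)`, keeping in mind that `perm` only applies when the file is created, so an existing `.env` keeps its old mode unless it is chmod'ed. Two smaller points on the same line: a missing `.env.erb` surfaces as a raw `Errno::ENOENT` rather than a clear message, and an existing `.env` is overwritten without notice, which matters if a lookup in the template failed and produced empty values. The `Pathname.new(File.expand_path(".env.erb"))` wrapper is also more than `IO.read` needs; `File.read(".env.erb")` reads the same file.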