diff --git a/.gitignore b/.gitignore
index 51573bb983b305894841efeebe17ec6ec6cee9d9..495a93b7feb55e3e9f38ffb64b99f5a29e0cf1cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,4 +24,5 @@ _testmain.go
 *.test
 *.prof
 
+.env
 vaultenv
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..431a2675b54a3b2ddd47ec998010ae958b74cd2a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+# Vault Environment Tool
+
+The following example sets up a policy with read-only access to secrets, and an 'lts' role that has a token ttl of 10 years.
+
+
+```
+> vault policy-write secret-ro acl.hcl
+> vault write /auth/token/roles/lts allowed_policies="secret-ro" period="87600h"
+> vault token-create -role lts
+
+Key            	Value
+---            	-----
+token          	15958ab2-0e1a-3264-ff47-6963ed45aa68
+token_accessor 	815f1db5-2fd0-2471-e233-faf6fc9718c9
+token_duration 	87600h0m0s
+token_renewable	true
+token_policies 	[default secret-ro]
+
+> export VAULT_TOKEN=15958ab2-0e1a-3264-ff47-6963ed45aa68
+> vault read auth/token/lookup-self
+
+Key             	Value
+---             	-----
+accessor        	815f1db5-2fd0-2471-e233-faf6fc9718c9
+creation_time   	1478099538
+creation_ttl    	315360000
+display_name    	token
+explicit_max_ttl	0
+id              	15958ab2-0e1a-3264-ff47-6963ed45aa68
+meta            	<nil>
+num_uses        	0
+orphan          	false
+path            	auth/token/create/lts
+policies        	[default secret-ro]
+renewable       	true
+role            	lts
+ttl             	315359676
+```
diff --git a/acl.hcl b/acl.hcl
new file mode 100644
index 0000000000000000000000000000000000000000..03dcb466bdcc0d9efce82ff3603d16c758ddfb02
--- /dev/null
+++ b/acl.hcl
@@ -0,0 +1,3 @@
+path "secret/*" {
+  policy = "read"
+}
diff --git a/cmd/read.go b/cmd/read.go
index fd179953b01f35a7918857a1bc5bb13a339fb166..33cc960e6377c6c1a0cd500b5a6f8cc1d198bcf6 100644
--- a/cmd/read.go
+++ b/cmd/read.go
@@ -4,10 +4,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 
 	"gitlab.hedenstroem.com/go/vaultenv/vault"
 
+	"strconv"
+
+	"strings"
+
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -24,7 +27,10 @@ var readCmd = &cobra.Command{
 		if data != nil {
 			if viper.GetBool("shell") {
 				for k, v := range data {
-					fmt.Printf("%s=%s; export %s;\n", strings.ToUpper(k), v, strings.ToUpper(k))
+					qv := strconv.QuoteToASCII(v.(string))
+					qv = strings.Replace(qv, "'", "\\x27", -1)
+					qv = qv[1 : len(qv)-1]
+					fmt.Printf("%s=$'%s'; export %s;\n", k, qv, k)
 				}
 			} else {
 				b, _ := json.MarshalIndent(data, "", "\t")
diff --git a/cmd/write.go b/cmd/write.go
index 74e4bc7569dd9a3a6fc74252269ebef72c358ab2..4c5fae49a4968a415ae9697a0b5cf8c982a77e9d 100644
--- a/cmd/write.go
+++ b/cmd/write.go
@@ -2,6 +2,8 @@ package cmd
 
 import (
 	"errors"
+	"io/ioutil"
+	"os"
 
 	"github.com/spf13/cobra"
 	"gitlab.hedenstroem.com/go/vaultenv/vault"
@@ -12,12 +14,21 @@ var writeCmd = &cobra.Command{
 	Short: "write Short",
 	Long:  `write Long`,
 	RunE: func(cmd *cobra.Command, args []string) (err error) {
-		if len(args) != 3 {
-			return errors.New("Expected 3 arguments")
+		if len(args) < 2 {
+			return errors.New("Expected at least 2 arguments")
 		}
 		data, err := vault.GetSecret(args[0])
 		if data != nil {
-			data[args[1]] = args[2]
+			if len(args) == 2 {
+				var b []byte
+				b, err = ioutil.ReadAll(os.Stdin)
+				if err != nil {
+					return
+				}
+				data[args[1]] = string(b)
+			} else {
+				data[args[1]] = args[2]
+			}
 			err = vault.PostSecret(args[0], data)
 		}
 		return