Show HN: Dotenv Mask Editor: No more embarrassing screen leaks of your .env

Hi HN,

I built this because I often work in coworking spaces or do screen sharing, and I've always had this fear of accidentally flashing my .env file with production secrets to the whole room (or recording).

It’s a simple VS Code extension that opens .env files in a custom grid editor. It automatically masks any value longer than 6 characters so I can safely open the file to check keys without exposing the actual secrets.

It runs 100% locally with zero dependencies (I know how sensitive these files are). It just reads the file, renders the grid, and saves it back as standard text.

It's open source (MIT) and I'd love any feedback on the masking logic or other features that would make it safer to use.

Marketplace: https://marketplace.visualstudio.com/items?itemName=xinbenlv... Github https://github.com/xinbenlv/dotenv-mask-editor

marketplace.visualstudio.com

18 points

xinbenlv

12 hours ago

23 comments

esperent 6 hours ago

I recently got a phone with a high zoom level - once you factor in digital zooming it's 20x. The photo quality at that zoom level is trash, but it absolutely could be used to read text from people's laptop screens from across a big room, or even another building through a window.

Of course, real cameras have always had this kind of zoom level. The difference is that now, someone could appear to be browsing on their phone from very far away, but actually be reading text on your laptop screen.

It's much more likely they'll be looking for credit card details or something like that rather than .env secrets. But I guess it's better safe than sorry if you frequently work in a public, tech focused environment like a big coworking space.

We're talking someone sitting with their phone 50 meters away from you being able to read text on your laptop screen. That's about the distance where a person with good vision will struggle to recognize faces.

  • verdverm 6 hours ago

    Would they need something to help with stabilization at that zoom and distance?

    • esperent 3 hours ago

      Like sitting at a table and resting their phone on it, sure.

__MatrixMan__ 7 hours ago

I recently made this as a component in a larger project https://gist.github.com/MatrixManAtYrService/7fc7fb05474d971...

The idea is that even if you can't see the full data for some reason (space constraints, in my case), different values will appear styled differently even if the non-hidden characters don't differ.

I'm not sure how easy/hard vscode makes this, bit it might be fun to use a hash of the secret (salted by that character's index) to determine the back/foreground colors of the *'s

That way even though you can't see the secret, you can tell that it has changed. Also you're in a position to notice if two hidden secrets are the same (this might clue the user into a mistake, like if they didn't actually copy what they think they copied and are instead pasting the previous thing.

dietr1ch 6 hours ago

> I've always had this fear of accidentally flashing my .env file with production secrets to the whole room (or recording).

Can't you just intersperse entries with multiple-screens-worth of blank lines, or add noisy variables?

I'm thinking that 120 blank lines at the beginning and the end might be enough though, no need to make the file really hard to use.

electromech 3 hours ago

or, don't put secrets in .env files...

globular-toast 5 hours ago

Why would you have "production secrets" in a .env file in the first place? I feel like that's the real problem here.

  • xinbenlv 5 hours ago

    We use infiscial and other mechanism but hey, wouldn't it be nice to have one less square inch of attack surface?

    • globular-toast 3 hours ago

      Why not have one less square mile of attack surface by not having secrets in a .env file in the first place?

      What are people doing that requires something like this?

      • pjjpo an hour ago
        2 more

        I think it's common to have dev not production secrets there, and am reading the blurb about production secrets as non-local secrets. Even dev keys are a pain if they get leaked.

        The idea seems nice with a simple yet effective implementation. While I think I currently have a shell script syntax highlight plugin reading env files, it's definitely overkill. Now if only this could protect from random npm packages reading your env files...

        • dissent an hour ago

          This implies there's some kind of shared resource out there on the network that your devs are developing on. Why not make all these resources part of your local dev stack, served on localhost, and use dummy credentials? You can even commit them because they're not sensitive.

svgeek 7 hours ago

OMG,I wish I had this years ago!

  • xinbenlv 6 hours ago

    Thanks, glad you liked it!

theozero 11 hours ago

Better than masking them in a file, get them out of the file entirely! Pull them declaratively instead - https://varlock.dev

This tool also redacts from your logs if working in js.

  • NewJazz 6 hours ago

    What does this offer that a scriptlet that sets the envvars doesn't?

  • xinbenlv 9 hours ago

    [dead]

    • nonethewiser 7 hours ago

      Bravo Founder and CEO of Namefi, but the DNS seems to resolve just fine. Do you understand the DNS space? Perhaps you could find out more using this little side project I've been working on: https://www.google.com/.

      • theozero 6 hours ago
        2 more

        yeah for our DNS we use a little provider called... Cloudflare.

        But hey some tokenized crypto dns provider is probably much more reliable! lol

        • xinbenlv 6 hours ago

          Exactly, exactly

      • xinbenlv 6 hours ago

        Haha thanks my friend, well said.