Share .env files securely, no browser, no copy-paste.
Envoy encrypts your credentials end-to-end and turns them into a one-time link, all without leaving VS Code.
Sender (you):
- Right-click any `.env` file in the Explorer
- Pick expiration time, toggle delete-after-reading, and set an optional password
- An encrypted link is copied to your clipboard, web link or VS Code deep link
Receiver (your teammate):
- VS Code deep link: click the `vscode://` link to open the note directly, no Command Palette needed
- Web link: run Envoy: Open Note from the Command Palette, paste the URL, enter the password if prompted
The decrypted content opens as an untitled file, never auto-saved.
No Envoy? No problem, the link also works in any browser at enclosed.cc.
- The encryption key lives only in the link fragment; it is never sent to the server
- Share the link through a private channel (DM, encrypted chat), never in a public thread
- Notes are ephemeral: by default they self-destruct after the first read
- No account required, no data retained beyond the note's TTL
Envoy uses AES-256-GCM encryption with PBKDF2 key derivation, the same parameters as the Enclosed web app.
Encryption and decryption happen inside Envoy using the VS Code runtime's native Web Crypto, so the instance (enclosed.cc by default) only ever stores an encrypted blob and cannot read your file.
That guarantee holds as long as both sides use Envoy. If a recipient opens a
web link in a browser instead, they download and run decryption JavaScript served
by the instance. A compromised or malicious instance could serve code that
exfiltrates the key from the link fragment. This is an inherent limitation of any
browser-based "client-side" encryption, not specific to Envoy. For this reason
Envoy copies the VS Code deep link by default, keeping decryption inside the
extension. Enable `envoy.shouldCopyEnclosedUrl` only when you accept that trust
trade-off, or self-host the instance so the served code is yours.
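The sketch below is an added example, not Envoy's or Enclosed's code: it uses Web Crypto to show how a note can be encrypted locally so that the instance stores only ciphertext while the key material travels in the link fragment. The iteration count, salt and IV sizes, payload field names, link layout, note ID and the `notes.example.test` host are assumptions for illustration, not Enclosed's actual parameters.

```javascript
// Added illustration, not Envoy's or Enclosed's source. Iteration count, salt/IV sizes,
// payload fields and link layout are assumptions for the demo.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const b64u = (bytes) => Buffer.from(bytes).toString("base64url");
const unb64u = (s) => Buffer.from(s, "base64url");

// PBKDF2 over (random base key + optional password) yields the AES-256-GCM key.
async function deriveKey(baseKey, password, salt) {
  const material = await wc.subtle.importKey(
    "raw", Buffer.concat([baseKey, enc.encode(password)]), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 100000 }, // assumed parameters
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Sender: returns the blob the instance stores and the link given to the receiver.
async function createNote(plaintext, password, instanceUrl, noteId) {
  const baseKey = wc.getRandomValues(new Uint8Array(32));
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(baseKey, password, salt);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  const serverPayload = { salt: b64u(salt), iv: b64u(iv), ciphertext: b64u(ct) };
  const link = new URL(`/${noteId}`, instanceUrl);
  link.hash = b64u(baseKey); // fragment stays in the client, never in the HTTP request
  return { serverPayload, link: link.href };
}

// Receiver: key material from the fragment, ciphertext from the instance.
async function openNote(link, serverPayload, password) {
  const baseKey = unb64u(new URL(link).hash.slice(1));
  const key = await deriveKey(baseKey, password, unb64u(serverPayload.salt));
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: unb64u(serverPayload.iv) }, key, unb64u(serverPayload.ciphertext));
  return new TextDecoder().decode(pt); // decrypt rejects on a wrong key, password or blob
}

// What an HTTP client sends for this link: path and query only, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Constructed demo: what the instance sees versus what the receiver holds.
createNote("API_KEY=constructed-sample\n", "", "https://notes.example.test", "demo-note-id")
  .then(({ serverPayload, link }) => console.log(requestTarget(link), serverPayload, link));
```

Because the fragment is the only place the key material appears, anyone who can read the full link can decrypt the note, which is why the link itself must go through a private channel.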
| Setting | Default | Description |
|---|---|---|
| `envoy.enclosedInstanceUrl` | `https://enclosed.cc` | Enclosed instance to use |
| `envoy.defaultTtl` | `86400` (1 day) | Default link expiration, in seconds |
| `envoy.defaultDeleteAfterReading` | `true` | Destroy note after first read |
| `envoy.shouldCopyEnclosedUrl` | `false` | Copy VS Code deep link to clipboard; enable to copy the web link instead |
Access via Settings → Extensions → Envoy or add to your settings.json.
To point Envoy to your own Enclosed instance:
- Open Settings → Extensions → Envoy → Instance URL (`envoy.enclosedInstanceUrl`)
- Set it to your instance, e.g. `https://notes.mycompany.com`
For self-hosting Enclosed itself, see the Enclosed documentation.
Envoy uses Enclosed as its backend by default. Enclosed is an independent open-source project by @CorentinTh, not affiliated with this extension.
Icon credits: see ATTRIBUTION.md.


