Skip to content
| Marketplace
Sign in
Visual Studio Code>Other>Custos — .env GuardianNew to Visual Studio Code? Get it now.
Custos — .env Guardian

Custos — .env Guardian

MrFOMO

|
2 installs
| (2) | Free
Smart .env safety, drift detection, and peer-to-peer encrypted key sharing
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

EnvGuard

Smart .env safety, drift detection, and peer-to-peer end-to-end encrypted key sharing — right inside VS Code.

Features

  • Drift detection — flags keys that exist in .env.example but are missing from your .env (and vice-versa) in the Problems panel.
  • Secret scanner — warns when API keys, tokens, or private keys are hard-coded in source files instead of .env.
  • Usage tracer — Cmd/Ctrl+Click a process.env.KEY to jump to its .env definition; hover a .env key to see every file that uses it.
  • Encrypted key sharing — share selected .env values with a teammate using their GitHub SSH identity. Keys are encrypted client-side with X25519 + XChaCha20-Poly1305; the relay server only ever sees ciphertext.
  • .env.example sync — one command to add missing (redacted) keys to your example file.

Commands

Command Description
EnvGuard: Share Keys Securely Open the share panel to send encrypted keys
EnvGuard: Receive Shared Keys Import keys from a share link
EnvGuard: Compare Env Files Compare two or more env files
EnvGuard: Sync .env.example Add missing keys to .env.example

Configuration

Setting Default Description
envguard.relayUrl https://relay.envguard.dev Relay server URL for encrypted sharing
envguard.enableSecretScanner true Warn on secrets in non-.env files
envguard.secretTTLMinutes 10 Minutes before a shared link expires

Security model

  • The relay stores only ciphertext and never sees plaintext values.
  • Share links are one-time (deleted on first read) and expire after 10 minutes.
  • A fresh ephemeral key pair is used per message, providing forward secrecy.
  • Recipient identity is bootstrapped from their public GitHub ed25519 SSH key.

MVP note: the recipient's X25519 private key is entered manually via a password input. vscode.SecretStorage integration lands in v0.2 before any public release.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft