Envoy - Secure .env sharing

Eduardo Guedes

5 installs | (0) | Free
Share .env files securely via Enclosed — end-to-end encrypted, ephemeral links inside VS Code
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Envoy

Share .env files securely, no browser, no copy-paste.

Envoy encrypts your credentials end-to-end and turns them into a one-time link, all without leaving VS Code.

How it works

Sender (you):

  1. Right-click any .env file in the Explorer
  2. Pick expiration time, toggle delete-after-reading, and set an optional password
  3. An encrypted link is copied to your clipboard, as either a web link or a VS Code deep link

Receiver (your teammate):

  • VS Code deep link: click the vscode:// link to open the note directly, no Command Palette needed
  • Web link: run Envoy: Open Note from the Command Palette, paste the URL, enter the password if prompted

The decrypted content opens as an untitled file, never auto-saved.

No Envoy? No problem: the link also works in any browser at enclosed.cc.

Security

  • The encryption key lives only in the link fragment; it is never sent to the server
  • Share the link through a private channel (DM, encrypted chat), never in a public thread
  • Notes are ephemeral: by default they self-destruct after the first read
  • No account required, no data retained beyond the note's TTL

Envoy uses AES-256-GCM encryption with PBKDF2 key derivation, the same parameters as the Enclosed web app.
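
The sketch below is an added example, not code from Envoy or Enclosed. It uses Web Crypto to show the properties listed above: the instance receives only ciphertext, the key material stays in the URL fragment, and a wrong password is rejected by GCM authentication. The PBKDF2 iteration count, the way the password is mixed with the link key, the blob layout, the link shape and the note ID are all assumptions.

```javascript
// Added illustration; NOT Envoy's or Enclosed's source. Iteration count, salt use,
// password mixing, blob layout and link shape are assumptions made for this sketch.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const b64u = (buf) => Buffer.from(buf).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Derive the AES-256-GCM key from the random link key (+ optional password) via PBKDF2.
async function deriveKey(baseKey, password, salt) {
  const material = await wc.subtle.importKey(
    'raw', Buffer.concat([Buffer.from(baseKey), enc.encode(password)]), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 100000 }, // assumed parameters
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Sender: encrypt locally. Only `upload` would go to the instance; `fragment` stays in the link.
async function seal(plaintext, password = '') {
  const baseKey = wc.getRandomValues(new Uint8Array(32));
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per note
  const key = await deriveKey(baseKey, password, salt);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { upload: { salt: b64u(salt), iv: b64u(iv), ct: b64u(ct) }, fragment: b64u(baseKey) };
}

// Receiver: rebuild the key from the fragment (+ password); a wrong key fails the GCM tag check.
async function unseal(upload, fragment, password = '') {
  const key = await deriveKey(unb64u(fragment), password, unb64u(upload.salt));
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64u(upload.iv) }, key, unb64u(upload.ct));
  return new TextDecoder().decode(pt);
}

// The part of a link an HTTP client sends to the server: the #fragment is excluded.
function requestTarget(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

async function demo() {
  const env = 'DB_PASSWORD=constructed-sample\nAPI_KEY=constructed-sample\n'; // constructed input
  const { upload, fragment } = await seal(env, 'constructed-passphrase');
  const link = `https://enclosed.cc/placeholder-note-id#${fragment}`; // hypothetical link shape
  const roundTrip = await unseal(upload, fragment, 'constructed-passphrase');
  const wrongPw = await unseal(upload, fragment, 'wrong').then(() => 'decrypted', () => 'rejected');
  return { sent: requestTarget(link), roundTrip, wrongPw, leaked: JSON.stringify(upload).includes(fragment) };
}

demo().then(console.log);
```
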

A note on trust

Encryption and decryption happen inside Envoy using the VS Code runtime's native Web Crypto, so the instance (enclosed.cc by default) only ever stores an encrypted blob. It cannot read your file.

That guarantee holds as long as both sides use Envoy. If a recipient opens a web link in a browser instead, they download and run decryption JavaScript served by the instance. A compromised or malicious instance could serve code that exfiltrates the key from the link fragment. This is an inherent limitation of any browser-based "client-side" encryption, not specific to Envoy. For this reason Envoy copies the VS Code deep link by default, keeping decryption inside the extension. Enable envoy.shouldCopyEnclosedUrl only when you accept that trust trade-off, or self-host the instance so the served code is yours.

Configuration

| Setting | Default | Description |
| --- | --- | --- |
| envoy.enclosedInstanceUrl | https://enclosed.cc | Enclosed instance to use |
| envoy.defaultTtl | 86400 (1 day) | Default link expiration, in seconds |
| envoy.defaultDeleteAfterReading | true | Destroy note after first read |
| envoy.shouldCopyEnclosedUrl | false | Copy VS Code deep link to clipboard; enable to copy the web link instead |

Access via Settings → Extensions → Envoy or add to your settings.json.

Self-hosting

To point Envoy to your own Enclosed instance:

  1. Open Settings → Extensions → Envoy → Instance URL (envoy.enclosedInstanceUrl)
  2. Set it to your instance, e.g. https://notes.mycompany.com

For self-hosting Enclosed itself, see the Enclosed documentation.

About

Envoy uses Enclosed as its backend by default. Enclosed is an independent open-source project by @CorentinTh, not affiliated with this extension.

Icon credits: see ATTRIBUTION.md.
