Hiding sensitive lines in Proxmox Notes using HTML comments is a neat trick I use when I want short-term secrets out of the rendered UI without deleting them from the config. Proxmox Notes render HTML, so text wrapped in an HTML comment — — does not appear in the rendered Notes panel. That makes the Notes field less noisy in screenshots and keeps temporary values out of the straight view, but it is not a security boundary. Treat it as a convenience, not a vault.
To use this, open the VM or container Notes field in the Proxmox web UI and paste the text you want to hide inside standard HTML comment tags. For example:
The visible portion of the Notes box will omit that line when rendered. The editor still shows the comment, and the raw configuration that Proxmox stores will contain the text. I keep the comment short and clear so I can spot it in the editor. Use plain ASCII inside comments to avoid unexpected rendering quirks.
Practical uses are simple and specific. Put one-time passwords, temporary API keys, or short maintenance commands inside comments to avoid them appearing in screenshots or quick glances. Keep longer documentation or visible notes outside comments so colleagues can read instructions without opening the editor. A helpful pattern I use is a visible header followed by hidden details:
That keeps the workflow clear while hiding the secret. For quick audits, search the VM/CT config or open the Notes editor; the hidden lines remain accessible to anyone with editor privileges, so tag or prefix them clearly, for example HIDDEN: or SECRET:, so they stand out when you do an audit.
Security best practices come first. Do not rely on HTML comments as a security control. Comments are stored in the Proxmox configuration and are visible to anyone with sufficient privileges or filesystem access. Make sure access to the Proxmox UI is restricted with strong accounts and two-factor authentication. Use a proper secret store or password manager for credentials you need to keep long term. When I put a credential into a comment, I treat it as ephemeral: rotate or remove it after the task, and move the secret into a vault if it must persist. Also record where the real secret lives instead of keeping only the secret in a comment.
Keep notes tidy and audit-ready. Use a consistent tagging scheme and a short comment prefix so a grep or config scan finds them quickly. For example, prefix comments with SECRET:VMID or TEMP:. That gives you a precise search string to locate accidental secrets. Avoid embedding full passwords in large blocks of text. If you must include command snippets, redact the secret and include a vault reference, for example SECRET_REF: vault://vm-42/root. Finally, set a simple housekeeping routine. Check notes for commented secrets after maintenance, rotate any temporary passwords, and remove comments you no longer need.
Takeaways: HTML comments in Proxmox Notes hide text from the rendered panel and keep the visible UI tidy. The editor and stored config still contain the commented text, so do not treat comments as secure storage. Use comments for short-lived convenience only, tag them so they are easy to find, and move lasting secrets into a proper password manager or vault.
