Hiding sensitive lines in Proxmox Notes with HTML comments is a handy trick when I want short-term secrets out of the rendered UI without deleting them from the config. Proxmox Notes render HTML, so text wrapped in an HTML comment, <!-- secret here -->, does not appear in the rendered Notes panel. That keeps the visible notes cleaner and keeps temporary values out of plain sight, but it is not a security boundary. Treat it as convenience, not storage.
To use it, open the VM or container Notes field in the Proxmox web UI and paste the text you want to hide inside standard HTML comment tags. For example:
<!-- root password: P@ssw0rd123 -->
The visible part of the Notes box will omit that line when rendered. The editor still shows the comment, and the raw configuration that Proxmox stores will contain the text. I keep the comment short and clear so it is easy to spot in the editor. Use plain ASCII inside comments to avoid odd rendering quirks.
Practical uses are simple. Put one-time passwords, temporary API keys, or short maintenance commands inside comments so they do not end up in screenshots or quick glances. Keep longer documentation or visible notes outside comments so colleagues can read the instructions without opening the editor. A pattern I use is a visible header followed by hidden details:
Maintenance notes: reboot steps below
<!-- temp password: ChangeMeOnce -->
That keeps the workflow clear while hiding the secret. For quick audits, search the VM or container config or open the Notes editor; the hidden lines are still there for anyone with editor access. I tag them clearly, for example HIDDEN: or SECRET:, so they stand out when I review them later.
Security still comes first. Do not rely on HTML comments as a security control. Comments are stored in the Proxmox configuration and are visible to anyone with enough privileges or filesystem access. Restrict access to the Proxmox UI with strong accounts and two-factor authentication. Use a proper secret store or password manager for credentials you need to keep long term. When I put a credential into a comment, I treat it as temporary: rotate or remove it after the task, and move the secret into a vault if it needs to stay around. I also note where the real secret lives instead of leaving the comment as the only record.
Keep the notes tidy and easy to audit. Use a consistent tagging scheme and a short comment prefix so a grep or config scan finds them quickly. For example, prefix comments with SECRET:VMID or TEMP:. That gives you a precise search string to locate accidental secrets. Avoid embedding full passwords in large blocks of text. If you need to include command snippets, redact the secret and add a vault reference, for example SECRET_REF: vault://vm-42/root. Set a simple housekeeping routine too: check notes for commented secrets after maintenance, rotate any temporary passwords, and remove comments you no longer need.
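One way to run the config scan described above, as an added example that is not part of the original post. It assumes Proxmox stores the Notes text in the guest config file as lines starting with # with characters such as : percent-encoded, so a raw grep for SECRET: can miss a tag that the decoded text contains. The sample config, function names and keyword heuristic are constructed for illustration.

```python
import re
import sys
from urllib.parse import unquote

# Tags suggested in the text. SECRET_REF points at a vault, it is not a secret.
TAGS = ("SECRET_REF:", "SECRET:", "TEMP:", "HIDDEN:")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Heuristic (an assumption) for untagged comments that look like credentials.
SUSPICIOUS_RE = re.compile(r"pass(word|wd)?|secret|token|api[ _-]?key", re.I)

# Constructed sample of a stored guest config, not taken from a real host.
SAMPLE_CONFIG = """\
#Maintenance notes%3A reboot steps below
#<!-- TEMP%3A temp password%3A ChangeMeOnce -->
#<!-- root password%3A P@ssw0rd123 -->
#<!-- SECRET_REF%3A vault%3A//vm-42/root -->
#<!-- layout hint for the panel -->
cores: 2
memory: 2048
"""

def notes_from_config(config_text):
    # Assumed storage format: one '#'-prefixed, percent-encoded line per note line.
    lines = [unquote(line[1:]) for line in config_text.splitlines()
             if line.startswith("#")]
    return "\n".join(lines)

def find_hidden_comments(config_text):
    # Return (kind, comment_text) for every HTML comment in the decoded notes.
    findings = []
    for match in COMMENT_RE.finditer(notes_from_config(config_text)):
        body = match.group(1).strip()
        tag = next((t for t in TAGS if body.startswith(t)), None)
        if tag == "SECRET_REF:":
            kind = "reference"            # pointer to the vault, safe to keep
        elif tag:
            kind = "tagged-secret"        # rotate or remove after the task
        elif SUSPICIOUS_RE.search(body):
            kind = "untagged-suspicious"  # accidental secret without a tag
        else:
            kind = "other"
        findings.append((kind, body))
    return findings

if __name__ == "__main__":
    # Pass guest config files as arguments; prints the kind only, never the text.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for kind, _ in find_hidden_comments(fh.read()):
                print(f"{path}: {kind}")
```

The command-line output reports only the classification per file, so the audit itself does not copy secrets into terminal scrollback or logs.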
HTML comments in Proxmox Notes hide text from the rendered panel and keep the visible UI tidy. The editor and stored config still contain the commented text, so do not treat comments as secure storage. Use them for short-lived convenience only, tag them so they are easy to find, and move lasting secrets into a proper password manager or vault.

