Adding Hidden Environment Variables
Environment variables make your scripts flexible and reusable across different devices and scenarios. When you mark a variable as hidden, it receives extra protection; however, it is important to understand what that means.
What does Hidden mean?
Hidden variables offer several layers of protection, but they are not completely inaccessible. Here is how they behave:
- They are encrypted when stored in KACE Cloud and on devices.
- They are masked in the UI and in logs.
- They are not visible to regular users.
However, during script execution, the variable must be decrypted and passed in plain text to the script interpreter. This means:
- Advanced users with device-level access (such as local admins or root users) may be able to view the variable.
- If the script runs as the current user, that user can see the variable.
Best Practices for using Hidden variables
To help protect sensitive data stored in hidden variables, follow these recommended practices:
- Use short-lived credentials that expire quickly.
- Scope API keys to only the permissions needed.
- Avoid storing highly sensitive data unless necessary.
- Review device access to ensure only trusted users have admin rights.
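Because the value reaches the script in plain text, the script itself can limit how far it spreads. The following is an added example, not KACE Cloud's own code: it assumes the hidden variable arrives as an ordinary environment variable, and the name `API_TOKEN`, the helper functions and the sample value are hypothetical.

```shell
#!/bin/sh
# Added example: API_TOKEN is a hypothetical hidden-variable name; its value is constructed.
set +x   # never trace: xtrace prints expanded values to stderr

# take_secret NAME: move the exported variable NAME into the non-exported
# shell variable SECRET so processes started afterwards do not inherit it.
take_secret() {
    _name=$1
    case $_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;   # reject anything that is not an identifier
    esac
    unset SECRET                    # drop any inherited, exported SECRET first
    eval "SECRET=\${$_name-}"       # safe: $_name was validated above
    unset "$_name"                  # remove it from this shell's environment
    [ -n "$SECRET" ]                # fail if the variable was missing or empty
}

# child_sees NAME: true if a newly spawned process has NAME in its environment.
child_sees() {
    env | grep -q "^$1="
}

# with_secret_on_stdin CMD...: feed the secret to CMD on stdin, keeping it out of
# CMD's argument list and environment (printf is a builtin in bash and dash).
with_secret_on_stdin() {
    printf '%s' "$SECRET" | "$@"
}

# --- demo with a constructed value standing in for the injected variable ---
API_TOKEN='tok_constructed_123'; export API_TOKEN
child_sees API_TOKEN && echo "before: child processes inherit API_TOKEN"
take_secret API_TOKEN || { echo "API_TOKEN missing" >&2; exit 1; }
child_sees API_TOKEN || echo "after: child processes no longer inherit it"
with_secret_on_stdin wc -c    # the consumer reads the value from stdin
```

This only stops the value from being inherited by later child processes or appearing in their arguments. A local admin, root user, or the user the script runs as can still view it, as described above.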