diff --git a/internal/web/actions/default/clusters/grants/grant.go b/internal/web/actions/default/clusters/grants/grant.go
index f917902e..55725b82 100644
--- a/internal/web/actions/default/clusters/grants/grant.go
+++ b/internal/web/actions/default/clusters/grants/grant.go
@@ -31,7 +31,14 @@ func (this *GrantAction) RunGet(params struct {
 
 	// TODO 处理节点专用的认证
 
-	grant := grantResp.NodeGrant
+	var grant = grantResp.NodeGrant
+
+	var privateKey = grant.PrivateKey
+	const maskLength = 64
+	if len(privateKey) > maskLength+32 {
+		privateKey = privateKey[:maskLength] + strings.Repeat("*", len(privateKey)-maskLength)
+	}
+
 	this.Data["grant"] = maps.Map{
 		"id":          grant.Id,
 		"name":        grant.Name,
@@ -39,7 +46,7 @@ func (this *GrantAction) RunGet(params struct {
 		"methodName":  grantutils.FindGrantMethodName(grant.Method, this.LangCode()),
 		"username":    grant.Username,
 		"password":    strings.Repeat("*", len(grant.Password)),
-		"privateKey":  grant.PrivateKey,
+		"privateKey":  privateKey,
 		"passphrase":  strings.Repeat("*", len(grant.Passphrase)),
 		"description": grant.Description,
 		"su":          grant.Su,
diff --git a/internal/web/actions/default/clusters/grants/index.go b/internal/web/actions/default/clusters/grants/index.go
index c3ca6406..c750917d 100644
--- a/internal/web/actions/default/clusters/grants/index.go
+++ b/internal/web/actions/default/clusters/grants/index.go
@@ -27,7 +27,7 @@ func (this *IndexAction) RunGet(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	page := this.NewPage(countResp.Count)
+	var page = this.NewPage(countResp.Count)
 	this.Data["page"] = page.AsHTML()
 
 	grantsResp, err := this.RPC().NodeGrantRPC().ListEnabledNodeGrants(this.AdminContext(), &pb.ListEnabledNodeGrantsRequest{
@@ -39,7 +39,7 @@ func (this *IndexAction) RunGet(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	grantMaps := []maps.Map{}
+	var grantMaps = []maps.Map{}
 	for _, grant := range grantsResp.NodeGrants {
 		// 集群数
 		countClustersResp, err := this.RPC().NodeClusterRPC().CountAllEnabledNodeClustersWithNodeGrantId(this.AdminContext(), &pb.CountAllEnabledNodeClustersWithNodeGrantIdRequest{NodeGrantId: grant.Id})
@@ -47,7 +47,7 @@ func (this *IndexAction) RunGet(params struct {
 			this.ErrorPage(err)
 			return
 		}
-		countClusters := countClustersResp.Count
+		var countClusters = countClustersResp.Count
 
 		// 节点数
 		countNodesResp, err := this.RPC().NodeRPC().CountAllEnabledNodesWithNodeGrantId(this.AdminContext(), &pb.CountAllEnabledNodesWithNodeGrantIdRequest{NodeGrantId: grant.Id})
@@ -55,7 +55,7 @@ func (this *IndexAction) RunGet(params struct {
 			this.ErrorPage(err)
 			return
 		}
-		countNodes := countNodesResp.Count
+		var countNodes = countNodesResp.Count
 
 		grantMaps = append(grantMaps, maps.Map{
 			"id":   grant.Id,
diff --git a/internal/web/actions/default/clusters/grants/update.go b/internal/web/actions/default/clusters/grants/update.go
index 1f609070..8ca0c997 100644
--- a/internal/web/actions/default/clusters/grants/update.go
+++ b/internal/web/actions/default/clusters/grants/update.go
@@ -1,12 +1,14 @@
 package grants
 
-import (	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/grants/grantutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/maps"
 	"golang.org/x/crypto/ssh"
+	"strings"
 )
 
 type UpdateAction struct {
@@ -34,15 +36,23 @@ func (this *UpdateAction) RunGet(params struct {
 
 	// TODO 处理节点专用的认证
 
-	grant := grantResp.NodeGrant
+	var grant = grantResp.NodeGrant
+
+	// private key
+	var privateKey = grant.PrivateKey
+	const maskLength = 64
+	if len(privateKey) > maskLength+32 {
+		privateKey = privateKey[:maskLength] + strings.Repeat("*", len(privateKey)-maskLength)
+	}
+
 	this.Data["grant"] = maps.Map{
 		"id":          grant.Id,
 		"name":        grant.Name,
 		"method":      grant.Method,
 		"methodName":  grantutils.FindGrantMethodName(grant.Method, this.LangCode()),
 		"username":    grant.Username,
-		"password":    grant.Password,
-		"privateKey":  grant.PrivateKey,
+		"password":    strings.Repeat("*", len(grant.Password)),
+		"privateKey":  privateKey,
 		"passphrase":  grant.Passphrase,
 		"description": grant.Description,
 		"su":          grant.Su,
@@ -85,15 +95,17 @@ func (this *UpdateAction) RunPost(params struct {
 		}
 
 		// 验证私钥
-		var err error
-		if len(params.Passphrase) > 0 {
-			_, err = ssh.ParsePrivateKeyWithPassphrase([]byte(params.PrivateKey), []byte(params.Passphrase))
-		} else {
-			_, err = ssh.ParsePrivateKey([]byte(params.PrivateKey))
-		}
-		if err != nil {
-			this.Fail("私钥验证失败，请检查格式：" + err.Error())
-			return
+		if !strings.HasSuffix(params.PrivateKey, "******") /* 非掩码 */ {
+			var err error
+			if len(params.Passphrase) > 0 {
+				_, err = ssh.ParsePrivateKeyWithPassphrase([]byte(params.PrivateKey), []byte(params.Passphrase))
+			} else {
+				_, err = ssh.ParsePrivateKey([]byte(params.PrivateKey))
+			}
+			if err != nil {
+				this.Fail("私钥验证失败，请检查格式：" + err.Error())
+				return
+			}
 		}
 	default:
 		this.Fail("请选择正确的认证方式")
diff --git a/web/views/@default/clusters/grants/create.html b/web/views/@default/clusters/grants/create.html
index fd48f397..4b02a415 100644
--- a/web/views/@default/clusters/grants/create.html
+++ b/web/views/@default/clusters/grants/create.html
@@ -33,7 +33,7 @@
 			<tr>
 				<td>SSH密码</td>
 				<td><input type="password" name="password" maxlength="100"/>
-				<p class="comment">SSH登录用户密码。</p> </td>
+				<p class="comment">SSH登录用户密码。<mask-warning></mask-warning></p> </td>
 			</tr>
 		</tbody>
 
@@ -50,7 +50,7 @@
 				<td>RSA私钥 *</td>
 				<td>
 					<file-textarea name="privateKey" spellcheck="false" placeholder="填入RSA私钥内容或者拖动私钥文件到当前框中"></file-textarea>
-					<p class="comment">用来生成登录SSH公钥的私钥。</p>
+					<p class="comment">用来生成登录SSH公钥的私钥。<mask-warning></mask-warning></p>
 				</td>
 			</tr>
             <tr>
diff --git a/web/views/@default/clusters/grants/grant.css b/web/views/@default/clusters/grants/grant.css
new file mode 100644
index 00000000..5b749aa1
--- /dev/null
+++ b/web/views/@default/clusters/grants/grant.css
@@ -0,0 +1,4 @@
+.CodeMirror-wrap pre {
+  word-break: break-all !important;
+}
+/*# sourceMappingURL=grant.css.map */
\ No newline at end of file
diff --git a/web/views/@default/clusters/grants/grant.css.map b/web/views/@default/clusters/grants/grant.css.map
new file mode 100644
index 00000000..72f12ebf
--- /dev/null
+++ b/web/views/@default/clusters/grants/grant.css.map
@@ -0,0 +1 @@
+{"version":3,"sources":["grant.less"],"names":[],"mappings":"AAAA,gBAAiB;EAChB,qBAAA","file":"grant.css"}
\ No newline at end of file
diff --git a/web/views/@default/clusters/grants/grant.less b/web/views/@default/clusters/grants/grant.less
new file mode 100644
index 00000000..064509cf
--- /dev/null
+++ b/web/views/@default/clusters/grants/grant.less
@@ -0,0 +1,3 @@
+.CodeMirror-wrap pre {
+	word-break: break-all !important;
+}
\ No newline at end of file
diff --git a/web/views/@default/clusters/grants/update.html b/web/views/@default/clusters/grants/update.html
index 152ac95d..81e02e17 100644
--- a/web/views/@default/clusters/grants/update.html
+++ b/web/views/@default/clusters/grants/update.html
@@ -34,7 +34,7 @@
 			<tr>
 				<td>SSH密码</td>
 				<td><input type="password" name="password" maxlength="100" v-model="grant.password"/>
-				<p class="comment">SSH登录用户密码。</p> </td>
+				<p class="comment">SSH登录用户密码。<mask-warning></mask-warning></p> </td>
 			</tr>
 		</tbody>
 
@@ -51,7 +51,7 @@
 				<td>RSA私钥 *</td>
 				<td>
 					<file-textarea name="privateKey" v-model="grant.privateKey" spellcheck="false" placeholder="填入RSA私钥内容或者拖动私钥文件到当前框中"></file-textarea>
-					<p class="comment">用来生成登录SSH公钥的私钥</p>
+					<p class="comment">用来生成登录SSH公钥的私钥。<mask-warning></mask-warning></p>
 				</td>
 			</tr>
             <tr>