diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
index 88de484955..7599337f25 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -35,6 +35,7 @@ final class PassphraseCredentialRevealController
           ->appendChild(
             id(new AphrontFormTextAreaControl())
               ->setLabel(pht('Plaintext'))
+              ->setReadOnly(true)
               ->setValue($credential->getSecret()->openEnvelope()));
       } else {
         $body = pht('This credential has no associated secret.');
@@ -46,6 +47,17 @@ final class PassphraseCredentialRevealController
         ->appendChild($body)
         ->addCancelButton($view_uri, pht('Done'));
 
+      $type_secret = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET;
+      $xactions = array(id(new PassphraseCredentialTransaction())
+        ->setTransactionType($type_secret)
+        ->setNewValue(true));
+
+      $editor = id(new PassphraseCredentialTransactionEditor())
+        ->setActor($viewer)
+        ->setContinueOnNoEffect(true)
+        ->setContentSourceFromRequest($request)
+        ->applyTransactions($credential, $xactions);
+
       return id(new AphrontDialogResponse())->setDialog($dialog);
     }
 
diff --git a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
index 126833e0ee..77fae20c5e 100644
--- a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
+++ b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
@@ -14,6 +14,7 @@ final class PassphraseCredentialTransactionEditor
     $types[] = PassphraseCredentialTransaction::TYPE_USERNAME;
     $types[] = PassphraseCredentialTransaction::TYPE_SECRET_ID;
     $types[] = PassphraseCredentialTransaction::TYPE_DESTROY;
+    $types[] = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET;
 
     return $types;
   }
@@ -35,6 +36,8 @@ final class PassphraseCredentialTransactionEditor
         return $object->getSecretID();
       case PassphraseCredentialTransaction::TYPE_DESTROY:
         return $object->getIsDestroyed();
+      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+        return null;
     }
 
     return parent::getCustomTransactionOldValue($object, $xaction);
@@ -49,6 +52,7 @@ final class PassphraseCredentialTransactionEditor
       case PassphraseCredentialTransaction::TYPE_USERNAME:
       case PassphraseCredentialTransaction::TYPE_SECRET_ID:
       case PassphraseCredentialTransaction::TYPE_DESTROY:
+      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
         return $xaction->getNewValue();
     }
     return parent::getCustomTransactionNewValue($object, $xaction);
@@ -92,6 +96,8 @@ final class PassphraseCredentialTransactionEditor
       case PhabricatorTransactions::TYPE_EDIT_POLICY:
         $object->setEditPolicy($xaction->getNewValue());
         return;
+      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+        return;
     }
 
     return parent::applyCustomInternalTransaction($object, $xaction);
@@ -107,6 +113,7 @@ final class PassphraseCredentialTransactionEditor
       case PassphraseCredentialTransaction::TYPE_USERNAME:
       case PassphraseCredentialTransaction::TYPE_SECRET_ID:
       case PassphraseCredentialTransaction::TYPE_DESTROY:
+      case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
       case PhabricatorTransactions::TYPE_VIEW_POLICY:
       case PhabricatorTransactions::TYPE_EDIT_POLICY:
         return;
diff --git a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
index 2303ea39ac..6caed5af3c 100644
--- a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
+++ b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
@@ -8,6 +8,7 @@ final class PassphraseCredentialTransaction
   const TYPE_USERNAME = 'passphrase:username';
   const TYPE_SECRET_ID = 'passphrase:secretID';
   const TYPE_DESTROY = 'passphrase:destroy';
+  const TYPE_LOOKEDATSECRET = 'passphrase:lookedAtSecret';
 
   public function getApplicationName() {
     return 'passphrase';
@@ -28,6 +29,8 @@ final class PassphraseCredentialTransaction
         return ($old === null);
       case self::TYPE_USERNAME:
         return !strlen($old);
+      case self::TYPE_LOOKEDATSECRET:
+        return false;
     }
     return parent::shouldHide();
   }
@@ -77,6 +80,10 @@ final class PassphraseCredentialTransaction
         return pht(
           '%s destroyed this credential.',
           $this->renderHandleLink($author_phid));
+      case self::TYPE_LOOKEDATSECRET:
+        return pht(
+          '%s examined the secret plaintext for this credential.',
+          $this->renderHandleLink($author_phid));
     }
 
     return parent::getTitle();
@@ -97,5 +104,4 @@ final class PassphraseCredentialTransaction
       json_encode($this->getNewValue()));
   }
 
-
 }