diff --git a/internal/env/config.go b/internal/env/config.go
index cae2a7e..71f6392 100644
--- a/internal/env/config.go
+++ b/internal/env/config.go
@@ -108,13 +108,25 @@ func (cfg *Config) loadValuesSecrets() {
 varName = sigils.ReplaceAllString(varName, "")
 if value, ok := os.LookupEnv(varName); ok {
+ if cfg.Debug {
+ fmt.Fprintf(cfg.Stderr, "Replaced $%s with value in environment\n", varName)
+ }
 return value
 }
+ if cfg.Debug {
+ fmt.Fprintf(cfg.Stderr, "$%s not present in environment, replaced with \"\"\n", varName)
+ }
 return ""
 }
+ if cfg.Debug {
+ fmt.Fprintf(cfg.Stderr, "Replacing environment variable references in Values\n")
+ }
 cfg.Values = findVar.ReplaceAllStringFunc(cfg.Values, replacer)
+ if cfg.Debug {
+ fmt.Fprintf(cfg.Stderr, "Replacing environment variable references in StringValues\n")
+ }
 cfg.StringValues = findVar.ReplaceAllStringFunc(cfg.StringValues, replacer)
 }
diff --git a/internal/env/config_test.go b/internal/env/config_test.go
index cf1d7c6..a17fffa 100644
--- a/internal/env/config_test.go
+++ b/internal/env/config_test.go
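Review bot: The `$%s not present in environment, replaced with ""` message in the replacer closure is gated on `cfg.Debug`, so in a normal run an unset or misspelled secret name is still replaced with an empty string and nothing is reported. If `cfg.Stderr` is always set, consider dropping the `if cfg.Debug` guard around that one `fmt.Fprintf` and keeping the other three messages debug-only; an empty credential reaching the chart is worth one line of output. The messages log only `varName` and never `value`, which is the right boundary and deserves a short comment such as `// log the variable name only; never the resolved value` so a later edit does not add it. The two phase messages take no format arguments, so `fmt.Fprintln(cfg.Stderr, "Replacing environment variable references in Values")` is the plainer call. Both loadValuesSecrets and the replacer closure begin outside this hunk.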
@@ -198,6 +198,27 @@ func (suite *ConfigTestSuite) TestNewConfigWithValuesSecrets() {
 suite.Equal("rings=1", cfg.StringValues)
 }
+func (suite *ConfigTestSuite) TestValuesSecretsWithDebugLogging() {
+ suite.unsetenv("VALUES")
+ suite.setenv("SECRET_FIRE", "Eru_Ilúvatar")
+ suite.setenv("PLUGIN_DEBUG", "true")
+ suite.setenv("PLUGIN_STRING_VALUES", "fire=$SECRET_FIRE")
+ suite.setenv("PLUGIN_VALUES", "fire=$SECRET_FIRE,water=$SECRET_WATER")
+ stderr := strings.Builder{}
+ _, err := NewConfig(&strings.Builder{}, &stderr)
+ suite.Require().NoError(err)
+
+ // Make a good-faith effort to avoid putting secrets in the log output, but still mention they were found
+ suite.Contains(stderr.String(), "Values:fire=$SECRET_FIRE,water=$SECRET_WATER")
+ suite.Contains(stderr.String(), `
+Replacing environment variable references in Values
+Replaced $SECRET_FIRE with value in environment
+$SECRET_WATER not present in environment, replaced with ""
+Replacing environment variable references in StringValues
+Replaced $SECRET_FIRE with value in environment
+`)
+}
+
 func (suite *ConfigTestSuite) setenv(key, val string) {
 orig, ok := os.LookupEnv(key)
 if ok {
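Review bot: TestValuesSecretsWithDebugLogging states in its comment that secrets should stay out of the log, but both assertions are positive `Contains` checks, so the test still passes if the resolved value is also written to stderr. Adding `suite.NotContains(stderr.String(), "Eru_Ilúvatar")` after the existing assertions would pin the property the comment describes. The asserted `Values:fire=$SECRET_FIRE,water=$SECRET_WATER` line is presumably emitted by a debug dump that runs before substitution (not visible in this hunk), so the negative assertion would also fail if those two steps were later reordered.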