Kubernetes Secret Decoder

Kubernetes stores Secret values as Base64 — which is encoding, not encryption. Paste a Secret YAML (or a single value) below and every Base64 value under data: is decoded to plain text, instantly and locally. Nothing is uploaded.

Security note: Base64 in a Kubernetes Secret is NOT encryption. Anyone who can read the Secret YAML can decode it. For real protection use encryption at rest (KMS), Sealed Secrets, SOPS, or Vault.
Mode
SECRET YAML
DECODED VALUES
Paste a Secret YAML or a single value

How to decode a Kubernetes secret

Every value under a Secret's data: field is Base64-encoded. To read it, paste the Secret YAML into the tool above — it finds the data: block and decodes each value to plain text, all in your browser. To grab the YAML in the first place, run:

kubectl get secret my-secret -o yaml

To decode just one key straight from the command line, pull that field and pipe it through base64 --decode:

kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 --decode

For example, given this Secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: c3VwZXJzZWNyZXQ=

the decoder returns usernameadmin and passwordsupersecret, because YWRtaW4= is base64("admin") and c3VwZXJzZWNyZXQ= is base64("supersecret").

Why are Kubernetes secrets Base64 encoded?

To carry arbitrary binary data safely as text. A Secret can hold TLS certificates, private keys, or raw bytes that are not valid UTF-8 and would corrupt a YAML document or the etcd store. Base64 maps any byte sequence onto a small set of printable ASCII characters, so it survives transport and storage intact. It is a binary-safe encoding, chosen for correctness — not for secrecy. The encoding is fully reversible with no key, which is exactly why the tool above can decode it in a line of JavaScript.

Are Kubernetes secrets encrypted?

No — not by default. A stock Secret is only Base64-encoded when it lands in etcd, so anyone with read access to etcd or to the Secret object can recover the plaintext. To actually protect it you have several options:

Encryption at rest — configure an EncryptionConfiguration on the API server, ideally backed by a KMS provider (AWS KMS, GCP KMS, Azure Key Vault), so Secrets are encrypted before being written to etcd. Sealed Secrets (Bitnami) — encrypt Secrets with a cluster controller's public key so the encrypted SealedSecret is safe to commit to Git. SOPS (with age or KMS) — encrypt Secret files in your GitOps repo and decrypt them at deploy time. External stores like HashiCorp Vault (often via the External Secrets Operator or CSI driver) — keep secrets out of the cluster entirely and inject them at runtime. Base64, by itself, provides none of this.

data vs stringData

A Secret can define values two ways. Under data: every value must already be Base64 — that is what the tool above decodes. Under stringData: you write the value as plain text and Kubernetes Base64-encodes it for you when the Secret is created, then merges it into data:. Use stringData: when authoring a Secret by hand so you do not have to encode anything yourself; use data: when you already have Base64 (for example, from another tool or from binary content). When both set the same key, stringData: wins.

Is this private?

Yes. Decoding runs entirely in your browser with JavaScript — the Secret YAML is parsed and decoded locally and nothing is uploaded to any server. This matters here because people paste real production secrets: you can confirm in DevTools → Network that decoding fires no request. Close the tab and the pasted data is gone.

Frequently asked questions

How do I decode a Kubernetes secret?

Paste the output of kubectl get secret NAME -o yaml into the decoder above and every Base64 value under data: is decoded to plain text, locally. From the command line, decode a single key with kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 --decode.

Why are Kubernetes secrets Base64 encoded?

So arbitrary binary data — certificates, keys, non-UTF-8 bytes — can be stored safely as text in YAML and in etcd. Base64 is a binary-safe transport encoding, not a security feature: anyone who can read the Secret can decode it.

Are Kubernetes secrets encrypted?

Not by default — a Secret is only Base64-encoded in etcd unless you enable encryption at rest (an EncryptionConfiguration, usually KMS-backed). For stronger protection use Sealed Secrets, SOPS, or Vault.

How do I create a Base64 value for a Secret?

Base64-encode the plain value and put the result under data: — for example printf 'admin' | base64 gives YWRtaW4=. Use the Encode value mode above to do it in the browser, or put the plain text under stringData: and let Kubernetes encode it for you.

Need plain Base64 encode/decode?

The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.

Open base64.dev →