Kubernetes Secret Decoder
Kubernetes stores Secret values as Base64 — which is encoding, not encryption. Paste a Secret YAML (or a single value) below and every Base64 value under data: is decoded to plain text, instantly and locally. Nothing is uploaded.
How to decode a Kubernetes secret
Every value under a Secret's data: field is Base64-encoded. To read it, paste the Secret YAML into the tool above — it finds the data: block and decodes each value to plain text, all in your browser. To grab the YAML in the first place, run:
kubectl get secret my-secret -o yaml
To decode just one key straight from the command line, pull that field and pipe it through base64 --decode:
kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 --decode
For example, given this Secret:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
type: Opaque
data:
username: YWRtaW4=
password: c3VwZXJzZWNyZXQ=
the decoder returns username → admin and password → supersecret, because YWRtaW4= is base64("admin") and c3VwZXJzZWNyZXQ= is base64("supersecret").
Why are Kubernetes secrets Base64 encoded?
To carry arbitrary binary data safely as text. A Secret can hold TLS certificates, private keys, or raw bytes that are not valid UTF-8 and would corrupt a YAML document or the etcd store. Base64 maps any byte sequence onto a small set of printable ASCII characters, so it survives transport and storage intact. It is a binary-safe encoding, chosen for correctness — not for secrecy. The encoding is fully reversible with no key, which is exactly why the tool above can decode it in a line of JavaScript.
Are Kubernetes secrets encrypted?
No — not by default. A stock Secret is only Base64-encoded when it lands in etcd, so anyone with read access to etcd or to the Secret object can recover the plaintext. To actually protect it you have several options:
Encryption at rest — configure an EncryptionConfiguration on the API server, ideally backed by a KMS provider (AWS KMS, GCP KMS, Azure Key Vault), so Secrets are encrypted before being written to etcd. Sealed Secrets (Bitnami) — encrypt Secrets with a cluster controller's public key so the encrypted SealedSecret is safe to commit to Git. SOPS (with age or KMS) — encrypt Secret files in your GitOps repo and decrypt them at deploy time. External stores like HashiCorp Vault (often via the External Secrets Operator or CSI driver) — keep secrets out of the cluster entirely and inject them at runtime. Base64, by itself, provides none of this.
data vs stringData
A Secret can define values two ways. Under data: every value must already be Base64 — that is what the tool above decodes. Under stringData: you write the value as plain text and Kubernetes Base64-encodes it for you when the Secret is created, then merges it into data:. Use stringData: when authoring a Secret by hand so you do not have to encode anything yourself; use data: when you already have Base64 (for example, from another tool or from binary content). When both set the same key, stringData: wins.
Is this private?
Yes. Decoding runs entirely in your browser with JavaScript — the Secret YAML is parsed and decoded locally and nothing is uploaded to any server. This matters here because people paste real production secrets: you can confirm in DevTools → Network that decoding fires no request. Close the tab and the pasted data is gone.
Frequently asked questions
How do I decode a Kubernetes secret?
Paste the output of kubectl get secret NAME -o yaml into the decoder above and every Base64 value under data: is decoded to plain text, locally. From the command line, decode a single key with kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 --decode.
Why are Kubernetes secrets Base64 encoded?
So arbitrary binary data — certificates, keys, non-UTF-8 bytes — can be stored safely as text in YAML and in etcd. Base64 is a binary-safe transport encoding, not a security feature: anyone who can read the Secret can decode it.
Are Kubernetes secrets encrypted?
Not by default — a Secret is only Base64-encoded in etcd unless you enable encryption at rest (an EncryptionConfiguration, usually KMS-backed). For stronger protection use Sealed Secrets, SOPS, or Vault.
How do I create a Base64 value for a Secret?
Base64-encode the plain value and put the result under data: — for example printf 'admin' | base64 gives YWRtaW4=. Use the Encode value mode above to do it in the browser, or put the plain text under stringData: and let Kubernetes encode it for you.
Need plain Base64 encode/decode?
The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.
Open base64.dev →