When you're building a Kubernetes Secret manifest, the data: block requires Base64-encoded values. Many developers handle this by pasting raw passwords and API keys into an online Base64 encoder — which sends those credentials to a third-party server. There's a safer way.

Why Kubernetes Uses Base64

A Kubernetes Secret manifest looks like this:

apiVersion: v1 kind: Secret metadata: name: db-credentials type: Opaque data: password: c3VwZXJzZWNyZXQ= api-key: c2tfdGVzdF84YzhiNDU2MA==

The values under data: are Base64-encoded strings. The raw values — supersecret, sk_test_8c8b4560 — are not stored in the manifest directly.

Important: Base64 is not encryption. Anyone with access to the manifest can decode the values instantly. Kubernetes secrets provide cluster-level access control — the encoding is a format requirement of the Kubernetes API, not a security layer.

Encoding Secret Values with TextForge

TextForge is a Chrome extension with 50+ text utilities. Base64 encode runs entirely locally in the free version — no data leaves your browser.

  1. 1
    Open TextForge
    Click the TextForge icon in your browser toolbar to open the extension panel.
  2. 2
    Paste the raw secret value
    Paste your password, API key, connection string, or any value you need in encoded form. Encode one value at a time.
  3. 3
    Apply Base64 Encode
    Select Base64 Encode from the tools menu. The encoded string appears immediately.
  4. 4
    Paste into your YAML manifest
    Copy the encoded output and paste it as the value under the appropriate key in the data: block.

Using stringData Instead

Kubernetes also supports a stringData: field that accepts plain text — the API handles Base64 encoding automatically:

stringData: password: supersecret

stringData is fine for secrets you're creating from scratch. But when you're reading an existing manifest or one generated by a tool, the values will be in data: in Base64 form — which is when you need to decode them for inspection. For that, paste the encoded value into TextForge and apply Base64 Decode.

Frequently Asked Questions

Is Base64 encoding required for all Kubernetes secrets?

Only for the data: field. If you use stringData:, Kubernetes handles the encoding automatically. The data: field is what you see in most examples and in secrets exported with kubectl get secret -o yaml.

Can I encode multi-line values like TLS certificates?

Yes. Paste the full certificate — including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines — into TextForge and apply Base64 Encode. The resulting string goes into the data: field of a TLS Secret.

Is Base64 encryption for Kubernetes secrets?

No. Base64 is not encryption — anyone with the manifest can decode the values instantly with any Base64 decoder. Kubernetes secrets provide access control. For encryption at rest, you need to configure etcd encryption separately at the cluster level.

Related guides
Base64 Encode and Decode Online — No Upload, No Command Line Full guide covering all Base64 use cases in the browser How to Decode a JWT Token Payload in Your Browser Inspect JWT claims locally without pasting tokens into jwt.io

TextForge is free. Base64 encode — and 50+ other text utilities — are available without an account or subscription.

Install TextForge — free