64 Base64Toolkit
Language:

Kubernetes Secret Decoder

Paste the output of kubectl get secret <name> -o yaml and decode every key at once — entirely in your browser.

Decoding Kubernetes secrets, without the kubectl gymnastics

Kubernetes stores every Secret value Base64-encoded under the data: key. Reading one value from the CLI means remembering jsonpath syntax and piping through base64 -d; reading five values means doing it five times. This tool takes the whole kubectl get secret -o yaml output (or JSON) and decodes every key in one paste — stringData entries are shown as-is, and non-text binary values are flagged instead of shown as garbage.

The Create secret tab works in reverse: enter plain KEY=value pairs and get a ready-to-apply manifest with correctly encoded values (no trailing-newline bugs), plus the equivalent kubectl create secret generic one-liner.

Remember: Base64 is not security

Anyone with get secret RBAC permission can decode these values — as this page demonstrates. Protect real credentials with etcd encryption at rest, least-privilege RBAC, and tools like Sealed Secrets, SOPS, or External Secrets Operator.

Frequently Asked Questions

How do I decode a Kubernetes secret?

Run kubectl get secret <name> -o yaml, paste the whole output above, and every key under data: is decoded instantly. On the command line, the equivalent for one key is kubectl get secret <name> -o jsonpath="{.data.password}" | base64 -d.

Are Kubernetes secrets encrypted?

Not by default — they are only Base64-encoded, which anyone can reverse (as this page proves). Real protection requires encryption at rest on etcd, RBAC restrictions, and ideally an external secret manager (Vault, Sealed Secrets, External Secrets Operator).

Why is my decoded secret value wrong or rejected?

The classic cause is a trailing newline: echo "value" | base64 encodes value\n. Use echo -n, or create values with this page — the generator never adds trailing newlines.

What is the difference between data and stringData?

data: holds Base64-encoded values; stringData: accepts plain text that Kubernetes encodes for you at apply time. stringData is write-only convenience — when you read a secret back, everything appears Base64-encoded under data:.

Is it safe to paste production secrets here?

Yes — this page is static and has no backend. Parsing and decoding run entirely in your browser; nothing is transmitted, logged, or stored (the page even works offline). Still, treat any decoded secret with the same care as the original.

Related Tools