DEV Community

Cover image for Easily Encode/Decode Kubernetes Secrets in Base64
Umair-khurshid
Umair-khurshid

Posted on • Edited on

Easily Encode/Decode Kubernetes Secrets in Base64

Something we have to do aLL the time when manipulating Secrets objects in Kubernetes is to display in plain text the “secrets” contained in our Secret (or to encode them).

For those who don't know, Secrets in Kubernetes are unfortunately not very secret, since they are nothing more or less than base64 encoded strings (which is therefore anthing but secure). To tell the truth, I even wonder why bother encoding them at all. The only security we add compared to ConfigMaps is simply that the string is not readable by a human who would stick his head over your shoulder.

Anyways, you are probably going to have to encode or decode strings in base64 and it's sometimes a bit of a pain. The commonly accepted method is to simply use the linux echo and base64 binaries.

echo "ma string" | base64
bWEgc3RyaW5nCg==

echo bWEgc3RyaW5nCg== | base64 -d
my string
Enter fullscreen mode Exit fullscreen mode

It's a pain to type, but it's relatively trivial.

It's a trap!

Except there are traps!

The first one you will get when encoding. In my first example, the string is very short. And sometimes, size matters.

echo "my long string" | base64
bWEgc3RyaW5nIHRyw6hzIGxvbmd1ZSBzdHJpbmcgcG91ciBtb250cmVyIHF1ZSDDp2EgdmEgcGFz
IGxlIGZhaXJlCg==
Enter fullscreen mode Exit fullscreen mode

Here we end up with a line break in our output string. But, if you copy and paste this into your Kubernetes YAML, you're going to get a big syntax error.

The YAML will only be valid if you put the entire string, on a single line.

echo "my long string" | base64 -w0
bWEgc3RyaW5nIHRyw6hzIGxvbmd1ZSBzdHJpbmcgcG91ciBtb250cmVyIHF1ZSDDp2EgdmEgcGFzIGxlIGZhaXJlCg==
Enter fullscreen mode Exit fullscreen mode

And it's not over!

The 2nd trap is again a line break issue, but in the base64 string this time.

In fact, it's super treacherous because you won't see it on the screen at first, but you should know that echo adds a line break at the end of your string. The return you got in base64 therefore contains a line break, which will almost systematically be unwanted when managing Secrets.

So the correct command is not echo but echo -n !

echo "my string" | base64
bWEgc3RyaW5nCg==

echo -n "my string" | base64 -w0
bWEgc3RyaW5n
Enter fullscreen mode Exit fullscreen mode

Okay this is starting to get really annoying...

To decode fortunately, it is simpler. The command given at the beginning is enough, even if it will be safer to add the “-n” to the echo:

echo -n bWEgc3RyaW5n | base64 -d
my string
Enter fullscreen mode Exit fullscreen mode

Gain some characters

Since I'm lazy, I looked for a trick to save a few characters to type. There is a solution, but unfortunately it only works for decode, since in the case of encoding we risk adding an unwanted line break:

echo bWEgc3RyaW5n | base64 -d
base64 -d <<< bWEgc3RyaW5n
my string
Enter fullscreen mode Exit fullscreen mode

We just saved 3 characters but especially a “|”, much more difficult to do on a standard qwerty keyboard than 3 “<”.

A little simpler

Here's a ittle script to make our lives easier:

~$ cat > b64 <<EOF 
> #!/bin/bash
> echo -e "Base64 encoding.. \n"
> for arg in "\$@"; do
>   echo "\$arg :"
>   echo -n "\$arg" | base64
>   echo
> done
> EOF
~$ cat > b64d <<EOF 
> #!/bin/bash
> echo -e "Base64 decoding.. \n"
> for arg in "\$@"; do
>   echo "\$arg :"
>   echo -n "\$arg" | base64 -d
>   echo
> done
> EOF
~$ sudo cp b64* /usr/local/bin/
Enter fullscreen mode Exit fullscreen mode

You can now directly invoke b64 followed by any number of strings to have their value encoded, or b64d followed by any number of strings to decode them.

Top comments (0)