Base64 in Config Files: Encoding Secrets for Environment Variables
Base64-encode secrets for env vars and config files. Learn the pattern, why it's not a security measure, and safer alternatives like secret managers.
Published:
Tags: encoding, devops, base64
Base64 in Config Files: Encoding Secrets for Environment Variables Environment variables are strings. A TLS certificate is not a string — it's a PEM-formatted multi-line block containing a Base64-encoded binary blob. A private key is the same. So are JSON service account credentials, SAML signing certificates, and SSH keys. When you need to store these in an environment variable (for Kubernetes secrets, Heroku config, GitHub Actions, or a file), Base64-encoding is the standard approach. It collapses a multi-line, special-character-containing value into a single portable string. The Problem with Multi-line Secrets in Env Vars A PEM certificate looks like this: Storing this directly in an environment variable requires shell escaping every newline. Different shells handle this differently.…
All articles · theproductguy.in