.env · transform

ENV to Base64

Encode .env values to base64 or decode base64 back to plaintext. Useful for Kubernetes secrets, Docker envs, and CI/CD pipelines. All in-browser.

Be the first to rate
Input (.env)
Output (base64 values)
Output will appear here…
CLI equivalents
Encode a value
echo -n "my-secret" | base64
Decode a value
echo "bXktc2VjcmV0" | base64 --decode

What it does

  • Encode .env KEY=VALUE pairs — values become base64, keys stay unchanged
  • Decode base64 strings back to plaintext
  • Handles Unicode values via encodeURIComponent
  • Kubernetes Secret YAML preview
  • Runs entirely in-browser — nothing is uploaded

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

Example

Kubernetes Secret manifest
DATABASE_URL=postgres://user:pass@host/db
API_KEY=sk-live-abc123
apiVersion: v1
kind: Secret
type: Opaque
data:
  DATABASE_URL: cG9zdGdyZXM6Ly91c2VyOnBhc3NAaG9zdC9kYg==
  API_KEY: c2stbGl2ZS1hYmMxMjM=

When to use this tool

  • Preparing values for a Kubernetes Secret manifest
  • Collapsing a multi-line PEM certificate into a single CI variable
  • Encoding a JSON service account key for GitHub Actions secrets
  • Fixing Docker Compose parse errors caused by special characters in values
  • Decoding a base64-encoded variable you received from an ops teammate

Common mistakes

  • Treating base64 as encryption — it is encoding only, not a security measure
  • Double-encoding values that are already base64 — the decode step will produce garbage
  • Forgetting to decode at runtime — your app will receive the base64 string, not the original value
  • Encoding the key name as well as the value — Kubernetes keys must be plain strings

Why base64-encode environment variables?

Several platforms require environment variable values to be base64-encoded:

  • Kubernetes Secrets — all values in a Secret manifest must be base64-encoded. kubectl decodes them on pod injection.
  • GitHub Actions secrets — when a secret contains newlines (e.g., a PEM certificate), base64 collapses it to a single line.
  • Docker / Docker Compose — values with $, #, or = can cause parsing issues. base64 eliminates all special characters.

Decoding at runtime

Node.js: Buffer.from(process.env.MY_VAR, 'base64').toString('utf8')

Python: import base64; base64.b64decode(os.environ['MY_VAR']).decode()

Shell: echo "$MY_VAR" | base64 --decode

Frequently asked questions

Why do Kubernetes Secrets require base64-encoded values?

Kubernetes stores all Secret values as base64 so they can safely contain arbitrary binary data, newlines, and special characters in a YAML field. kubectl decodes them transparently when injecting into pods — your app receives the original plaintext value.

Does base64 make my secrets more secure?

No. base64 is encoding, not encryption. Anyone who reads the encoded value can decode it instantly. For real secret protection, use Kubernetes RBAC to restrict Secret access, or store secrets in a dedicated vault (AWS Secrets Manager, HashiCorp Vault, Doppler).

How do I decode a base64 environment variable at runtime?

Node.js: Buffer.from(process.env.MY_VAR, 'base64').toString('utf8'). Python: import base64; base64.b64decode(os.environ['MY_VAR']).decode(). Shell: echo "$MY_VAR" | base64 --decode.

Does this tool support Unicode values?

Yes. Values are encoded via encodeURIComponent before base64 to handle multi-byte characters correctly, matching the behavior of most server-side base64 utilities.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.