Are Kubernetes Secrets encrypted?

By default, no. Secret data is base64-encoded — which is encoding, not encryption — and stored in etcd in plaintext unless you enable encryption at rest. Anyone with API or etcd access can read the values, so treat Secrets as merely obfuscated, not secure.

What is the difference between data and stringData?

The data field requires base64-encoded values, while stringData accepts plaintext and the API server base64-encodes it for you on apply. stringData is more convenient to author; values appear in data after creation.

Should I commit Secret YAML to git?

Never commit plaintext or base64 Secrets to a repository — base64 is trivially reversible. Use Sealed Secrets, SOPS-encrypted files, or the External Secrets Operator pulling from Vault or a cloud secret manager.

What Secret types exist?

Common types include Opaque (arbitrary data), kubernetes.io/tls (cert and key), kubernetes.io/dockerconfigjson (registry pull credentials), kubernetes.io/basic-auth, and kubernetes.io/ssh-auth. Typed Secrets enforce expected keys.

How do pods consume a Secret?

Mount it as a volume so each key becomes a file, or expose keys as environment variables via env valueFrom secretKeyRef or envFrom secretRef. Image pull secrets are referenced under imagePullSecrets.

Kubernetes Secret YAML Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Generate Kubernetes Secret manifests safely

A Secret holds small amounts of sensitive data — passwords, tokens, TLS certificates, registry credentials — and makes it available to pods without baking it into images. This builder assembles a valid v1 Secret manifest, base64-encoding your values for the data field or leaving them plaintext under stringData.

How it works

The Kubernetes data field stores every value base64-encoded. The builder encodes your input using a UTF-8-safe routine so multi-byte characters survive correctly, which a naive btoa call would corrupt. If you prefer to author in plaintext, switch to stringData and the API server performs the base64 encoding when you kubectl apply.

The Secret type field tells Kubernetes what shape to expect. Opaque is the generic catch-all; typed Secrets such as kubernetes.io/tls validate that the required keys (tls.crt, tls.key) are present.

Tips and notes

base64 is encoding, not encryption — anyone who can read the Secret can decode it instantly. Enable encryption at rest on etcd for real protection.
For GitOps workflows, use Sealed Secrets (encrypts the whole Secret so it is safe to commit) or the External Secrets Operator (syncs from Vault, AWS Secrets Manager, or GCP Secret Manager).
Restrict access with RBAC — grant get/list on Secrets only to the workloads that need them.
Rotate credentials regularly; updating a Secret does not automatically restart pods consuming it.