Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

Base64 is not encryption: A better story for Kubernetes secrets

Seth Vargo (Google)
9:00am12:30pm Tuesday, June 11, 2019
Building Secure Systems
Location: LL21 E/F



Prerequisite knowledge

  • Knowledge of security, Kuberentes, and containers (useful but not required)

Materials or downloads needed in advance

  • A laptop with access to the internet and a modern version of the Chrome browser installed


Secrets are a key pillar of Kubernetes’ security model, used internally (e.g., service accounts) and by users (e.g., API keys), but did you know they’re stored in plaintext? That’s right, by default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Anyone with access to the etcd cluster has access to all your Kubernetes secrets.

Thankfully, there are better ways. Seth Vargo provides an overview of different techniques for more securely managing secrets in Kubernetes, including secrets encryption, KMS plug-ins, and tools like HashiCorp Vault. You’ll learn the trade-offs of each approach to make better decisions on how to secure your Kubernetes clusters.

Photo of Seth Vargo

Seth Vargo


Seth Vargo is a developer advocate at Google. Previously, he worked at HashiCorp, Chef, Custom Ink, and a few Pittsburgh-based startups. He’s the author of Learning Chef. Seth is passionate about reducing inequality in technology. When he’s not writing, working on open source, teaching, or speaking at conferences, Seth enjoys spending time with his friends and advising nonprofits. He loves all things bacon.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)