Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

Base64 is not encryption: A better story for Kubernetes secrets

Seth Vargo (Google)
9:00am12:30pm Tuesday, June 11, 2019
Building Secure Systems
Location: LL21 A/B
Average rating: ****.
(4.78, 9 ratings)



Prerequisite knowledge

  • Knowledge of security, Kuberentes, and containers (useful but not required)

Materials or downloads needed in advance

  • A laptop with access to the internet and a modern version of the Chrome browser installed

What you'll learn

  • Discover techniques for securely managing secrets in Kubernetes


Secrets are a key pillar of Kubernetes’ security model, used internally (e.g., service accounts) and by users (e.g., API keys), but did you know they’re stored in plaintext? That’s right, by default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Anyone with access to the etcd cluster has access to all your Kubernetes secrets.

Thankfully, there are better ways. Seth Vargo provides an overview of different techniques for more securely managing secrets in Kubernetes, including secrets encryption, KMS plug-ins, and tools like HashiCorp Vault. You’ll learn the trade-offs of each approach to make better decisions on how to secure your Kubernetes clusters.

Photo of Seth Vargo

Seth Vargo


Seth Vargo is an engineer at Google Cloud. Previously he worked at HashiCorp, Chef Software, CustomInk, and some Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. When he is not writing, working on open source, teaching, or speaking at conferences, Seth advises non-profits.