Skip to content
Latchkey

What Is Base64 Encoding? Explained

Base64 is an encoding that represents arbitrary binary data using a 64-character set of plain ASCII text, so binary can travel through text-only channels.

Base64 solves a transport problem: a lot of systems only handle text safely, but you often need to move binary data - an image, a key file, a certificate - through them. Base64 rewrites binary bytes as plain ASCII so they survive text-only pipes. It is everywhere in CI, especially for getting binary secrets into and out of pipelines.

What base64 encoding is

Base64 takes binary data three bytes at a time and rewrites it as four characters drawn from a 64-symbol alphabet of letters, digits, plus, and slash, padded with equals signs. The result is roughly a third larger than the original but contains only safe, printable ASCII.

Encoding is not encryption

This is the single most important point: base64 is reversible by anyone with no key. It hides nothing. A base64 string is not a secret just because it looks scrambled - decoding it is trivial. Treat base64-encoded credentials as fully exposed if the string itself leaks.

Why text channels need it

Environment variables, JSON fields, YAML values, and email all expect text. Stuffing raw binary into them can corrupt the bytes or break the format. Base64 wraps the binary so it passes through unchanged, then the receiver decodes it back to the original bytes.

Base64 in CI secrets

CI secrets store text, so binary credentials - a service account JSON, a keystore, a PEM file - are commonly base64-encoded, stored as a secret, then decoded back to a file in the job. The secret stays masked in logs; base64 just makes the binary safe to store and transport.

Restoring a binary secret from base64
# Decode a base64 secret back to a file in CI
steps:
  - run: echo "${{ secrets.KEYSTORE_B64 }}" | base64 -d > release.keystore

Latchkey note

Secret masking applies on Latchkey runners exactly as on GitHub-hosted ones, so a base64-encoded secret stays redacted in logs - but remember the encoding itself adds no protection, only safe transport.

Key takeaways

  • Base64 rewrites binary as printable ASCII so it can pass through text-only channels.
  • It is encoding, not encryption - anyone can decode it, so it provides no secrecy.
  • CI commonly base64-encodes binary credentials to store them as text secrets, then decodes them to files in a job.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →