Every time you embed an image in an HTML email, store a secret in a Kubernetes manifest, or pass a file through an API that only accepts text — Base64 is working in the background. It is one of those encoding schemes that system administrators encounter constantly but rarely stop to understand. This article explains what Base64 is, how the encoding algorithm works at the bit level, and when to use it.
Base64 is not encryption. It does not compress data. It is a reversible encoding that converts arbitrary binary data into a set of 64 printable ASCII characters, making binary content safe to transmit over systems that only handle text.
How Base64 works
Base64 encodes data in groups of 3 bytes at a time. Each group of 3 bytes (24 bits) is split into 4 chunks of 6 bits each. Each 6-bit chunk maps to one character from the Base64 alphabet — 64 possible values, hence the name.
Here is what that looks like for the string Man (ASCII bytes 77, 97, 110):
Input: Man — 3 bytes, 24 bits, 4 Base64 characters
Step 1 — 3 input bytes as binary
Step 2 — regroup 24 bits into 4 × 6-bit chunks
Result: Man encodes to TWFu
Each 6-bit value (0–63) maps to one character from the Base64 alphabet:
| Range | Characters | Count |
|---|---|---|
| 0–25 | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z | 26 |
| 26–51 | a b c d e f g h i j k l m n o p q r s t u v w x y z | 26 |
| 52–61 | 0 1 2 3 4 5 6 7 8 9 | 10 |
| 62 | + | 1 |
| 63 | / | 1 |
| padding | = | — |
Padding
Base64 processes input in 3-byte groups. If the input length is not a multiple of 3, the last group is padded with zeros and = characters are appended to the output to signal how many padding bytes were added.
| Input | Leftover bytes | Padding | Output |
|---|---|---|---|
Man | 0 | none | TWFu |
Ma | 2 | = | TWE= |
M | 1 | == | TQ== |
= padding characters carry no data — they keep the output length a multiple of 4 to simplify decoding. Some systems omit padding (JWT tokens, for example). If a strict decoder receives Base64 without expected padding, it will fail.
Why size increases by ~33%
Every 3 bytes of input become 4 characters of output — a 4/3 ratio, roughly 33% larger. A 1 MB file becomes approximately 1.37 MB when encoded. This is the unavoidable cost of representing 8-bit data using only 6 bits per character.
Common use cases
Data URI — embedding files in HTML and CSS
A Data URI embeds file content directly in HTML or CSS instead of referencing an external file, eliminating an HTTP request for small assets like icons.
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..." />The format is always data:<mime-type>;base64,<encoded-data>. The MIME type tells the browser how to interpret the content. Our Base64 Encoder produces Data URI output directly — enable the “Include Data URI prefix” checkbox on the File tab.
Kubernetes secrets and environment variables
Kubernetes stores secret values as Base64 in YAML manifests. The encoding exists because YAML is a text format and secret values often contain special characters that would break YAML parsing — not for security.
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
type: Opaque
data:
password: cGFzc3dvcmQxMjM= # "password123" — encoded, NOT encryptedAPI payloads with binary content
REST APIs communicate in JSON or XML — text formats that cannot contain raw binary data. When an API needs to accept or return binary content (an image, a PDF, a certificate), the binary data is Base64-encoded and embedded as a string in the payload.
{
"filename": "report.pdf",
"content": "JVBERi0xLjQKJeLjz9MKMSAwIG9iago8PAovVHlwZSAvQ2F0YWxvZw..."
}Email attachments (MIME)
Email was designed for 7-bit ASCII text. MIME extended email to support attachments by encoding binary content as Base64. Every PDF or image you send as an email attachment is Base64-encoded by your mail client and decoded by the recipient’s — invisibly, on both ends.
PowerShell -EncodedCommand
PowerShell’s -EncodedCommand flag accepts a Base64-encoded script and executes it directly. This pattern is used in scheduled tasks and deployment scripts to avoid quote escaping issues. Note that -EncodedCommand requires UTF-16LE encoding specifically — not standard UTF-8 Base64.
Base64 is not encryption
Base64 is an encoding, not a cipher. Its purpose is format compatibility, not confidentiality. If you need to protect data, use actual encryption (AES, TLS, GPG). Base64 can be layered on top of encrypted data for transport, but the Base64 layer itself provides zero security.
URL-safe Base64
Standard Base64 uses + and / — both special characters in URLs. When Base64-encoded data needs to appear in a URL (JWT tokens, signed URLs, query parameters), a URL-safe variant replaces these characters:
| Standard Base64 | URL-safe Base64 | Reason |
|---|---|---|
+ | - | + is decoded as a space in query strings |
/ | _ | / is a URL path separator |
= padding | often omitted | = must be percent-encoded in URLs |
How to encode and decode
Browser — no installation required
The Advanced Base64 Encoder runs entirely in the browser. It supports text encoding, file encoding with drag and drop, Data URI output, and file download on decode. Nothing is sent to a server — all processing happens locally.
Linux / macOS
# Encode a string
echo -n 'hello world' | base64
# Decode a string
echo 'aGVsbG8gd29ybGQ=' | base64 -d
# Encode a file
base64 input.png > output.b64
# Decode a file back to binary
base64 -d output.b64 > restored.png-n flag suppresses the trailing newline on echo. Without it, the newline is included in the input and the encoded output will differ from what you expect.
Windows CMD — certutil
rem Encode a file to Base64
certutil -encode input.txt output_encoded.txt
rem Decode a Base64 file back to the original
certutil -decode output_encoded.txt restored.txt-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. These are required for certutil itself to decode the file, but they break compatibility with any other Base64 consumer. Strip them with findstr /v CERTIFICATE encoded.txt > clean.txt before passing the output to an API or another tool.
For the full certutil workflow including stripping headers, encoding strings, and round-trip integrity verification, see: certutil -encode and -decode: Base64 encoding files from the Windows command line.
PowerShell
# Encode a string
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('hello world'))
# Decode a string
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8gd29ybGQ='))
# Encode a file
[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\input.png')) | Out-File -Encoding ascii output.b64
# Decode a file
$b = [Convert]::FromBase64String(([IO.File]::ReadAllText('output.b64')).Trim())
[IO.File]::WriteAllBytes('C:\restored.png', $b)PowerShell produces clean RFC 4648 Base64 without PEM headers, directly compatible with APIs and Linux tools. For the full workflow including binary file handling, BOM pitfalls, and -EncodedCommand encoding, see: Base64 encoding in PowerShell.
Tips and limitations
- Whitespace breaks decoding: Many encoders insert line breaks every 76 characters (MIME) or 64 characters (PEM). If a strict decoder receives Base64 with unexpected line breaks, it will fail. Strip all whitespace before decoding when the source is unknown.
- Not for large files: Base64 is not designed for multi-gigabyte data. Most implementations load the entire input into memory before encoding. For large file transfers, use binary-safe protocols (SFTP, SCP, rsync) instead.
- Standard vs URL-safe: Confirm which variant a system expects before encoding. Mixing standard and URL-safe Base64 causes silent failures that are hard to debug.
- Encoding does not validate content: A corrupted file encodes and decodes without errors — the corruption is preserved exactly. Base64 is not a data integrity mechanism. If integrity matters, verify with a hash (SHA256) separately.
Related tools
- Advanced Base64 Encoder / Decoder — encode and decode text and files in the browser, with Data URI support and file download on decode