Spotting base64 encoded JSON, certificates, and private keys

Aug 5, 2025 - 23:00

You can spot base64 encoded JSON, certificates, and private keys

Last modified August 5, 2025

I was working on my homelab and examined a file that was supposed to contain encrypted content that I could safely commit to a GitHub repository. The file looked like this:

{
  "serial": 13,
  "lineage": "24d431ee-3da9-4407-b649-b0d2c0ca2d67",
  "meta": {
    "key_provider.pbkdf2.password_key": "eyJzYWx0IjoianpHUlpMVkFOZUZKcEpSeGo4UlhnNDhGZk9vQisrR0YvSG9ubTZzSUY5WT0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="
  },
  "encrypted_data": "ONXZsJhz37eJA[...]",
  "encryption_version": "v0"
}

Hm, key provider? Password key? In an encrypted file? That doesn’t sound right. The problem is that this file is generated by taking a password, deriving a key from it, and encrypting the content with that key. I don’t know what the derived key could look like, but it could be that long indecipherable string.

I asked a colleague to have a look and he said “Oh that? It looks like a base64 encoded JSON. Give it a go to see what’s inside.”

I was incredulous but gave it a go, and it worked!!

Terminal window
$ echo "eyJzYW[...]" | base64 -d
{"salt":"jzGRZLVANeFJpJRxj8RXg48FfOoB++GF/Honm6sIF9Y=","iterations":600000,"hash_function":"sha512","key_length":32}

I couldn’t believe my colleague had decoded the base64 string on the fly, so I asked. “What gave it away? Was it the trailing equal signs at the end for padding? But how did you know it was base64 encoded JSON and not just a base64 string?”

He replied,

Whenever you see ey, that’s {" and then if it’s followed by a letter, you’ll get J followed by a letter.

I did a few tests in my terminal, and he was right! You can spot base64 JSON with your naked eye, and you don’t need to decode it on the fly!

Terminal window
$ echo "{" | base64
ewo=
$ echo "{\"" | base64
eyIK
$ echo "{\"s" | base64
eyJzCg==
$ echo "{\"a" | base64
eyJhCg==
$ echo "{\"word\"" | base64
eyJ3b3JkIgo=

But it gets even better! As tyzbit reported on the fediverse, you can even spot base64 encoded certificates and private keys! They all start with LS, which is reminiscent of the LS in “TLS certificate.”

Terminal window
$ echo -en "-----BEGIN CERTIFICATE-----" | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t

Errata

As pointed out by gnabgib and athorax on Hacker News, this actually detects the leading dashes of the PEM format, commonly used for certificates, and a YAML file that starts with --- will yield the same result:

Terminal window
$ echo "---\n" | base64
LS0tXG4K

This is not a silver bullet!
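
As an added example (not from the original post or its author), the sketch below uses the two prefixes as a first-pass filter and then decodes each hit to confirm what it is, so a YAML --- or a JSON-looking string that does not parse is not reported as a key or as JSON. The function names, the classification labels and the sample file contents are assumptions made up for illustration.

```python
import base64, binascii, json, re

# "eyJ" is base64 for '{"' plus the start of a letter; "LS0t" is base64 for "---".
CANDIDATE = re.compile(r"(?<![A-Za-z0-9+/])(?:eyJ|LS0t)[A-Za-z0-9+/]*={0,2}")
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def classify(token):
    """Decode one candidate token and report what it actually contains."""
    try:
        padded = token + "=" * (-len(token) % 4)
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "undecodable"
    if token.startswith("eyJ"):
        try:
            json.loads(text)
            return "json"
        except ValueError:
            return "json-prefix-only"   # starts like JSON but does not parse
    header = PEM_BEGIN.match(text)
    if header is None:
        return "dashes-only"            # e.g. a YAML document starting with ---
    label = header.group(1)
    return "pem-private-key" if "PRIVATE KEY" in label else "pem-" + label.lower().replace(" ", "-")

def scan(text):
    """Return (line number, classification) for every candidate found in text."""
    return [(n, classify(m.group(0)))
            for n, line in enumerate(text.splitlines(), 1)
            for m in CANDIDATE.finditer(line)]

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample file: every value here is made up for this example.
SAMPLE = "\n".join([
    'password_key = "' + b64('{"salt":"c2FtcGxl","iterations":600000}') + '"',
    "tls_cert: " + b64("-----BEGIN CERTIFICATE-----\nMIIB...\n"),
    "tls_key: " + b64("-----BEGIN PRIVATE KEY-----\nMIIE...\n"),
    "manifest: " + b64("---\nkind: ConfigMap\n"),
    "note: " + b64("hello world"),
    "broken: " + b64('{"unterminated'),
])

if __name__ == "__main__":
    for line_no, kind in scan(SAMPLE):
        print(f"line {line_no}: {kind}")
```

Run over a file before committing it, the pem-private-key and json hits are the ones worth reading in decoded form; dashes-only and json-prefix-only are the false positives the errata describes.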

Thanks Davide and Denis for showing me this simple but pretty useful trick, and thanks tyzbit for completing it with certs and private keys!
