You can spot base64 encoded JSON, certificates, and private keys
Last modified August 5, 2025
I was working on my homelab and examined a file that was supposed to contain encrypted content that I could safely commit to a GitHub repository. The file looked like this:
```json
{
  "serial": 13,
  "lineage": "24d431ee-3da9-4407-b649-b0d2c0ca2d67",
  "meta": {
    "key_provider.pbkdf2.password_key": "eyJzYWx0IjoianpHUlpMVkFOZUZKcEpSeGo4UlhnNDhGZk9vQisrR0YvSG9ubTZzSUY5WT0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="
  },
  "encrypted_data": "ONXZsJhz37eJA[...]",
  "encryption_version": "v0"
}
```
Hm, key provider? Password key? In an encrypted file? That doesn’t sound right. The problem is that this file is generated by taking a password, deriving a key from it, and encrypting the content with that key. I don’t know what the derived key could look like, but it could be that long indecipherable string.
I asked a colleague to have a look and he said “Oh that? It looks like a base64 encoded JSON. Give it a go to see what’s inside.”
I was incredulous but gave it a go, and it worked!!
```console
$ echo "eyJzYW[...]" | base64 -d
{"salt":"jzGRZLVANeFJpJRxj8RXg48FfOoB++GF/Honm6sIF9Y=","iterations":600000,"hash_function":"sha512","key_length":32}
```
I couldn’t believe my colleague had decoded the base64 string on the fly, so I asked. “What gave it away? Was it the trailing equal signs at the end for padding? But how did you know it was base64 encoded JSON and not just a base64 string?”
He replied,
Whenever you see `ey`, that’s `{"` and then if it’s followed by a letter, you’ll get `J` followed by a letter.
I did a few tests in my terminal, and he was right! You can spot base64-encoded JSON with the naked eye, and you don’t need to decode it on the fly!
```console
$ echo "{" | base64
ewo=
$ echo "{\"" | base64
eyIK
$ echo "{\"s" | base64
eyJzCg==
$ echo "{\"a" | base64
eyJhCg==
$ echo "{\"word\"" | base64
eyJ3b3JkIgo=
```
But it gets even better! As tyzbit reported on the fediverse, you can even spot base64-encoded certificates and private keys! They all start with `LS`, which is reminiscent of the LS in “TLS certificate.”
```console
$ echo -en "-----BEGIN CERTIFICATE-----" | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
```
Errata

As pointed out by gnabgib and athorax on Hacker News, this actually detects the leading dashes of the PEM format, commonly used for certificates, and a YAML file that starts with `---` will yield the same result:

```console
$ echo "---\n" | base64
LS0tXG4K
```

This is not a silver bullet!
Thanks Davide and Denis for showing me this simple but pretty useful trick, and thanks tyzbit for completing it with certs and private keys!
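Since the `eyJ` and `LS0t` prefixes are only a hint, a check that relies on them should decode and parse each candidate before reporting it. The Python below is an added example, not code from the original post: it scans text for both prefixes and tells real JSON objects and PEM headers apart from look-alikes such as the YAML marker in the errata. The function names and the sample layout are assumptions, and only the standard base64 alphabet is handled.

```python
import base64
import binascii
import json
import re

# A base64 run that *starts* with one of the article's telltale prefixes.
CANDIDATE = re.compile(r"(?<![A-Za-z0-9+/])(?:eyJ|LS0t)[A-Za-z0-9+/]*={0,2}")
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def classify(token):
    """Decode a candidate; return (kind, detail), or None if it is not base64 text."""
    try:
        padded = token + "=" * (-len(token) % 4)
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if token.startswith("eyJ"):
        try:
            return ("json", sorted(json.loads(text)))  # report key names only
        except ValueError:
            return ("other", text)        # starts like JSON but does not parse
    header = PEM_HEADER.match(text)
    if header:
        return ("pem", header.group(1))   # e.g. CERTIFICATE, PRIVATE KEY
    return ("other", text)                # dashes only, e.g. a YAML marker

def scan(blob):
    """Return (kind, detail) for every candidate in blob that decodes."""
    hits = (classify(m.group(0)) for m in CANDIDATE.finditer(blob))
    return [h for h in hits if h is not None]

# Constructed input; the four encoded values are the ones shown in the article.
SAMPLE = """
"key_provider.pbkdf2.password_key": "eyJzYWx0IjoianpHUlpMVkFOZUZKcEpSeGo4UlhnNDhGZk9vQisrR0YvSG9ubTZzSUY5WT0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0=",
cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
yaml: LS0tXG4K
word: eyJ3b3JkIgo=
"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(kind, repr(detail))
```

Only the first two findings are what the prefix suggests; the last two decode fine but are reported as `other`, which is the false-positive case from the errata.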