diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 3fa6d63290..2c2672758f 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -94,4 +94,4 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 : ${DIGITALOCEAN_MACHINE_SIZE:='s-2vcpu-2gb'}
 DIGITALOCEAN_PARALLEL="${PARALLEL_TESTS:-8}"
 # DIGITALOCEAN_TOKEN_JSON env var is used for credentials, and should
-# come from sdk_container/.env
+# come from sdk_container/.env. It must be base64-encoded.
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index 3a21f177da..ce01d55765 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -275,8 +275,9 @@ function url_from_template() {
 # --
 # Puts a secret into a file, while trying for the secret to not end up
-# on a filesystem at all. A path to the file with the secret in
-# /proc in put into the chosen variable.
+# on a filesystem at all. A path to the file with the secret in /proc
+# in put into the chosen variable. The secret is assumed to be
+# base64-encoded.
 #
 # Typical use:
 # secret_file=''
@@ -294,7 +295,7 @@ function secret_to_file() {
 exec {fd}<>"${tmpfile}"
 rm -f "${tmpfile}"
- echo "${secret}" >&${fd}
+ echo "${secret}" | base64 --decode >&${fd}
 config_ref="/proc/${$}/fd/${fd}"
 }
 # --
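Review bot: The reworded header comment for secret_to_file still carries the typo "in put into the chosen variable" (should be "is put"), and "assumed to be base64-encoded" does not tell a caller what the function does with the value or what happens when the assumption is wrong. I would state the contract directly, for example `# The secret must be base64-encoded; it is decoded before being written.` It is also worth adding one line saying that base64 is only an encoding and gives no confidentiality, so the variable and sdk_container/.env need the same protection as the raw credential. The comment block continues past the end of this hunk.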
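Review bot: The decode result is never checked at `echo "${secret}" | base64 --decode >&${fd}`: if a caller still passes a raw, un-encoded secret, `base64` exits non-zero after writing nothing or only a decoded prefix, and `config_ref` is still pointed at that file. Whether `set -e` is in effect is not visible in this hunk, so I would make the failure explicit with `echo "${secret}" | base64 --decode >&${fd} || { echo "secret_to_file: secret is not valid base64" >&2; return 1; }`, which reports the problem without printing the value. Keeping the pipe rather than switching to a here-string is the right choice, since bash may back a here-string with a temporary file and this function is trying to keep the secret off the filesystem. The start of secret_to_file lies outside the hunk, and any other callers not shown in this diff would need their secrets encoded as well.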