diff --git a/Taskfile.yaml b/Taskfile.yaml
index d93d2a5d..f43def9b 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -155,10 +155,11 @@ tasks:
 - for: sources
 cmd: |
 echo "Sealing - {{ .ITEM }} with {{ .KUBESEAL_PUBLIC_CERT }}"
- outfile=$(sed -e 's/.unsealed.yaml/.sealed.yaml/' <<< "{{ .ITEM }}")
+ OUTFILE=$(sed -e 's/.unsealed.yaml/.sealed.yaml/' <<< "{{ .ITEM }}")
+ CONTENT=$(cat {{ .ITEM }} | sed '{{ "s/.*{{.*//" }}' | sed '{{ "s/---//" }}' )
 if [ -s "{{ .ITEM }}" ]; then
- cat {{ .ITEM }} | kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml > $outfile
- echo "Sealed - $outfile"
+ cat {{ .ITEM }} | kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml > $OUTFILE
+ echo "Sealed - $OUTFILE"
 else
 echo "WARNING: no content in {{ .ITEM }}. Skipping."
 fi
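Review bot: `CONTENT` is assigned on the new line but never read in this task — the kubeseal invocation two lines below still pipes `cat {{ .ITEM }}`, so the two `sed` filters have no effect on what gets sealed and the assignment is dead. Either drop it or use it the way the unseal task in the next hunk does, `echo "${CONTENT}" | kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml > "$OUTFILE"`; if stripping is intended here, bear in mind that `s/.*{{.*//` blanks every line that contains `{{`, not just the template expression, so a templated key or value disappears from the sealed output with no warning. The redirect target `$OUTFILE` is derived from `{{ .ITEM }}` and should be quoted (`> "$OUTFILE"`) here and in both branches of the unseal task in the following hunk. The enclosing task definition starts before this hunk.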
@@ -168,21 +169,24 @@ tasks:
 desc: "Un-Kubeseal all *.sealed.yaml secrets into and over adjacent *.unsealed.yaml files."
 silent: true
 sources:
- - "{{ .CHARTS_DIR }}/**/*.sealed.yaml"
+ - "{{ .CHARTS_DIR }}/**/*.sealed.yaml"
 generates:
- - "{{ .CHARTS_DIR }}/**/*.unsealed.yaml"
+ - "{{ .CHARTS_DIR }}/**/*.unsealed.yaml"
 cmds:
- - for: sources
- cmd: |
- echo "Unsealing - {{ .ITEM }} with {{ .KUBESEAL_PRIVATE_KEY }}"
- outfile=$(sed -e 's/.sealed.yaml/.unsealed.yaml/' <<< "{{ .ITEM }}")
- if [[ ! $(cat {{ .ITEM }} | yq ' .spec.template.metadata.labels."cromwell-tools.co.uk/binarysecret"') = 'true' ]]; then
- cat {{ .ITEM }} | sed 's/.*{-.*//' | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml | yq '.data |= map_values(@base64d) | .stringData = .data | del(.data) | del(.metadata.ownerReferences)' > $outfile
- else
- cat {{ .ITEM }} | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml > $outfile
- echo "WARNING: secret is binary. Skipping base64 decode."
- fi
- echo "Unsealed - $outfile"
+ - for: sources
+ cmd: |
+ echo "Unsealing - {{ .ITEM }} with {{ .KUBESEAL_PRIVATE_KEY }}"
+ OUTFILE=$(sed -e 's/.sealed.yaml/.unsealed.yaml/' <<< "{{ .ITEM }}")
+ CONTENT=$(cat {{ .ITEM }} | sed '{{ "s/.*{{.*//" }}' | sed '{{ "s/---//" }}' )
+ if [[ ! $( echo "${CONTENT}" | yq ' .spec.template.metadata.labels."secret.deepcypher.me/bas64only"') = 'true' ]]; then
+ echo "Unsealing and base64 decoding - ${{ .ITEM }}"
+ echo "${CONTENT}" | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml | yq '.data |= map_values(@base64d) | .stringData = .data | del(.data) | del(.metadata.ownerReferences)' > $OUTFILE
+ else
+ echo "Unsealing - ${{ .ITEM }}"
+ echo "${CONTENT}" | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml > $OUTFILE
+ echo "WARNING: secret is binary. Skipping base64 decode."
+ fi
+ echo "Unsealed - $OUTFILE"
 method: none
 crossplane-keycloak-reset:
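Review bot: The two added progress lines use `${{ .ITEM }}`; once Task renders the template this becomes `$` followed by the file path, so the shell expands the path's first segment as a variable and the message prints a wrong or empty name — drop the `$`, i.e. `echo "Unsealing and base64 decoding - {{ .ITEM }}"` and `echo "Unsealing - {{ .ITEM }}"`, matching the first echo in the block. The new `CONTENT` pre-filter blanks every line containing `{{` and removes every `---` occurrence anywhere in the file, not only separator lines, so a templated field or a multi-document sealed file reaches kubeseal altered without any warning; a comment above the assignment stating which template lines are expected in sealed files and why they must be stripped would make that intent reviewable. It is also worth confirming that the label key queried by `yq` is the one the sealing side actually sets on binary secrets, since a mismatch silently takes the base64-decode branch. The task definition starts before this hunk.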