diff --git a/github/resource_github_actions_environment_secret.go b/github/resource_github_actions_environment_secret.go
index f30ab2291a..1defbe1932 100644
--- a/github/resource_github_actions_environment_secret.go
+++ b/github/resource_github_actions_environment_secret.go
@@ -8,6 +8,7 @@ import (
 "github.com/google/go-github/v35/github"
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 )
 func resourceGithubActionsEnvironmentSecret() *schema.Resource {
@@ -39,6 +40,7 @@ func resourceGithubActionsEnvironmentSecret() *schema.Resource {
 ForceNew: true,
 Sensitive: true,
 ConflictsWith: []string{"plaintext_value"},
+ ValidateFunc: validation.StringIsBase64,
 },
 "plaintext_value": {
 Type: schema.TypeString,
@@ -68,7 +70,7 @@ func resourceGithubActionsEnvironmentSecretCreateOrUpdate(d *schema.ResourceData
 envName := d.Get("environment").(string)
 secretName := d.Get("secret_name").(string)
 plaintextValue := d.Get("plaintext_value").(string)
- var encryptedValue []byte
+ var encryptedValue string
 repo, _, err := client.Repositories.Get(ctx, owner, repoName)
 if err != nil {
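Review bot: In the `encrypted_value` schema entry, `validation.StringIsBase64` is attached to a field marked `Sensitive: true`, and as far as I know the SDK helper's error message includes the rejected value (`expected %q to be a base64 string, got %v`). A user who mistakenly puts a plaintext secret into `encrypted_value` would then see it echoed in plan output and CI logs. A small custom validator that reports only the attribute name avoids this; it needs `fmt` imported if the file does not already have it. The helper also checks encoding only, so it cannot tell ciphertext from base64-encoded plaintext. The schema map continues outside the hunk.

```go
ConflictsWith: []string{"plaintext_value"},
ValidateFunc: func(v interface{}, k string) ([]string, []error) {
	// The field is Sensitive: never include the value in the error.
	if _, err := base64.StdEncoding.DecodeString(v.(string)); err != nil {
		return nil, []error{fmt.Errorf("%q must be a base64-encoded string", k)}
	}
	return nil, nil
},
```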
@@ -81,19 +83,20 @@ func resourceGithubActionsEnvironmentSecretCreateOrUpdate(d *schema.ResourceData
 }
 if encryptedText, ok := d.GetOk("encrypted_value"); ok {
- encryptedValue = []byte(encryptedText.(string))
+ encryptedValue = encryptedText.(string)
 } else {
- encryptedValue, err = encryptPlaintext(plaintextValue, publicKey)
+ encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
 if err != nil {
 return err
 }
+ encryptedValue = base64.StdEncoding.EncodeToString(encryptedBytes)
 }
 // Create an EncryptedSecret and encrypt the plaintext value into it
 eSecret := &github.EncryptedSecret{
 Name: secretName,
 KeyID: keyId,
- EncryptedValue: base64.StdEncoding.EncodeToString(encryptedValue),
+ EncryptedValue: encryptedValue,
 }
 _, err = client.Actions.CreateOrUpdateEnvSecret(ctx, repo.GetID(), envName, eSecret)
diff --git a/website/docs/r/actions_environment_secret.html.markdown b/website/docs/r/actions_environment_secret.html.markdown
index d98fcf4d68..527b38fed8 100644
--- a/website/docs/r/actions_environment_secret.html.markdown
+++ b/website/docs/r/actions_environment_secret.html.markdown
@@ -61,7 +61,7 @@ The following arguments are supported:
 * `repository` - (Required) Name of the repository.
 * `environment` - (Required) Name of the environment.
 * `secret_name` - (Required) Name of the secret.
-* `encrypted_value` - (Optional) Encrypted value of the secret.
+* `encrypted_value` - (Optional) Encrypted value of the secret using the Github public key in Base64 format.
 * `plaintext_value` - (Optional) Plaintext value of the secret to be encrypted.
 ## Attributes Reference
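Review bot: In `resourceGithubActionsEnvironmentSecretCreateOrUpdate`, when `encrypted_value` is set the supplied ciphertext is uploaded with `KeyID: keyId`, presumably the ID of the public key fetched earlier in this function (outside the hunk), and nothing ties the ciphertext to that key. A value encrypted against a different or older key would be accepted here and stored under the current key ID. Since this cannot be checked from the ciphertext, document the requirement at the branch, e.g. `// encrypted_value must have been produced with the environment's current public key; it is sent under that key's ID as-is.` The comment above `eSecret` is also out of date now that no encryption happens at that point; `// Build the EncryptedSecret from the base64-encoded ciphertext` matches the new code.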