Hi Arjun,

I think that’s a very interesting idea and would be a great contribution to enhance ZooKeeper security. Unfortunately the answer to both questions is No: encrypted passwords are not supported currently in any way, I don’t know of anybody who’s already working on it, and encrypted transaction logs and snapshots are not supported either.
You’re very welcome to work on these features and I’m happy to review your pull request. I suggest sharing this conversation with the dev@ list too. (cc’d)

The idea of encrypted txn logs and snapshots is completely new to me, I don’t have a strong opinion on how we should do it, I’m eager to hear your thoughts on it.

Encrypted passwords on disk: could you please elaborate on how exactly it’s done in Elasticsearch? I don’t know the details unfortunately. I know of Hadoop CredentialProvider API [1] which is actively used in other Apache projects, but that also needs a super password to be known by the clients. Potentially in another password file or environment variable.

Andor

[1] https://apache.github.io/hadoop/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html

> On Dec 19, 2025, at 04:12, arjun s v <[email protected]> wrote:
>
> Also, are there any ways to encrypt transaction logs and snapshots?
>
> On Fri, Dec 19, 2025 at 12:27 PM arjun s v <[email protected]> wrote:
>
>> Team,
>> I've been exploring ways to avoid keeping passwords in plaintext (for both
>> SASL Digest and mTLS setups).
>> While the *.passwordPath feature (added in 3.8) is a nice improvement—it
>> keeps passwords out of configs and process listings—the passwords still sit
>> in plaintext in those separate files. We shall secure them with strict file
>> permissions, but if a host ever gets compromised at the root level, those
>> passwords are exposed right away.
>> I saw that Elasticsearch handles this differently: they have a built-in
>> tool to store sensitive settings (like keystore passwords) in an encrypted
>> file instead of plaintext.
>> Is this already available in ZooKeeper? If not, has this come up before?
>> If not, would the community be interested in something similar—maybe just a
>> simple way to keep the keystore/truststore passwords (and perhaps SASL
>> Digest ones) encrypted on disk rather than plain text?
>>
>> Thanks in advance!
>>
