Hi All,

I worked a bit with the encrypted keystore of OpenSearch (which is a fork of Elasticsearch - I think this encrypted keystore should be the same there). I had good experience with it.

You can check it here:
- https://www.elastic.co/docs/deploy-manage/security/secure-settings
- https://www.elastic.co/docs/reference/elasticsearch/command-line-tools/elasticsearch-keystore

Best Regards,
Dávid

Andor Molnár <[email protected]> wrote (on Fri, 19 Dec 2025 at 16:22):

> Hi Arjun
>
> I think that’s a very interesting idea and would be a great contribution to enhance ZooKeeper security. Unfortunately the answer to both questions is No: encrypted passwords are not supported currently in any way, I don’t know of anybody who’s already working on it, and encrypted transaction logs and snapshots are not supported either.
>
> You’re very welcome to work on these features and I’m happy to review your pull request. I suggest sharing this conversation with the dev@ list too. (cc’d)
>
> The idea of encrypted txn logs and snapshots is completely new to me, I don’t have a strong opinion on how we should do it, I’m eager to hear your thoughts on it.
>
> Encrypted passwords on disk: could you please elaborate on how exactly it’s done in Elasticsearch? I don’t know the details unfortunately. I know of Hadoop CredentialProvider API [1] which is actively used in other Apache projects, but that also needs a super password to be known by the clients. Potentially in another password file or environment variable.
>
> Andor
>
> [1] https://apache.github.io/hadoop/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html
>
> > On Dec 19, 2025, at 04:12, arjun s v <[email protected]> wrote:
> >
> > Also, are there any ways to encrypt transaction logs and snapshots?
> >
> > On Fri, Dec 19, 2025 at 12:27 PM arjun s v <[email protected]> wrote:
> >
> > > Team,
> > > I've been exploring ways to avoid keeping passwords in plaintext (for both SASL Digest and mTLS setups).
> > > While the *.passwordPath feature (added in 3.8) is a nice improvement—it keeps passwords out of configs and process listings—the passwords still sit in plaintext in those separate files. We shall secure them with strict file permissions, but if a host ever gets compromised at the root level, those passwords are exposed right away.
> > > I saw that Elasticsearch handles this differently: they have a built-in tool to store sensitive settings (like keystore passwords) in an encrypted file instead of plaintext.
> > > Is this already available in ZooKeeper? If not, has this come up before? If not, would the community be interested in something similar—maybe just a simple way to keep the keystore/truststore passwords (and perhaps SASL Digest ones) encrypted on disk rather than plain text?
> > >
> > > Thanks in advance!
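The pattern the thread circles around (an encrypted settings file that a master passphrase unlocks at startup, which is the principle behind both the Elasticsearch keystore and the Hadoop CredentialProvider API) in a form that can be run and tested. This is an added example, not code from the thread and not ZooKeeper, Elasticsearch or Hadoop code: the file layout, the PBKDF2 parameters, the ZK_SECRETS_PASSPHRASE environment variable, the zk-secrets.enc file name and the setting names used as sample keys are all assumptions of the example, and the Elasticsearch keystore's actual on-disk format is different.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Example parameters and names; none of these are ZooKeeper, Elasticsearch or Hadoop settings.
const (
	saltLen       = 16
	nonceLen      = 12 // standard GCM nonce size
	hdrLen        = saltLen + nonceLen + 4
	kdfIterations = 100_000                 // PBKDF2 rounds; raise to your CPU budget
	envPassphrase = "ZK_SECRETS_PASSPHRASE" // hypothetical env var holding the master passphrase
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written on the standard library alone.
func pbkdf2SHA256(passphrase, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)         // Uj = PRF(P, Uj-1)
			subtle.XORBytes(t, t, u) // T = U1 xor U2 xor ... xor Uc
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// aeadFor builds AES-256-GCM from the derived key. Both constructors only fail on
// bad sizes, which the fixed 32-byte key rules out, so a failure here is a bug.
func aeadFor(passphrase string, salt []byte, iterations int) cipher.AEAD {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, 32))
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal encrypts setting-name -> secret pairs under the master passphrase.
// Layout: salt(16) || nonce(12) || iterations(uint32 BE) || AES-GCM ciphertext+tag.
// The header doubles as GCM associated data, so editing it is detected as well.
func Seal(passphrase string, secrets map[string]string) ([]byte, error) {
	if passphrase == "" {
		return nil, errors.New("empty master passphrase")
	}
	plain, err := json.Marshal(secrets)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil { // fresh salt and nonce for every file written
		return nil, err
	}
	hdr = binary.BigEndian.AppendUint32(hdr, kdfIterations)
	gcm := aeadFor(passphrase, hdr[:saltLen], kdfIterations)
	return append(hdr, gcm.Seal(nil, hdr[saltLen:saltLen+nonceLen], plain, hdr)...), nil
}

// Open decrypts a store written by Seal. A wrong passphrase or any edit to the
// file fails GCM authentication and yields an error, never garbage secrets.
func Open(passphrase string, data []byte) (map[string]string, error) {
	if len(data) < hdrLen {
		return nil, errors.New("truncated secret store")
	}
	hdr := data[:hdrLen]
	iterations := int(binary.BigEndian.Uint32(hdr[saltLen+nonceLen:]))
	// The header is only authenticated after the KDF has run, so bound the work a
	// tampered iteration count could make this process do before trusting it.
	if iterations < 1 || iterations > 10_000_000 {
		return nil, errors.New("implausible KDF iteration count")
	}
	gcm := aeadFor(passphrase, hdr[:saltLen], iterations)
	plain, err := gcm.Open(nil, hdr[saltLen:saltLen+nonceLen], data[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("cannot open secret store: wrong passphrase or tampered file")
	}
	var secrets map[string]string
	if err := json.Unmarshal(plain, &secrets); err != nil {
		return nil, err
	}
	return secrets, nil
}

func main() {
	passphrase := os.Getenv(envPassphrase) // the master secret itself still has to come from somewhere
	if passphrase == "" {
		fmt.Fprintln(os.Stderr, "set", envPassphrase, "first")
		os.Exit(2)
	}
	// Constructed sample value: what would otherwise sit in plaintext in a *.passwordPath file.
	data, err := Seal(passphrase, map[string]string{"ssl.keyStore.password": "example-keystore-pw"})
	if err != nil {
		panic(err)
	}
	if err := os.WriteFile("zk-secrets.enc", data, 0o600); err != nil { // same mode as a password file
		panic(err)
	}
	secrets, err := Open(passphrase, data)
	fmt.Println("settings loaded:", len(secrets), "err:", err) // names and values deliberately not printed
}
```

Run it with `ZK_SECRETS_PASSPHRASE=... go run .`. What the scheme buys is that a copy of the file (a backup, a config repository, a stray tarball) is useless without the passphrase, and that any edit to the file, header included, is rejected instead of being decrypted into garbage. What it does not buy is protection from root on the same host, which is the point Andor raises: the process has to reach the passphrase somehow, so it sits in an environment variable, another file or a prompt at startup, and whoever can read the process environment or that file has everything. The output is still written with mode 0600, the same protection a passwordPath file gets, because the encryption adds to file permissions rather than replacing them.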
