Also, are there any ways to encrypt transaction logs and snapshots? On Fri, Dec 19, 2025 at 12:27 PM arjun s v <[email protected]> wrote:
> Team, > I've been exploring ways to avoid keeping passwords in plaintext (for both > SASL Digest and mTLS setups). > While the *.passwordPath feature (added in 3.8) is a nice improvement—it > keeps passwords out of configs and process listings—the passwords still sit > in plaintext in those separate files. We shall secure them with strict file > permissions, but if a host ever gets compromised at the root level, those > passwords are exposed right away. > I saw that Elasticsearch handles this differently: they have a built-in > tool to store sensitive settings (like keystore passwords) in an encrypted > file instead of plaintext. > Is this already available in ZooKeeper? If not, has this come up before? > If not, would the community be interested in something similar—maybe just a > simple way to keep the keystore/truststore passwords (and perhaps SASL > Digest ones) encrypted on disk rather than plain text? > > Thanks in advance! >
