Team,

I've been exploring ways to avoid keeping passwords in plaintext (for both SASL Digest and mTLS setups). While the *.passwordPath feature (added in 3.8) is a nice improvement—it keeps passwords out of configs and process listings—the passwords still sit in plaintext in those separate files. We shall secure them with strict file permissions, but if a host ever gets compromised at the root level, those passwords are exposed right away.

I saw that Elasticsearch handles this differently: they have a built-in tool to store sensitive settings (like keystore passwords) in an encrypted file instead of plaintext.

Is this already available in ZooKeeper? If not, has this come up before? If not, would the community be interested in something similar—maybe just a simple way to keep the keystore/truststore passwords (and perhaps SASL Digest ones) encrypted on disk rather than plain text?

Thanks in advance!
