For SASL/PLAIN, an option for client code is to use the sasl.jaas.config 
property instead of a jaas property file.
You can store the password encrypted, decrypt it at runtime, and set the 
"sasl.jaas.config" property in the client configuration properties.
I have used this method.

For the broker jaas configuration, you might be able to keep the plaintext 
password out of a file by setting the broker sasl.jaas.config property at 
runtime with kafka-configs.sh.
The Kafka docs say this property can be dynamically updated per-broker.
https://kafka.apache.org/documentation/#brokerconfigs_sasl.jaas.config
I have not tried setting the broker property dynamically.

The docs say you can avoid plaintext stored passwords by using a SASL callback 
handler to decrypt credentials.
https://kafka.apache.org/documentation/#security_sasl_plain_production

Bill
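
The client-side approach from the reply above (store the password encrypted, decrypt it at runtime, set sasl.jaas.config), shown as an added example that is not part of the original email or of Kafka's own code. The AES-GCM blob layout, the class and method names, and the sample credentials are assumptions of this example; the backslash escaping keeps a password containing quotes from breaking the JAAS string.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EncryptedJaasClientConfig {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    // Blob layout (assumed here): base64(nonce || AES-GCM ciphertext and tag).
    // doFinal throws AEADBadTagException if the blob was modified or the key is wrong.
    static String decrypt(String blobB64, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(blobB64);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        return new String(c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN), StandardCharsets.UTF_8);
    }

    // Backslash-escape \ and " so the value stays a single quoted token in the JAAS string.
    static String quote(String s) {
        return '"' + s.replace("\\", "\\\\").replace("\"", "\\\"") + '"';
    }

    static Properties clientProps(String user, String encryptedPw, byte[] key) throws Exception {
        Properties p = new Properties();
        p.put("security.protocol", "SASL_SSL");
        p.put("sasl.mechanism", "PLAIN");
        p.put("sasl.jaas.config",
              "org.apache.kafka.common.security.plain.PlainLoginModule required username="
              + quote(user) + " password=" + quote(decrypt(encryptedPw, key)) + ";");
        return p; // hand to KafkaProducer/KafkaConsumer; do not log this object
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo data: a real key would come from a secret store, not from code.
        byte[] key = new byte[32], nonce = new byte[NONCE_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key); rng.nextBytes(nonce);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = enc.doFinal("p@ss\"w\\ord".getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, blob, NONCE_LEN, ct.length);
        Properties p = clientProps("alice", Base64.getEncoder().encodeToString(blob), key);
        System.out.println(p.getProperty("sasl.jaas.config").replaceAll("password=.*;$", "password=<redacted>;"));
    }
}
```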

-----Original Message-----
From: Luke Chen <show...@gmail.com> 
Sent: Monday, February 7, 2022 10:47 PM
To: Kafka Users <users@kafka.apache.org>
Subject: Re: encrypt the password in jaas conf

Hi KSunil,

Sorry, there's no encryption support for kafka jaas configuration.
You could consider configuring SCRAM for stronger security.
ref:
https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html

Thank you.
Luke



On Tue, Feb 8, 2022 at 1:06 PM Sunil Kumar <ksk...@gmail.com> wrote:

> Hi,
>
> We have a requirement to encrypt the passwords defined in the kafka 
> jaas conf file after enabling SASL_SSL. While starting the broker, we 
> are passing the kafka jaas conf file as an export argument in the kafka 
> start script.
> A JIRA issue is reported at
> https://issues.apache.org/jira/browse/KAFKA-13652
> for the same problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>
