How to encrypt Kafka security configuration passwords at broker and client side.

I am currently storing the Kafka security configurations (password-related configs) in plain-text format in the following ways:

  1. at the Kafka server side in Kafka/config/server.properties
    ssl.truststore.password=
    ssl.keystore.password=
    ssl.key.password=
    listener.name.sasl.ssl.scram-sha-256.sasl.jaas.config.password=
     the values are plain-text passwords
  2. at the client side in application.properties
    spring.cloud.stream.kafka.binder.jaas.options.password = 
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password = 
     the values are plain-text passwords

But instead of storing these passwords as plain text, I want to store them in encrypted form at both the above places. I am looking for some sample examples for the same, as I couldn't find any helpful resources for the same.

OneCricketeer

1 Answer

1

For the broker, I'm not sure you can. Rather, you'd limit who can access the server. You can use scripts to generate the file from external services like Vault, but the file itself will still consist of plaintext values.

For the client, Spring properties can use variable interpolation with environment variables, Spring Config Server, Vault etc.

OneCricketeer
  • Hi @OneCricketeer, I have found other Stack Overflow responses where some people suggest using this at the broker side http://kafka.apache.org/documentation/#dynamicbrokerconfigs but with this I am not sure how to proceed on the client side. If you have any suggestions on this, that would be great. Thanks for the earlier response – Sudarsh1 Jun 06 '23 at 11:22
  • That solution requires Zookeeper, but Zookeeper will be removed in new versions of Kafka, so I don't recommend following that at this time... For clients, as I said, there's nothing unique to Kafka here. Read the Spring Boot documentation on application configuration and externalized config – OneCricketeer Jun 06 '23 at 12:21
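
The answer's suggestion of generating the broker file from an external secret store, as an added example (not code from the answer or from Kafka). It assumes the secrets have already been fetched into environment variables; the variable names and the template are hypothetical, and the rendered file still holds plaintext, so it is written owner-readable only.

```python
import os
import re
import tempfile

# Placeholders look like ${KAFKA_KEYSTORE_PASSWORD}; the names are hypothetical.
PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")

# Constructed template: broker keys from the question with placeholders as values.
TEMPLATE = """\
ssl.truststore.password=${KAFKA_TRUSTSTORE_PASSWORD}
ssl.keystore.password=${KAFKA_KEYSTORE_PASSWORD}
ssl.key.password=${KAFKA_KEY_PASSWORD}
"""


def escape_value(value):
    """Java .properties treats backslash as an escape character, so double it."""
    return value.replace("\\", "\\\\")


def render_properties(template, secrets):
    """Substitute every ${NAME}; refuse to render if a secret is missing or empty."""
    missing = sorted({n for n in PLACEHOLDER.findall(template) if not secrets.get(n)})
    if missing:
        raise KeyError("missing secrets: " + ", ".join(missing))
    # A function replacement stops re.sub from interpreting the secret's backslashes.
    return PLACEHOLDER.sub(lambda m: escape_value(secrets[m.group(1)]), template)


def write_private(path, text):
    """Write atomically with mode 0600 so only the broker's user can read it."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file as 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic swap: no half-written config is visible
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Assumption: a secrets-manager agent or wrapper exported these variables.
    write_private("server.properties", render_properties(TEMPLATE, os.environ))
```

Keeping only the template in version control and rendering at deploy time means the passwords never reach the repository, which is the access-limiting approach the answer describes rather than encryption of the file itself.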