Posted to users@kafka.apache.org by Sunil Kumar <ks...@gmail.com> on 2022/02/08 02:46:57 UTC

encrypt the password in jaas conf

Hi,

We have a requirement to encrypt the passwords defined in the Kafka JAAS
conf file after enabling SASL_SSL. While starting the broker, we are passing
the Kafka JAAS conf file as an export argument in the Kafka start script.
A JIRA issue has been reported at https://issues.apache.org/jira/browse/KAFKA-13652
for the same problem.

Please suggest if it is already addressed or alternative ways.



Thanks,
KSunil

Re: encrypt the password in jaas conf

Posted by Sunil Kumar <ks...@gmail.com>.
Hi,

Can anyone update me on the solution requested to encrypt the credentials
in the Kafka JAAS conf file and in server.properties?


Thanks,
KSunil

On Tue, Feb 8, 2022 at 10:46 AM Sunil Kumar <ks...@gmail.com> wrote:

> Hi,
>
> We have a requirement to encrypt the passwords defined in the Kafka JAAS
> conf file after enabling SASL_SSL. While starting the broker, we are passing
> the Kafka JAAS conf file as an export argument in the Kafka start script.
> A JIRA issue has been reported at
> https://issues.apache.org/jira/browse/KAFKA-13652 for the same
> problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>
>
>

RE: encrypt the password in jaas conf

Posted by Bill Gibson <bi...@microfocus.com>.
For SASL/PLAIN, an option for client code is to use the sasl.jaas.config property instead of a jaas property file.
You can store the password encrypted, decrypt it at runtime, and set the "sasl.jaas.config" property in the client configuration properties.
I have used this method.

For the broker JAAS configuration, you might be able to keep the plaintext password out of a file by setting the broker sasl.jaas.config property at runtime with kafka-configs.sh.
The Kafka docs say this property can be dynamically updated per-broker.
https://kafka.apache.org/documentation/#brokerconfigs_sasl.jaas.config
I have not tried setting the broker property dynamically.

The docs say you can avoid plaintext stored passwords by using a SASL callback handler to decrypt credentials.
https://kafka.apache.org/documentation/#security_sasl_plain_production

Bill

-----Original Message-----
From: Luke Chen <sh...@gmail.com> 
Sent: Monday, February 7, 2022 10:47 PM
To: Kafka Users <us...@kafka.apache.org>
Subject: Re: encrypt the password in jaas conf

Hi KSunil,

Sorry, there's no encryption support for Kafka JAAS configuration.
You could consider configuring SCRAM for stronger security.
ref:
https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html

Thank you.
Luke



On Tue, Feb 8, 2022 at 1:06 PM Sunil Kumar <ks...@gmail.com> wrote:

> Hi,
>
> We have a requirement to encrypt the passwords defined in the Kafka
> JAAS conf file after enabling SASL_SSL. While starting the broker, we
> are passing the Kafka JAAS conf file as an export argument in the Kafka start script.
> A JIRA issue has been reported at
> https://issues.apache.org/jira/browse/KAFKA-13652
> for the same problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>
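
The client-side approach from Bill Gibson's reply above (store the password encrypted, decrypt it at runtime, set sasl.jaas.config), as an added example that is not code from this thread or from Apache Kafka. It assumes AES-GCM with a key supplied from outside the config file; the class name, the stored-value layout, the user name and the sample password are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

public class EncryptedJaasConfig {
    // Stored form (assumed for this example): base64(nonce) ":" base64(ciphertext || GCM tag).
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(nonce) + ":" + Base64.getEncoder().encodeToString(ct);
    }
    // Throws AEADBadTagException if the stored value was altered or the key is wrong.
    static String decrypt(SecretKey key, String stored) throws Exception {
        String[] parts = stored.split(":", 2);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Base64.getDecoder().decode(parts[0])));
        return new String(c.doFinal(Base64.getDecoder().decode(parts[1])), StandardCharsets.UTF_8);
    }
    // JAAS option values are double-quoted; escape backslashes and quotes inside them.
    static String quote(String v) {
        return "\"" + v.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }
    // Client properties with the decrypted password held only in memory.
    static Properties clientProps(String user, String password) {
        Properties p = new Properties();
        p.put("security.protocol", "SASL_SSL");
        p.put("sasl.mechanism", "PLAIN");
        p.put("sasl.jaas.config", "org.apache.kafka.common.security.plain.PlainLoginModule required"
                + " username=" + quote(user) + " password=" + quote(password) + ";");
        return p;
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real key comes from a KMS or secret store, not from beside the ciphertext.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        String stored = encrypt(key, "constructed-p\"ss");  // constructed sample; this is what sits on disk
        Properties props = clientProps("alice", decrypt(key, stored));  // "alice" is a constructed user
        // props then goes to new KafkaProducer<>(props) or new KafkaConsumer<>(props).
        System.out.println(props.getProperty("sasl.jaas.config").contains("\\\"ss\"") ? "ok" : "mismatch");
    }
}
```

The protection is only as strong as the separation between the key and the stored ciphertext: if both are readable by the same account on the same host, the password is obfuscated rather than protected.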

Re: encrypt the password in jaas conf

Posted by Luke Chen <sh...@gmail.com>.
Hi KSunil,

Sorry, there's no encryption support for Kafka JAAS configuration.
You could consider configuring SCRAM for stronger security.
ref:
https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html

Thank you.
Luke



On Tue, Feb 8, 2022 at 1:06 PM Sunil Kumar <ks...@gmail.com> wrote:

> Hi,
>
> We have a requirement to encrypt the passwords defined in the Kafka JAAS
> conf file after enabling SASL_SSL. While starting the broker, we are passing
> the Kafka JAAS conf file as an export argument in the Kafka start script.
> A JIRA issue has been reported at
> https://issues.apache.org/jira/browse/KAFKA-13652
> for the same problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>