Kafka: hardcoded password in configuration is insecure

Kafka serves as a building block in log shipping, data lake, messaging and queueing solutions. The data flowing through it is often sensitive, which makes the cluster and its credentials a high-value part of an organisation's information security.

Protecting the SSL/TLS private key with a password is good practice, but that password must itself be kept confidential and stored safely. Hardcoding it in a configuration file that is readable by anyone with access to the host, or that ends up in version control, defeats the purpose of password-protecting the key.

Problem

In server.properties, producer.properties, consumer.properties:

ssl.keystore.password=test1234

The same applies to the other secret-bearing SSL properties, ssl.key.password and ssl.truststore.password, and to any listener-prefixed copies of them (listener.name.<name>.ssl.keystore.password and so on).

Fix

Use an environment variable. Note that Apache Kafka itself does not read server.properties values from the environment: the convention of prefixing the property name with KAFKA_ and converting it to UPPER_SNAKE_CASE (ssl.keystore.password becomes KAFKA_SSL_KEYSTORE_PASSWORD) is implemented by the Confluent Platform Docker images, which render the variables into server.properties when the container starts:

KAFKA_SSL_KEYSTORE_PASSWORD=xyz

Plain Kafka can resolve ${...} placeholders in the properties file through a config provider instead: FileConfigProvider (Kafka 2.0 and later) reads the value from a separate file that can be given restrictive permissions, and EnvVarConfigProvider (Kafka 3.5 and later) reads it from the environment. Either way the secret is no longer stored in the main configuration file, but keep in mind that environment variables are still visible to anyone who can inspect the process, so restrict who can do that. If neither option is available, render the properties file at deploy time from a secret store with a templating tool such as confd, so that the real password only ever exists on the production host, and keep the rendered file out of version control with permissions restricted to the Kafka service user.
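As an added example (not code from this page or from the Kafka project), the Python checker below parses a .properties file and reports any key ending in .password or .secret, or a password="..." literal inside sasl.jaas.config, whose value is hardcoded rather than a ${provider:...} placeholder. It generalises the page's single ssl.keystore.password case to the other secret-bearing keys. The insecure and hardened server.properties samples are constructed for the example; the hardened one assumes Kafka 3.5 or later for EnvVarConfigProvider, and the environment variable names in it are assumptions.

```python
"""Scan Kafka .properties files for hardcoded secrets.

Added example (not from the page or the Kafka project). Flags any key ending in
.password or .secret whose value is a literal instead of a Kafka ConfigProvider
placeholder (${env:VAR}, ${file:/path:key}), and password="..." literals inside
sasl.jaas.config. INSECURE, HARDENED and JAAS_INSECURE are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Kafka ConfigProvider placeholders look like ${provider:[path:]key}.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_]+:[^}]*\}$")
# Property keys that carry a secret: ssl.keystore.password, ssl.key.password,
# ssl.truststore.password, their listener-prefixed variants, and similar.
SECRET_KEY = re.compile(r"(^|\.)(password|secret)$")
# password="..." inside a JAAS login-module string.
JAAS_PASSWORD = re.compile(r'password\s*=\s*"(?P<pw>[^"]*)"')

# Constructed sample: the page's insecure setting plus the other secret-bearing keys.
INSECURE = """\
# server.properties (insecure)
listeners=SSL://:9093
ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
ssl.truststore.password=test1234
"""

# Constructed sample: same broker config, secrets resolved at startup by Kafka's
# EnvVarConfigProvider (Kafka 3.5+). The variable names are assumptions.
HARDENED = """\
# server.properties (hardened)
listeners=SSL://:9093
config.providers=env
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
ssl.keystore.password=${env:KAFKA_SSL_KEYSTORE_PASSWORD}
ssl.key.password=${env:KAFKA_SSL_KEY_PASSWORD}
ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
ssl.truststore.password=${env:KAFKA_SSL_TRUSTSTORE_PASSWORD}
"""

# Constructed sample: SASL/PLAIN credentials inlined in a JAAS string.
JAAS_INSECURE = (
    'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule '
    'required username="admin" password="admin-secret";\n'
)


def parse_properties(text: str) -> Dict[str, Tuple[str, int]]:
    """Minimal Java .properties parser: key=value, key:value or key value,
    '#'/'!' comment lines and backslash line continuation (a trailing
    backslash is always treated as a continuation; escaped backslashes are
    not handled). Returns key -> (value, line number where the key starts)."""
    props: Dict[str, Tuple[str, int]] = {}
    pending = ""
    start_line = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#!":
                continue
            start_line = lineno
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = (m.group(2), start_line)
    return props


def find_hardcoded_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, key, reason) for every property holding a literal secret.
    Empty values and ${provider:...} placeholders are accepted."""
    findings: List[Tuple[int, str, str]] = []
    for key, (value, lineno) in parse_properties(text).items():
        if SECRET_KEY.search(key):
            if value and not PLACEHOLDER.match(value):
                findings.append((lineno, key, "literal password value"))
        elif key.endswith("sasl.jaas.config"):
            for m in JAAS_PASSWORD.finditer(value):
                if not PLACEHOLDER.match(m.group("pw")):
                    findings.append((lineno, key, "literal password in JAAS config"))
    return findings


if __name__ == "__main__":
    samples = (("INSECURE", INSECURE), ("HARDENED", HARDENED), ("JAAS_INSECURE", JAAS_INSECURE))
    for name, cfg in samples:
        hits = find_hardcoded_secrets(cfg)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, key, reason in hits:
            print(f"  line {lineno}: {key}: {reason}")
```

Run it against real server.properties, producer.properties and consumer.properties files (for example in a pre-commit hook or CI job) by reading the file and passing its contents to find_hardcoded_secrets; an empty result means every secret-bearing key is either unset or delegated to a config provider.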

See