Kafka: hardcoded password in configuration is insecure

Kafka serves as a building block in log shipping, data lake, messaging and queueing solutions. As such, it is a vital and sensitive part of an organization's information security.

Using SSL keys is good practice; however, the key password must be kept confidential and stored in a safe place. Hardcoding the password in a configuration file nullifies the point of protecting the key with a password in the first place.


In server.properties, producer.properties, consumer.properties:


The same applies to the ssl.keystore. and ssl.key. configuration prefixes.


Use an environment variable instead. In Kafka, configuration properties are prefixed with KAFKA_ and converted to UPPER_SNAKE_CASE:


If environment variables cannot be used, consider a production-only templating solution such as confd.
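As an added example (not part of the original page or of Kafka's own tooling), the following Python script parses a constructed server.properties fragment, flags the SSL secret properties that carry a literal value, and maps each one to the KAFKA_ UPPER_SNAKE_CASE environment variable the page recommends. The property names and the KAFKA_ naming convention come from the page; the sample file contents, the minimal .properties parser and the function names are assumptions made for this illustration.

```python
import re
# Kafka SSL properties that carry secrets; a literal value in a checked-in
# .properties file is the hardcoded-password pattern this page describes.
SECRET_PROPERTIES = ("ssl.key.password", "ssl.keystore.password", "ssl.truststore.password")

# Constructed sample of an insecure server.properties (not a real deployment).
NONCOMPLIANT_PROPERTIES = """\
listeners=SSL://:9093
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=example-secret
ssl.key.password=example-secret
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=example-secret
"""

# Constructed compliant variant: secret keys are absent from the file and are
# supplied through KAFKA_* environment variables at start-up instead.
COMPLIANT_PROPERTIES = """\
listeners=SSL://:9093
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def find_hardcoded_secrets(text):
    """Return, sorted, the secret property names that carry a literal value."""
    props = parse_properties(text)
    return sorted(key for key in SECRET_PROPERTIES if props.get(key))

def env_var_name(prop):
    """ssl.keystore.password -> KAFKA_SSL_KEYSTORE_PASSWORD (KAFKA_ + UPPER_SNAKE_CASE)."""
    return "KAFKA_" + prop.replace(".", "_").upper()

def secrets_from_env(environ):
    """Collect the secret properties whose KAFKA_* variable is set; the caller
    decides whether a missing password is fatal for its deployment."""
    return {prop: environ[env_var_name(prop)]
            for prop in SECRET_PROPERTIES if environ.get(env_var_name(prop))}
```

Running `find_hardcoded_secrets` over a repository's .properties files in CI catches the pattern before it reaches a broker, while `secrets_from_env(os.environ)` shows the shape of the compliant alternative.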