...

  • Name: password.encoder.secret  Type: Password
  • Name: password.encoder.old.secret  Type: Password (only used when password.encoder.secret is rotated)
  • Name: password.encoder.keyfactory.algorithm  Type: String Default: PBKDF2WithHmacSHA512 if available, otherwise PBKDF2WithHmacSHA1 (e.g. Java7)
  • Name: password.encoder.cipher.algorithm  Type: String  Default: AES/CBC/PKCS5Padding
  • Name: password.encoder.key.length  Type: Integer  Default: 128
  • Name: password.encoder.iterations  Type: Integer  Default: 4096 (changed from 2048)

The secret will not be dynamically configurable and hence will never be stored in ZooKeeper. All the dynamic password configs are per-broker configs, so there is no requirement to maintain the same secret across all brokers. To change password.encoder.secret, each broker must be restarted with an updated server.properties that contains the new secret in the config password.encoder.secret as well as the old secret in the config password.encoder.old.secret. The broker will decode all passwords in ZooKeeper using password.encoder.old.secret and update the values in ZooKeeper after re-encoding them using password.encoder.secret. The config password.encoder.old.secret will be used only if the passwords in ZooKeeper are encoded using the old value and will be ignored otherwise.
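The rotation step described above, sketched in Java as an added example (this is not Kafka's code). The algorithm names, key length and iteration count are the defaults listed above; the class and method names, the sample secrets and the `salt:iv:length:ciphertext` storage layout are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

public class EncoderSecretRotation {
    // Defaults from the config list; the stored layout "salt:iv:length:ciphertext" is assumed.
    static final String KDF = "PBKDF2WithHmacSHA512", CIPHER = "AES/CBC/PKCS5Padding";
    static final int KEY_BITS = 128, ITERATIONS = 4096;

    static SecretKeySpec deriveKey(String secret, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, ITERATIONS, KEY_BITS);
        return new SecretKeySpec(SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded(), "AES");
    }

    static String encode(String password, String secret) throws GeneralSecurityException {
        byte[] salt = new byte[16], iv = new byte[16], plain = password.getBytes(StandardCharsets.UTF_8);
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);   // fresh salt and IV for every encoding
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, deriveKey(secret, salt), new IvParameterSpec(iv));
        Base64.Encoder b64 = Base64.getEncoder();
        return String.join(":", b64.encodeToString(salt), b64.encodeToString(iv),
                String.valueOf(plain.length), b64.encodeToString(c.doFinal(plain)));
    }

    static String decode(String stored, String secret) throws GeneralSecurityException {
        String[] p = stored.split(":");
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, deriveKey(secret, b64.decode(p[0])), new IvParameterSpec(b64.decode(p[1])));
        byte[] plain = c.doFinal(b64.decode(p[3]));   // usually throws BadPaddingException on a wrong secret
        // CBC has no integrity check: the length field catches a wrong secret that happens to unpad.
        if (plain.length != Integer.parseInt(p[2])) throw new GeneralSecurityException("wrong secret");
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Old secret is used only when the value does not decode with the current secret.
    static String rotate(String stored, String secret, String oldSecret) throws GeneralSecurityException {
        try { decode(stored, secret); return stored; }
        catch (GeneralSecurityException e) { return encode(decode(stored, oldSecret), secret); }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = encode("keystore-pass", "old-secret");   // constructed sample values
        String rotated = rotate(stored, "new-secret", "old-secret");
        System.out.println(decode(rotated, "new-secret") + " " + rotated.equals(rotate(rotated, "new-secret", "old-secret")));
    }
}
```

The length comparison is a cheap wrong-secret check, not a MAC; it does not protect the stored value against deliberate tampering.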

...