Status
Current state: "Under Discussion"
Discussion thread:
JIRA:
Motivation
The KIP which established dynamic broker configuration, KIP-226, specified that this configuration data would be stored in ZooKeeper. It also established an encryption mechanism for secrets such as passwords. We would like to have the same level of protection for secret data in the post-ZooKeeper world of KRaft.
Overview
This KIP introduces the concept of a metadata encryptor. Each encryptor is identified by a unique 16-byte UUID.
While a node can have any number of encryptors configured, only one encryptor is active at once. Configuration records that contain secret data (such as passwords) are encrypted using the currently active encryptor.
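The lifecycle sketched above (several encryptors configured on a node, exactly one active, secret config records sealed under the active one, and an older record still readable because it names the encryptor that produced it) as a small Go model. This is an added illustration, not code from the KIP or from Kafka: the KIP fixes only the 16-byte encryptor ID and the single-active-encryptor rule, so the cipher (AES-256-GCM), the record layout, and every type and function name below are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptorID is the 16-byte unique identifier the KIP assigns to each encryptor.
type EncryptorID [16]byte

// Encryptor owns one AEAD key. The KIP does not name a cipher; AES-GCM is an
// assumption of this example.
type Encryptor struct {
	ID   EncryptorID
	aead cipher.AEAD
}

// NewEncryptor builds an encryptor from a 16-, 24- or 32-byte AES key.
func NewEncryptor(id EncryptorID, key []byte) (*Encryptor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{ID: id, aead: aead}, nil
}

// EncryptedConfigRecord is a hypothetical shape for an "encrypted config record":
// it carries the ID of the encryptor that sealed it, so a record written under an
// older encryptor stays readable after a newer one becomes active.
type EncryptedConfigRecord struct {
	Name        string
	EncryptorID EncryptorID
	Nonce       []byte
	Ciphertext  []byte
}

// Registry holds every configured encryptor; at most one is active at a time.
type Registry struct {
	encryptors map[EncryptorID]*Encryptor
	active     *EncryptorID
}

func NewRegistry() *Registry {
	return &Registry{encryptors: map[EncryptorID]*Encryptor{}}
}

// Add models a "create encryptor" record.
func (r *Registry) Add(e *Encryptor) error {
	if _, dup := r.encryptors[e.ID]; dup {
		return fmt.Errorf("encryptor %x already exists", e.ID)
	}
	r.encryptors[e.ID] = e
	return nil
}

// Activate makes id the encryptor used for all newly written secret records.
func (r *Registry) Activate(id EncryptorID) error {
	if _, ok := r.encryptors[id]; !ok {
		return fmt.Errorf("unknown encryptor %x", id)
	}
	r.active = &id
	return nil
}

// Delete models a "delete encryptor" record. The active encryptor is refused:
// another one must be activated and outstanding records re-encrypted first.
func (r *Registry) Delete(id EncryptorID) error {
	if r.active != nil && *r.active == id {
		return errors.New("cannot delete the active encryptor")
	}
	if _, ok := r.encryptors[id]; !ok {
		return fmt.Errorf("unknown encryptor %x", id)
	}
	delete(r.encryptors, id)
	return nil
}

// Encrypt seals a secret value with the active encryptor. The config name is bound
// as associated data so a ciphertext cannot be transplanted onto another config key.
func (r *Registry) Encrypt(name, value string) (EncryptedConfigRecord, error) {
	if r.active == nil {
		return EncryptedConfigRecord{}, errors.New("no active encryptor")
	}
	e := r.encryptors[*r.active]
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedConfigRecord{}, err
	}
	ct := e.aead.Seal(nil, nonce, []byte(value), []byte(name))
	return EncryptedConfigRecord{Name: name, EncryptorID: e.ID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt uses the encryptor named in the record, which need not be the active one.
func (r *Registry) Decrypt(rec EncryptedConfigRecord) (string, error) {
	e, ok := r.encryptors[rec.EncryptorID]
	if !ok {
		return "", fmt.Errorf("record %q needs encryptor %x, which is not configured", rec.Name, rec.EncryptorID)
	}
	pt, err := e.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Name))
	if err != nil {
		return "", fmt.Errorf("record %q failed authentication: %w", rec.Name, err)
	}
	return string(pt), nil
}

// ReEncrypt moves a record onto the active encryptor: the rotation step that has to
// run over every record before the old encryptor can be deleted.
func (r *Registry) ReEncrypt(rec EncryptedConfigRecord) (EncryptedConfigRecord, error) {
	value, err := r.Decrypt(rec)
	if err != nil {
		return EncryptedConfigRecord{}, err
	}
	return r.Encrypt(rec.Name, value)
}

func main() {
	reg := NewRegistry()
	k1, k2 := make([]byte, 32), make([]byte, 32)
	rand.Read(k1)
	rand.Read(k2)
	old, _ := NewEncryptor(EncryptorID{1}, k1)
	reg.Add(old)
	reg.Activate(old.ID)
	rec, _ := reg.Encrypt("ssl.key.password", "constructed-sample-secret") // constructed value
	// Rotation: add a new encryptor, activate it, re-encrypt, then retire the old one.
	newer, _ := NewEncryptor(EncryptorID{2}, k2)
	reg.Add(newer)
	reg.Activate(newer.ID)
	rec, _ = reg.ReEncrypt(rec)
	fmt.Println("delete old:", reg.Delete(old.ID))
	v, err := reg.Decrypt(rec)
	fmt.Printf("sealed under %x -> %q (err=%v)\n", rec.EncryptorID, v, err)
}
```

The two design points worth noting: decryption is keyed off the ID stored in the record rather than off the active encryptor, which is what lets a node switch active encryptors without first rewriting every record; and deleting the active encryptor is refused, because any record still sealed under it would become unreadable.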
Public Interfaces
create encryptor record
delete encryptor record
encrypted config record
default encryptor
(how to add new encryptor)