---
id: password-provider
title: "Password providers"
---

Passwords help secure Apache Druid systems such as the metadata store and the keystore that contains server certificates.

Each of these passwords has a corresponding runtime property. For example, `druid.metadata.storage.connector.password` corresponds to the metadata store password.

By default, users can set passwords directly in plaintext in runtime properties. For example, `druid.metadata.storage.connector.password=pwd` sets the password that Druid uses to connect to the metadata store to `pwd`. Alternatively, users can set passwords as environment variables. Environment variable passwords allow users to avoid exposing passwords in the `runtime.properties` file.

You can set an environment variable password as in the following example:

```json
druid.metadata.storage.connector.password={ "type": "environment", "variable": "METADATA_STORAGE_PASSWORD" }
```

The values are described below.

|Field|Type|Description|Required|
|-----|----|-----------|--------|
|`type`|String|password provider type|Yes: `environment`|
|`variable`|String|environment variable to read password from|Yes|

Another option that provides even greater control is to securely fetch passwords at runtime using a custom extension of the `PasswordProvider` interface that is registered at Druid process startup.

For more information, see [Adding a new Password Provider implementation](../development/modules.md#adding-a-new-password-provider-implementation).

To use this implementation, set the relevant password runtime property in the same way as shown for the environment variable password:

```json
druid.metadata.storage.connector.password={ "type": "", "": "", ... }
```
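
The following audit script is an added example, not part of the Druid project. It scans the text of a `runtime.properties` file and reports which password properties are still plaintext, which use the `environment` provider (and whether the variable is set), and which name another provider type. Assumptions: any property whose name contains "password" is treated as a password property, the sample file is constructed, and `druid.server.https.keyStorePassword` and the variable `KEYSTORE_PASSWORD` are used only as sample values.

```python
import json
import os

# Constructed sample runtime.properties content (not from a real deployment).
SAMPLE = """\
# metadata store and TLS keystore settings
druid.metadata.storage.connector.user=druid
druid.metadata.storage.connector.password=pwd
druid.server.https.keyStorePassword={ "type": "environment", "variable": "KEYSTORE_PASSWORD" }
"""

def classify_password_value(value, env=os.environ):
    """Classify one password property value without ever returning the secret."""
    value = value.strip()
    if not value.startswith("{"):
        return ("plaintext", None)           # literal password in the file
    try:
        spec = json.loads(value)
    except json.JSONDecodeError:
        return ("invalid", "not valid JSON")
    ptype = spec.get("type")
    if not ptype:
        return ("invalid", "missing 'type'")
    if ptype == "environment":
        var = spec.get("variable")
        if not var:
            return ("invalid", "missing 'variable'")
        # An unset or empty variable means the process starts with no password.
        return ("environment" if env.get(var) else "env-unset", var)
    return ("provider", ptype)               # some other registered provider

def audit_properties(text, env=os.environ):
    """Return (line number, key, kind, detail) for every password property."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":      # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        if sep and "password" in key.lower():
            findings.append((lineno, key.strip(), *classify_password_value(value, env)))
    return findings

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE):
        print(finding)
```

Run the check in the same environment that starts the Druid process, since the `env-unset` result depends on the variables visible to that process.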