Use the esp_encrypt executable to encrypt passwords in a cluster node configuration file (<node-name>.xml) for new nodes, or to re-encrypt existing values.
The key password element is optional. While the keystore password locks the entire keystore, the key password only locks a specific key within the store. If the key password is not specified, ESP uses the same password for both elements.