In most kettle transformation and jobs there are passwords used.
password for db connections are masked in the ktr, kjb and kettle.properties
but this is not encryption.
In our organization we have therefor choosen for project property files that are
maintained by system administrators so they can care for security.
(user access, encryption until runtime, no unencrypted persistance etc.)
In this case of project property files I make use of the job and transformation
parameters and also the get and set variables steps and entries. All of values
that are set will be logged. I think there is no option in pdi for blanking or
masking these values(as also password are clear in log when set to variable)