Attributes in the configuration which contain confidential information such as passwords are annotated as "secure" in their definition. This is used to prevent their disclosure through querying operations.
However it may be the case that this information needs to be encrypted even within the configuration store. In this case the key material needed to decrypt the confidential information must be held outside the configuration mechanism (otherwise we are just shifting the problem around).
Deployment environments may have site specific mechanisms my which encryption may occur, so the encryption mechanism must be pluggable and configurable at the broker (and potentially at the virtual host node) level.