Encrypt or hide ES credentials in td-agent configuration file

We have a td-agent configuration file that connects to Elasticsearch with SSL enabled. A user and password are used for a safe connection. But these credentials are in plain text. How can we encrypt or hide these credentials?

<match *>
  @type elasticsearch
  host <host_name>
  port <port_no>

  logstash_format true
  logstash_prefix cmm-acquirer-unikix
  user <user_name>
  password <password_in_plain_text>

  ca_file ./certs/elasticsearch-ca.pem
  ssl_verify true
  scheme https
  ssl_version TLSv1_2
</match>

This sounds like a question better directed at the td-agent community.
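
An added example, not part of the original thread and not the Fluentd project's code: Fluentd evaluates embedded Ruby inside double-quoted values, so `"#{ENV['ES_PASSWORD']}"` reads the password from the environment when the config is parsed instead of storing it in the file. The check below flags sensitive keys that still hold literals; the variable names, sample values and key-name heuristic are assumptions.

```python
import re

# Constructed sample: a <match> block like the one in the question, literal password.
PLAINTEXT_CONF = """\
<match *>
  @type elasticsearch
  user elastic_writer
  password s3cr3t-literal
  scheme https
</match>
"""

# Constructed sample: same block, credentials taken from the environment
# (ES_USER / ES_PASSWORD are assumed variable names).
ENV_CONF = """\
<match *>
  @type elasticsearch
  user "#{ENV['ES_USER']}"
  password "#{ENV['ES_PASSWORD']}"
  scheme https
</match>
"""

# Heuristic (assumption): treat any key whose name contains one of these as sensitive.
SENSITIVE = re.compile(r"password|secret|token", re.IGNORECASE)
# Accept only the plain "#{ENV['NAME']}" form; other embedded Ruby is still flagged.
ENV_REF = re.compile(r'^"#\{ENV\[[\'"][A-Za-z_][A-Za-z0-9_]*[\'"]\]\}"$')

def find_literal_secrets(conf_text):
    """Return (line_number, key) for sensitive keys whose value is a literal.

    The value itself is never returned, so lint output cannot leak the secret.
    """
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and <directive> / </directive> lines.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and SENSITIVE.search(parts[0]) and not ENV_REF.match(parts[1].strip()):
            findings.append((lineno, parts[0]))
    return findings

if __name__ == "__main__":
    for name, conf in (("plaintext", PLAINTEXT_CONF), ("env", ENV_CONF)):
        print(name, find_literal_secrets(conf))
```

This keeps the secret out of the configuration file but does not encrypt it: the value still lives in the td-agent process environment, so whatever file or unit sets that variable needs restrictive permissions.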