diff --git a/CHANGELOG.md b/CHANGELOG.md index bf2c12eb..ad70d71c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,12 @@ All notable changes to this project will be documented in this file. - Document Helm deployed RBAC permissions and remove unnecessary permissions ([#693]). +### Fixed + +- Redact the user-provided PKCS#12 keystore password in operator logs. ([#706]). + [#693]: https://github.com/stackabletech/secret-operator/pull/693 +[#706]: https://github.com/stackabletech/secret-operator/pull/706 ## [26.3.0] - 2026-03-16 diff --git a/rust/operator-binary/src/format/convert.rs b/rust/operator-binary/src/format/convert.rs index a7d837e6..37f65757 100644 --- a/rust/operator-binary/src/format/convert.rs +++ b/rust/operator-binary/src/format/convert.rs @@ -22,7 +22,7 @@ pub fn convert( (WellKnownSecretData::TlsPem(pem), SecretFormat::TlsPkcs12) => { Ok(WellKnownSecretData::TlsPkcs12(convert_tls_to_pkcs12( pem, - compat.tls_pkcs12_password.as_deref().unwrap_or_default(), + &compat.tls_pkcs12_password.unwrap_or_default(), )?)) } diff --git a/rust/operator-binary/src/format/well_known.rs b/rust/operator-binary/src/format/well_known.rs index 495b0ea9..4a9da944 100644 --- a/rust/operator-binary/src/format/well_known.rs +++ b/rust/operator-binary/src/format/well_known.rs @@ -4,7 +4,10 @@ use stackable_operator::schemars::{self, JsonSchema}; use strum::EnumDiscriminants; use super::{ConvertError, SecretFiles, convert}; -use crate::{backend::ProvisionParts, utils::ResultExt}; +use crate::{ + backend::ProvisionParts, + utils::{ResultExt, Unloggable}, +}; const FILE_PEM_CERT_CERT: &str = "tls.crt"; const FILE_PEM_CERT_KEY: &str = "tls.key"; @@ -168,7 +171,7 @@ pub struct CompatibilityOptions { rename = "secrets.stackable.tech/format.compatibility.tls-pkcs12.password", default )] - pub tls_pkcs12_password: Option, + pub tls_pkcs12_password: Option>, } /// Options to customize the well-known format file names. 
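Review bot: The redaction ends on the `+` line: `&compat.tls_pkcs12_password.unwrap_or_default()` deref-coerces the `Unloggable` away and hands `convert_tls_to_pkcs12` a plain `&str`, so any error or trace emitted inside that function (the `?` on the following line) would carry the password again unless its error variants are known not to embed the argument — worth confirming, since that is the leak this change is meant to close. The new line also moves the field out of `compat`, where the removed line only borrowed it; assuming `Unloggable<T>` derefs to `T`, `compat.tls_pkcs12_password.as_deref().map(String::as_str).unwrap_or_default()` keeps the borrow and would not require the new `Default` impl at all. A short comment at the call site, `// the password leaves its Unloggable wrapper here; keep it out of error context`, would make the boundary visible to the next editor. The enclosing `convert` function starts and ends outside this hunk.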
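Review bot: The `+ pub tls_pkcs12_password` field gets the wrapper but no doc comment saying what the wrapper does and does not protect, which is the kind of thing a future maintainer adding `Serialize` or a `Display` impl would need to know. The `rename` above it appears to be a pod-annotation key, and annotation values are visible to anyone who can read the pod and are recorded by API-server audit logging, so redacting operator logs is necessary but not a confidentiality guarantee for this value. I would add `/// Password for the generated PKCS#12 keystore. Wrapped in [`Unloggable`] so it is redacted from `Debug` output only; the value still travels as a plain annotation, readable by anyone with pod read access.` The `CompatibilityOptions` struct header and the exact type parameters are outside this hunk, so the inner type is inferred from its use in `convert.rs`.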
diff --git a/rust/operator-binary/src/utils.rs b/rust/operator-binary/src/utils.rs index 9821d364..637377be 100644 --- a/rust/operator-binary/src/utils.rs +++ b/rust/operator-binary/src/utils.rs @@ -181,6 +181,15 @@ pub fn asn1time_to_offsetdatetime(asn: &Asn1TimeRef) -> Result(pub T); +impl Default for Unloggable +where + T: Default, +{ + fn default() -> Self { + Self(T::default()) + } +} + impl Debug for Unloggable { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { f.write_str("") @@ -201,6 +210,12 @@ impl DerefMut for Unloggable { } } +impl<'de, T: serde::Deserialize<'de>> serde::Deserialize<'de> for Unloggable { + fn deserialize>(deserializer: D) -> Result { + T::deserialize(deserializer).map(Unloggable) + } +} + /// Wrapper type for [`Iterator::collect`] that flattens the incoming [`Iterator`]. /// /// This isn't super useful for "regular" collects (just call [`Iterator::flatten`]!),
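Review bot: The new `impl Default for Unloggable` has no doc comment, and a redaction wrapper having a `Default` is non-obvious enough that the reason belongs next to it; `/// Delegates to `T::default()`; present so call sites can use `Option<Unloggable<T>>::unwrap_or_default()`.` would do. As a point of style, `#[derive(Default)]` on the tuple struct generates exactly this impl with the same `T: Default` bound, but the struct declaration sits outside this hunk, so the manual impl is acceptable if that line is not being touched. Note that a defaulted wrapper is indistinguishable in `Debug` output from a populated one, which is presumably intended but means logs can no longer tell whether a password was supplied at all.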
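Review bot: The new `serde::Deserialize` impl is a transparent pass-through to `T::deserialize`, which is correct, but it should document that the matching `Serialize` is deliberately absent so the wrapped value cannot be round-tripped back out into output; otherwise someone will add it symmetrically. One caveat worth recording in the same comment: serde's type-mismatch errors echo the offending value (e.g. `invalid type: integer 5, expected a string`), so if this wrapper is ever deserialized from a source that can yield non-string values, a failed parse of a secret field would print it — annotation values are always strings, so this is likely moot today. Suggested comment above the impl: `/// Transparent deserialization; `Serialize` is intentionally not implemented so the secret cannot be re-emitted.` `#[derive(Deserialize)]` with `#[serde(transparent)]` on the struct would replace the manual impl, but the struct definition is outside this hunk.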