diff --git a/CHANGELOG.md b/CHANGELOG.md index fabbf13c..8a7b0fef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file. - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept. - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation. - Use `--console-log-format` (or `CONSOLE_LOG_FORMAT`) to set the format to `plain` (default) or `json`. +- The operator now defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite` to improve security and performance ([#693]). ### Changed @@ -46,6 +47,7 @@ All notable changes to this project will be documented in this file. [#677]: https://github.com/stackabletech/hdfs-operator/pull/677 [#683]: https://github.com/stackabletech/hdfs-operator/pull/683 [#684]: https://github.com/stackabletech/hdfs-operator/pull/684 +[#693]: https://github.com/stackabletech/hdfs-operator/pull/693 ## [25.3.0] - 2025-03-21 diff --git a/docs/modules/hdfs/pages/usage-guide/security.adoc b/docs/modules/hdfs/pages/usage-guide/security.adoc index c4fba6c9..e9c3aa56 100644 --- a/docs/modules/hdfs/pages/usage-guide/security.adoc +++ b/docs/modules/hdfs/pages/usage-guide/security.adoc @@ -33,6 +33,7 @@ The `kerberos.secretClass` is used to give HDFS the possibility to request keyta The `tlsSecretClass` is needed to request TLS certificates, used e.g. for the Web UIs. +NOTE: The hdfs-operator defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite`. This can be changed using config overrides. === 4. Verify that Kerberos authentication is required Use `stackablectl stacklet list` to get the endpoints where the HDFS namenodes are reachable. diff --git a/rust/operator-binary/src/security/kerberos.rs b/rust/operator-binary/src/security/kerberos.rs index c960d913..0b03280a 100644 --- a/rust/operator-binary/src/security/kerberos.rs 
+++ b/rust/operator-binary/src/security/kerberos.rs @@ -52,6 +52,10 @@ impl HdfsSiteConfigBuilder { fn add_wire_encryption_settings(&mut self) -> &mut Self { self.add("dfs.data.transfer.protection", "privacy"); self.add("dfs.encrypt.data.transfer", "true"); + self.add( + "dfs.encrypt.data.transfer.cipher.suite", + "AES/CTR/NoPadding", + ); self } }
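Review bot: the new `CHANGELOG.md` bullet is inserted among the `- Use ...` entries that introduce new flags, but it describes a changed default rather than a new option, so it belongs under the `### Changed` heading that follows a few lines later; the `[#693]` link line is fine where it is.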
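Review bot: the `security.adoc` NOTE says the default "can be changed using config overrides" but not which file the key lives in; since the builder in `kerberos.rs` is `HdfsSiteConfigBuilder`, say explicitly that `dfs.encrypt.data.transfer.cipher.suite` is an hdfs-site.xml property so readers know which override section to use.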
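Review bot: please verify the property name passed in the new `self.add(...)` call in `add_wire_encryption_settings` against Hadoop's hdfs-default.xml before merging. The key I know of is the plural `dfs.encrypt.data.transfer.cipher.suites`, and Hadoop's configuration loader does not reject unknown keys, so a singular spelling would be silently ignored and data transfer would keep using whatever `dfs.encrypt.data.transfer.algorithm` selects, while the changelog entry and the `security.adoc` NOTE in this same patch both announce AES/CTR. The same string appears in all three hunks, so any correction needs to touch all three files; a test that renders hdfs-site.xml for a Kerberos-enabled cluster and asserts the expected key is present would catch this class of mistake.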