You need the password that encrypted the package to decrypt any sensitive data, without it the password to any sql connection as well as any other sensitive data is garbage. Should not be using SA and should not be using SQL server accounts for SSIS packages. Change to windows authentication so it can run under the service account or a proxy to control access.

And of course it works fine when running from BIDS since the password is provided, but once the package is saved the password is removed if it's not encrypted. If you set DoNotEncryptSensitive data I believe it will not save passwords since that's considered sensitive data. It doesn't mean than it's going to leave it in clear text, it means it's not going to save it, hence use Windows authenticate.

If you have to use sql server login then you can encrypt with user credential of the user account that will execute the job (i.e. sql agent job service account) then when it runs under that account in the job it's the same user so it will decrypt the passwords correctly.

Edit:

Just wanted to add that the last part about logging in as a service account to encrypt the package under that user credential so it will run in a job is not recommended. It's just a way to do it if you want to use the sql server logins and you're not given the password that encrypted the package if the package is encrypted with a password.