I agree with most posters here.

The recommended solution should be to use integrated security and do not encrypt the command line.

The encrypted command line means the "good guys" cannot tell what is going on and have difficulty maintaining the system.