The best 'workround' I can think of would be to create a command file that passes the passwords at execution time, instead of storing them in a configuration file.
This would allow you to encrypt the command file, while leaving the rest of the install media unencrypted and without any sensitive information.
It should be possible for the owner of the encrypted command file to run the command within it, without non-authorised people able to see its contents.
Once the passwords have been passed to the SQL install process they are held in memory, and any time a password needs to be printed it is shown as a fixed number of *.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara