Simple answer is that we don't: We leave our package unencrypted because there is nothing earth shakingly proprietary about it and clients own the data do there's nothing to hide. If we did have to deal with encrypted packages I'd probably smash my head against my desk. Actually considering dumping SSIS got this because our Oracle equivalent is just a bunch of procs and its easier to install and use and its quicker too!