How can I store an encrypted “sa” Logon password  as part of the SQL Server 2014 installation command script? I’d like to store the encrypted password rather than store the plain text password.

The problem of not being able to store an encrypted "sa" password in the SQL Server installation scripts is a technical and auditing requirement. Most companies maintain a SQL Server security policy which includes information about storing passwords.

The comments below refer to :

SQL Server 2005 Installation

SQL Server 2008 Installation

SQL Server 2012 Installation

SQL Serer 2014 Installation

The SQL Server DBA maintains SQL Server Instance build scripts. As part of those scripts  special admin logons, "sa" passwords and service account logons are included as part of the code.

An example of a SQL Server 2008 Installation:

E:\SQL_2008_ENT_R1\Setup.exe /INDICATEPROGRESS /SQLSVCPASSWORD="hsjas667" /AGTSVCPASSWORD="ppipoi89" /ISSVCPASSWORD="tttt7vgjki" /SAPWD="mySApasw1rds" /ConfigurationFile=ConfigurationFile.INI

Attempting to place an encrypted password , and hoping it will work , when attempting to logon as "sa" post-installation  will not work.

To get around limitation requires some scripting capability. The idea is to  execute the  installation command from another scripting environment and force a prompt. At the prompt retrieve the password either programmatically or manually from the password vault.

This could be achieved either through Powershell scripts or a batch file. If anyone has a similar problem and has developed a solution , let me know. As well as being a technical issue , there are also audit requirements to maintain passwords in safe locations.  

Read More on sa password, weak passwords, sql audits

Forgotten sa password - SQL Server DBA

Find Weak passwords in SQL Server - SQL Server DBA

Powershell sql server security audit - SQL Server DBA