Not sure if I'm doing this correctly, but in reference to this thread:
http://www.liferay.com/community/forums/-/message_boards/view_message/12080537#_19_message_12080076

Either something in Liferay that officially supports storing the DB password encrypted in the portal-ext.properties file, or at least a callout that would allow me to decrypt the value and send it back during startup.

We have client requirements that absolutely will never allow plaintxt passwords stored on disk no matter what the file permissions are.
Thanks for your consideration.

Hi Kevin,

We've considered adding this in the past, but we ended up concluding that when this type of security is needed, you should use a DataSource and most app servers already have support for encryption of passwords. If we implemented it for portal.properties it would be yet another key to keep and distribute.

Makes sense?

I agree with Jorge on this. Just use datasource to define database connection informaiton and encrypt password there.

JBoss:
https://community.jboss.org/wiki/JBossAS7SecuringPasswords

Tomcat:
http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-def

Great, I will take a look at that information. It's a feature I wasn't aware of.
Thank you both for the explanation on this.