Automatically use the DPAPI to encrypt the passwords stored in the HKCU. This seems reasonable because the HKCU is bound to a given user.
When Exporting a configuration, use the current simple encryption.
When Importing a configuration, assume the current simple encryption.
The advantage would be that scripts running as the current user would not need to specify passwords and the passwords in the HKCU would be secure.