
Make blenc actually encrypt and not just encode


BSA's configuration files and data (blasadmin) contain passwords (database, keystore, etc.) that are simply being encoded by blenc into a string that can't be read without being decoded first. That said, anyone with access to the blenc command (namely, anyone with a BSA environment or a BSA console installed) can decode the string back into clear text without the need to know any passphrase.


This is extremely insecure, yet nobody seems to mind. Password type properties are also using blenc to encode the passwords, so they are not even encrypted. The hidden password input fields you get when filling in the value for a password type property are actually an illusion. All they do is encode the password using blenc, and later, if you need to use it inside a script, you need to use blenc -d to decode it. But then again, anyone with access to the command can do it without having to know any secret passphrase, because it's not encrypted, it's just encoded.


I suggest that all passwords stored by BSA should be actually encrypted and not simply encoded.
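The contrast the post draws, as an added illustration that is not part of the original idea post and not BMC's code: base64 stands in for the undocumented blenc transform (an assumption; blenc's real algorithm is not known from the post), and AES-GCM under a key the tool does not carry is the keyed alternative the post asks for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// EncodeOnly/DecodeOnly stand in for the post's description of blenc: reversible with
// no secret, so anyone who can run the decoder recovers the clear text (constructed stand-in).
func EncodeOnly(pw string) string { return base64.StdEncoding.EncodeToString([]byte(pw)) }
func DecodeOnly(enc string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(enc)
	return string(b), err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals pw with AES-GCM; output is base64(nonce || ciphertext || tag).
func Encrypt(key []byte, pw string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(pw), nil)), nil
}

// Decrypt fails, rather than returning garbage, on a wrong key or an altered value.
func Decrypt(key []byte, enc string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	return string(pt), err // non-nil err for a wrong key: the tool alone is not enough
}
```

With keyed encryption the stored string still has to be decoded by a tool, but the tool must also be given the key, which can then be guarded separately (file permissions, an OS keystore, or an HSM) instead of being implicit in the program itself.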

