I have an encrypted data file which stores credentials for an environment - these credentials are used as part of an automated scripted deployment solution. Basically a process runs a number of scripts/installers to configure a Windows environment; if one of these scripts/applications needs a password, a 'middle-man' application is called with an 'action' parameter, which will then call the target application directly and pass in the decrypted username/password pairs.
The idea behind this is that the 'middle-man' application will be the only tool capable of decrypting the password and will then only be able to run a defined set of commands using these passwords. By defining the exact commands that can be run and passing a secure parameter, I can ensure no passwords are logged and that the "middle-man" application cannot be used in an improper way...
Hopefully that makes sense... The question here is: is there a better way of doing this? It seems like a very over-engineered solution which requires rewrites of the "middle-man" application every time a new action that requires a password is needed in the installation process.
Any ideas appreciated.
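As an added illustration of the broker design the post describes (example code, not the asker's own application): an allowed-action table maps each action name to one credential and one argv template, so new actions are table entries rather than code changes, and the password is handed to the target tool through an environment variable instead of argv, where process listings and installer logs would capture it. The credential values, tool names and their password environment variables are constructed assumptions.

```python
import os
import subprocess
from typing import Dict, List, Tuple

# Constructed stand-in for the contents of the decrypted credential file.
# In the real setup these pairs come from the encrypted store; here they are
# embedded so the example runs offline.
CREDENTIALS: Dict[str, Tuple[str, str]] = {
    "sql_admin": ("svc_sql", "S3cret-Example-Only"),
    "domain_join": ("svc_join", "An0ther-Example-Only"),
}

# The allowed-action table. Each entry names which credential the action may
# use, the argv template (only the username may be substituted) and the
# environment variable the target tool reads its password from. The password
# is deliberately never placed in argv. Tool names are hypothetical.
ACTIONS: Dict[str, dict] = {
    "create-db": {"credential": "sql_admin",
                  "argv": ["sqlcmd", "-S", "db01", "-U", "{user}", "-i", "create.sql"],
                  "password_env": "SQLCMDPASSWORD"},
    "join-domain": {"credential": "domain_join",
                    "argv": ["join-tool", "--user", "{user}", "--domain", "corp.example"],
                    "password_env": "JOIN_TOOL_PASSWORD"},
}


class ActionNotAllowed(Exception):
    """Raised when a caller asks for an action outside the allowed table."""


def build_invocation(action: str) -> Tuple[List[str], Dict[str, str]]:
    """Resolve an action name to (argv, secret_env) without running anything."""
    spec = ACTIONS.get(action)
    if spec is None:
        raise ActionNotAllowed(action)
    user, password = CREDENTIALS[spec["credential"]]
    argv = [part.format(user=user) for part in spec["argv"]]
    return argv, {spec["password_env"]: password}


def log_line(action: str, argv: List[str]) -> str:
    """What the broker may log: the action and argv, never the secret env."""
    return f"action={action} argv={' '.join(argv)}"


def run_action(action: str) -> int:
    """Execute an allowed action, passing the password via the environment only."""
    argv, secret_env = build_invocation(action)
    return subprocess.run(argv, env={**os.environ, **secret_env}, check=False).returncode
```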