CXF 3.0.0 supports using encrypted passwords in Crypto properties files. The CallbackHandler must supply the password used to decrypt the encrypted password in this scenario. See here for more information:
http://ws.apache.org/wss4j/newfeatures20.html
http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-iv.html
Colm.