Carl, as I mentioned before, iControl works just like the BIG-IP GUI. It supplies it's credentials with the WWW-Authenticated header over an SSL connection. On the client side, you have full control of how you want to manage your credentials. You can store them in plain text in the script, you could encrypt/decrypt them from somewhere on disk (although the caller of the script would need to have the key to decrypt them - or the script would), or you could use a 3rd party service to authenticate the user and then return the BIG-IP creds to your script. But ultimately the will have to be in some form of clear text before passing them on the BIG-IP.
For PowerShell, I created an alternate parameter in the Initialize-F5.iControl that takes as input a PSCredentials object which can have a secure password. That may be of some use if you have a way to serialize that object securely in your system.
Hope this helps...
Nimbostratus