Simply use the API to make a program which configures your router. You can encrypt them in your own software, and use API commands to configure the router as you please.
We have no plan to make encrypted scripts.
Could you explain that a little more?
Copy&paste example using my PHP client (simply adjust desired export filename, encryption password, and router credentials at the top):
<?php
use PEAR2\Net\RouterOS;
require_once 'PEAR2_Net_RouterOS-1.0.0b4.phar';
$filename = 'allsomeoneeleseshardwork';
$encryptionPassword = 'encryption password';
$util = new RouterOS\Util($client = new RouterOS\Client('192.168.0.1', 'admin', 'password'));
//Export the configuration
$exportRequest = new RouterOS\Request('/export');
$exportRequest->setArgument('file', $filename);
$client($exportRequest);
//Wait for the file to become readable
sleep(2);
//Get the file's contents
$fileContents = $util->getFileContents($filename . '.rsc');
//Remove the original unencrypted file
$util->changeMenu('/file');
$util->remove($filename . '.rsc');
//Encrypt the previously fetched content using OpenSSL
$encryptedFileContents = openssl_encrypt($fileContents, 'AES256', $encryptionPassword);
//Save the file on the web server, in the PHP file's folder
file_put_contents($filename . '.rsc.encrypted', $encryptedFileContents);
And to get a decrypted file out of the encrypted one:
<?php
$filename = 'allsomeoneeleseshardwork';
$encryptionPassword = 'encryption password';
file_put_contents($filename . '.rsc', openssl_decrypt(file_get_contents($filename . '.rsc.encrypted'), 'AES256', $encryptionPassword));
If PHP is nor your cup of tea, there are always other API clients, but the main takeaway is to have a separate device that will fetch the file, do the encryption, and perhaps keep the encrypted copy, while removing the unencrypted one (OR store the encrypted file on the router... though that's kind'a pointless when you have no way to import it back in).
Personally, I believe that if you're in any need of encryption, you should use something like TrueCrypt to create and use an entire encrypted storage (be it in "image file" or an actual encrypted HDD partition/drive), and just place your encrypted files in there. It's more convenient, less error prone than encrypting/decrypting individual files (which is what the above code does), and in a sense, it's more secure too.
BTW, in the above approach, there's a small window (just a little over 2 seconds) in which someone with "read,ftp" access to the router may theoretically create a copy of the file, and THAT copy will be unencrypted. It's unlikely in practice, but if you absolutely don't trust anyone with such permissions on the router, you may want to also adjust the API script to forbid logins from all such usernames (by disabling the users in the "/user" menu) until you've removed the file, and re-enable them afterwards.