Thanks for the clarification, and yes, you're not the only one; I stand corrected on that. I know that even CPanel stores the root password in a file above the public_html in the same format, and this too I don't like. I guess you are correct in that there is no way of getting around it. In many ways and with many applications on the market it may not be the best thing, but "it is what it is" in today's way of doing things. I will never think it's OK, but I'll have to live with how things are done just like everyone else, I guess.
Regarding the message in the config process on the answer file.
Instead of just "This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster."
How about something like
"This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster. (red text) Providing this feature means that sensitive data must be stored in this file. (end red text) It is important that if you wish to save this file that you do so in a security conscious way. The safest way is to save the file offline in a secured environment. However if you choose to save it on the server just be sure to apply the same 600 permission to the file and/or folder itself as root:root in order to provide proper security for the data. Also we recommend that you remove all the answer files (kalt.ans) from the /tmp directory."
How's that? And also add something like this to the install docs as well...
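
The checks the suggested wording asks for (mode 600, owned by root, no answer files left in /tmp), as an added shell example that is not part of the original post or the project's own code. It assumes answer files end in `.ans` (as in `kalt.ans`); the function names are hypothetical, and refusing symlinks is an extra precaution the post does not mention.

```shell
#!/bin/sh
# Added example: audit answer files that contain sensitive data.
# Assumptions: files are named *.ans; expected owner defaults to root.

# check_answer_file FILE [OWNER]
# Returns 0 only if FILE is a regular file (not a symlink), its mode is
# exactly 600, and it is owned by OWNER (user name or numeric uid).
# Returns 2 if FILE is missing or is a symlink, 1 if mode/owner are wrong.
check_answer_file() {
    file=$1
    owner=${2:-root}
    # Keep find from parsing a leading "-" in the name as an option.
    case $file in -*) file=./$file ;; esac
    # Extra precaution (assumption): a symlink could point the check
    # at a different file than the one that actually holds the data.
    [ -f "$file" ] && [ ! -L "$file" ] || return 2
    # -perm 600 is an exact match: any group/other bit makes it fail.
    match=$(find "$file" -prune -type f -perm 600 -user "$owner" -print)
    [ -n "$match" ]
}

# list_stray_answer_files DIR
# Prints every regular *.ans file under DIR, e.g. leftovers in /tmp.
list_stray_answer_files() {
    find "$1" -type f -name '*.ans' -print 2>/dev/null
}

# audit_answer_files DIR [OWNER]
# Reports each answer file under DIR; returns 1 if any file is not 600/OWNER.
audit_answer_files() {
    status=0
    for f in $(list_stray_answer_files "$1"); do
        if check_answer_file "$f" "${2:-root}"; then
            echo "ok       $f"
        else
            echo "INSECURE $f"
            status=1
        fi
    done
    return $status
}
```

Running `audit_answer_files /tmp` lists any answer files the installer left behind and flags those readable by anyone other than root.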