
Does MsBuild SonarQube Runner support encryption?


I see on the page Settings Encryption a section about the MSBuild.SonarQube.Runner configuration file. But the documented portion has a format which doesn't match the example SonarQube.Analysis.xml file.

However, I have tried putting these properties in the SonarQube.Analysis.xml file, in a format corresponding to the current one. Long story made short, the msbuild.sonarqube.runner puts the {aes}encrypted password in the Basic authorization field of the HttpRequest sent to SonarQube.

I guess that the client should unencrypt the password before putting it in the Authentication header. Otherwise, the SonarQube server won't allow the user to query the properties URI (something like /api/properties?resource=projectKey).


Solution

  • You're right, I've fixed the documentation to reflect the effective format of the SonarQube Scanner for MSBuild.

    Regarding the encryption of the sonar.password property, this is currently not supported by the MSBuild Scanner: it does not (yet?) know about the encryption logic, and therefore sees the raw encrypted value only. However, some other properties can be encrypted: the ones that are read during the end step of the SonarQube Scanner for MSBuild, which is under the hood launching the sonar-runner.

    I've created the following ticket to keep track of this limitation: https://jira.sonarsource.com/browse/SONARMSBRU-192
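
The behaviour discussed in this thread can be checked before a build runs. The following is an added example, not part of the original question or answer and not SonarSource code: it audits a SonarQube.Analysis.xml for `{aes}` values and shows what password a server would decode from the resulting Basic header. The `<Property Name="...">` layout, the `example.end.step.secret` name and all values are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "{aes}"
# The property the answer says the MSBuild scanner does not decrypt.
UNDECRYPTED_BY_SCANNER = {"sonar.password"}

# Constructed sample; example.end.step.secret and every value are placeholders.
SAMPLE = """<SonarQubeAnalysisProperties>
  <Property Name="sonar.host.url">http://localhost:9000</Property>
  <Property Name="sonar.login">ci-user</Property>
  <Property Name="sonar.password">{aes}Q09OU1RSVUNURUQ=</Property>
  <Property Name="example.end.step.secret">{aes}UExBQ0VIT0xERVI=</Property>
</SonarQubeAnalysisProperties>"""

def read_properties(xml_text):
    """Return {name: value} for each <Property Name="...">, ignoring any namespace."""
    props = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "Property" and "Name" in elem.attrib:
            props[elem.attrib["Name"]] = (elem.text or "").strip()
    return props

def basic_auth_header(login, password):
    """Build an HTTP Basic Authorization value (RFC 7617) from the raw strings."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def audit(xml_text):
    """List {aes} properties and whether the scanner would send them undecrypted."""
    findings = []
    for name, value in read_properties(xml_text).items():
        if value.startswith(ENCRYPTED_PREFIX):
            raw = name in UNDECRYPTED_BY_SCANNER
            findings.append((name, "sent undecrypted in Basic auth" if raw
                             else "not used for scanner authentication"))
    return findings

def password_seen_by_server(xml_text):
    """Decode the header as a server would and return the password it receives."""
    props = read_properties(xml_text)
    header = basic_auth_header(props.get("sonar.login", ""), props.get("sonar.password", ""))
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    return decoded.split(":", 1)[1]

if __name__ == "__main__":
    for prop_name, status in audit(SAMPLE):
        print(f"{prop_name}: {status}")
    print("server receives password:", password_seen_by_server(SAMPLE))
```

A finding on `sonar.password` means authentication against the properties endpoint will fail until the value is supplied in a form the scanner can use.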