You can create an XML upgrade status file and run the Content Engine Upgrader. The Upgrader does not encrypt the passwords or any other sensitive data. If your site requires compliance with FIPS-140, then use Content Engine Web Upgrade Tool (which does not store passwords).
The command-line Content Engine Upgrader gathers data from the Content Engine version 3.5 Global Configuration Data (GCD). It then creates an XML upgrade status file that represents the items that can be upgraded.
The XML file contains placeholders, which you must manually edit, for system settings that cannot be derived from the GCD, such as authentication settings. Each placeholder is indicated by the character string ###.
To run the command-line Content Engine Upgrader: