As it happens I have been working on a similar problem myself recently.

The approaches I considered where to pass the password as and environment variable, or to pipe it to the child process on it's stdin.

Both are a bit more secure than a plain argument on the command line, but neither is that secure. For example on linux you can read the environment variables of any process by reading /proc/<pid>environ (Try: hexdump /proc/$$/environ -C to read the environment of your shell). Data piped thru stdin on the child is probably a bit more secure, as it is transient, but I dare say there would be a way for an attacker to read it.

The bottom line is that if an attacker already has root on the destination box, and is prepared to put some time into it, he can subvert any security scheme you can come up with, so what you need to do is come up with a threat model and work out what kind of attacker you need to defend against. How clever are they? What privileges do they have on the box?

I would use an existing “secure tunneling” protocol, such as VPN or SSH, both using digital certificates, not passwords, as the foundation of my system.   Establish a secure channel of communication between the two systems using existing technologies, and use it for the entire interaction.

A “hacker” would have to gain possession of both the digital certificate and the password used to encrypt it.   (And, if you like, the IP-address embedded therein, depending on exactly what technology you use.)   Not gonna happen, presumably.   And if it somehow did, you simply invalidate that cert and issue another one.   (None of this costs money.)   Both sides know not only that their communications are secure, but that they are talking to the intended party.