the parameter 'password', requires the password for 'username', used to connect to the restman interface. OOTB, the the Identity store that is used for authentication/authorization is the 'Internal Identity Provider. So, said password, must reside in there, and based on the access that user has, will be able to do the same, with GMU/Restman.
Also keep in mind that 'password' should be 'encoded' via the GMU command 'encodePassword'.
encodePassword command - CA API Gateway - 9.2 - CA Technologies Documentation
You can bypass the encode requirement via using the plaintextPassword argument instead, but isn't as secure for obvious reasons.
'encryptionPasshrase' is the argument used to help 'encrypt' items such as passwords/privateKeys in the bundle upon export. Keep in mind that this exact encryptionPassphrase must be passed in as an argument upon 'migrateIn', so that it can do the necessary decryption before applying the bundle.
This helps ensure that while your bundle is at rest, your passwords and Private keys aren't usable.
hope this helps,
Doyle