You can make a password-encrypted keyfile
with MyEtherWallet online, or offline with geth
https://geth.ethereum.org/docs/interface/managing-your-accountsFor example, you'll get this kind of printable JSON-encoded plaintext keyfile:
{
"version": 3,
"id": "4fa372ab-2035-4ede-a302-df4c270a105b",
"address": "fe5bcdeec9b48b63b43d58af8aa78adaad32975e",
"crypto": {
"ciphertext": "9dd28202137a2314ed1ac03569bf285eba31d7f608fb4c8c06fd33bf1b309a01",
"cipherparams": {
"iv": "7c2c4b08137b470b0e4ccc11721b2cf7"
},
"cipher": "aes-128-ctr",
"kdf": "scrypt",
"kdfparams": {
"dklen": 32,
"salt": "de8c8ee7aafceb79682c4ead2128885541c2f903ef048a3ee095770bb2cd6bb8",
"n": 131072,
"r": 8,
"p": 1
},
"mac": "9443d46fba7f19a2af2cfcd11068d0457a5636ec92468328fe4e93ed0f084116"
}
}
That is a pretty future-proof way to do it. Be sure to do a test run to make sure you can actually decrypt it afterwards!
As an aside, I wonder if there is a way to encrypt a cold wallet with multiple layers of passwords, such that you can be alerted if the first layer is broken and used on a special delayed release contract, giving you a chance to recapture the coins within a certain time period with a backup account...