With OpenSSL, there are two ways in bash to use an environment variable as a password: pass:"${var}" and env:var.
I am wondering which method provides the most security, as the man page makes it seem like ps can read the password when passed as pass:"${var}", and that it might also be possible with env:var.
Relevant section of the OpenSSL man page:
Pass Phrase Arguments
Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.
pass:password
the actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.
env:var
obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.
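
The exposure difference described in the quoted man page section, as an added example that is not part of the original post. It assumes Linux with /proc mounted; SECRET is a constructed value, OPENSSL_PW is a hypothetical variable name, and a stand-in process is used in place of openssl so the script runs without it.

```sh
#!/bin/sh
# SECRET is a constructed value; OPENSSL_PW is a hypothetical variable name.
SECRET='constructed-demo-passphrase'

# Stand-in for `openssl ... -pass pass:"${var}"`: the shell expands the
# variable, so the passphrase itself becomes one of the process arguments.
start_pass_style() {
    sh -c 'sleep 15; :' stand-in -pass "pass:${SECRET}" </dev/null >/dev/null 2>&1 &
    PASS_PID=$!
}

# Stand-in for `openssl ... -pass env:OPENSSL_PW`: argv carries only the
# variable name; the value lives in the process environment.
start_env_style() {
    OPENSSL_PW="$SECRET" sh -c 'sleep 15; :' stand-in -pass env:OPENSSL_PW \
        </dev/null >/dev/null 2>&1 &
    ENV_PID=$!
}

# argv is what ps prints; it is exposed through /proc/<pid>/cmdline.
secret_in_cmdline() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline" | grep -qF -- "$SECRET"
}

# The environment is exposed through /proc/<pid>/environ, which Linux
# restricts to the process owner (and root).
secret_in_environ() {
    tr '\0' '\n' 2>/dev/null < "/proc/$1/environ" | grep -qF -- "OPENSSL_PW=$SECRET"
}

report() {  # $1 = label, $2 = pid
    printf '%s: argv=%s environ=%s (cmdline mode %s, environ mode %s)\n' "$1" \
        "$(secret_in_cmdline "$2" && echo EXPOSED || echo clean)" \
        "$(secret_in_environ "$2" && echo EXPOSED || echo clean)" \
        "$(stat -c %a "/proc/$2/cmdline" 2>/dev/null)" \
        "$(stat -c %a "/proc/$2/environ" 2>/dev/null)"
}

start_pass_style
start_env_style
trap 'kill "$PASS_PID" "$ENV_PID" 2>/dev/null || :' EXIT
sleep 1   # give both children time to exec before inspecting them
report 'pass:"${var}"' "$PASS_PID"
report 'env:var' "$ENV_PID"
```

If var is itself exported in the calling shell, the pass:"${var}" form leaves the value in both the argument list and the child's inherited environment.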