I have a backup script I wrote that mounts a cifs share, creates an encrypted zip file, moves that file to the cifs share, and unmounts it. I have my windows password as well as my 7zip password in the script. Currently I have root's cron job running it every night at midnight and the script itself is stored in /root. I would like to not hardcode these passwords but I don't really see a way around it. Are there best practices for this type of situation? Thank you.

If the script is only ever accessed by the root user, one way is to make sure the script is owned by root, and set permissions so that only root can open the file;
That will give root user access for read/write/execute (but no other user can access or execute the file).

You could also use a keyring application (eg; gnome-keyring) to retrieve the password, but this still requires a secondary password to unlock the keyring, which may not be suitable for an automated cron job.

I would say changing the permissions (chmod 700 / chown root:root) would be suffice for a script running as a cron job.

I'm not sure if 7zip can do this, but you can use a key file with most encryption. That still isn't ideal, because someone could steal the key file.

I wouldn't rely on any of the encryption provided by 7zip. In fact, I'd avoid symmetric encryption if you can do so and use asymmetric incryption instead so that you won't need a passphrase to do the actual encryption.

If you're asking about best practice, then OpenPGP is the way to go so the data can be both encrypted and signed, but at least encrypted. You probably already have GNUpg 2 installed and available, it uses OpenPGP. If your system is a desktop, then it is also quite likely that you have an OpenPGP agent up and running.

That way you can use asymmetric encryption for automatic encryption without having to worry about your passphrase getting stolen. For decryption, you'd need the corresponding private key and its passphrase but those can be kept separately, perhaps even on a separate machine.

Here's how it'd be done for key 474EA2F4F9BBB0CA3705AEDD965A4FB116B21B9 using gpg2 which uses OpenPGP:

That would give you the encrypted file file.gpg while leaving the original clear text unchanged. The original would have to be deleted manually, same for any residue left in the file system if that is important. Or you could have gpg2 read from stdin and pipe in the output directly from 7zip instead. Here's how it'd be done with the regular tools, I'll leave 7zip up to you.

See "man gpg2" and "man gpg-agent"

In certain situations it makes sense to store the passwords in a sepearate file that is extra secured.
Then the script can do
Each read reads one line into a variable.