After discussing with Guillaume, as the LoginModule is loaded by the JRE, it's not easy to "inject" something on it.
The only way is to create a ThreadLocal in OsgiConfiguration storing the Encryption service reference (or the BundleContext):
protected static ThreadLocal<Map<String,?>> params;
public static void setParams(Map<String, ?> params)
and push it into the AbstractKarafLoginModule.
Like this any LoginModule will get at least the BundleContext and so be able to use the Encryption service when needed.