No, you should not have to. On the client side you enter the clear text password, that will be validated against the stored one.
Upon debugging I saw that in the "embedded" deployment the the CryptoUtil.java file which loads the keystore file was loaded with "client" application class loader (as this class is in the teiid-jdbc.jar), however the "deploy" directory where the keystore file is loaded by another class loader. So, CyrptoUtil class is not finding the the keystore and treating as if the "encryption" was not enabled. This will work correctly in the Server environment with out any changes.
This can be worked around in "embedded" by putting "teiid.keystore" file your class path, or adding "deploy" directory to the classpath.
Adding the deploy folder to the classpath worked. Thanks!