Hardcoded encryption keys, impossible to avoid?
This question kind of clarifies the situation: https://security.stackexchange.com/questions/6612/how-can-i-decrypt-data-with-java-without-hard-coding-the-key
Essentially this is known as bootstrap security. You can have a user create a KeyStore that will store the public, private and secret keys that will be used to encrypt and decrypt the passwords of the user. The password that was set by the user will also be stored, but where? Any secure storage for that password will require a key of some sort, for example:
1. Use of a symmetric key to encrypt the password will require the key itself to be hardcoded?
2. Use of an external source such as LDAP will require a password for that source as well.
Essentially, the secret to the secret to the secret can never be configured externally, so this warning will always appear!
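
An added example, not part of the original post: a Java sketch of the bootstrap chain described above, in which the KeyStore password is handed to the process at start-up (environment variable or console prompt) instead of appearing in source. The variable name `APP_KEYSTORE_PASSWORD`, the alias `user-data-key` and the sample plaintext are assumptions made for illustration, and Java 11 or later is assumed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;

public class BootstrapKeyDemo {
    // Hypothetical name; the deployment (service unit, secrets agent) sets it.
    static final String ENV_NAME = "APP_KEYSTORE_PASSWORD";

    // The bootstrap secret: supplied from outside the code at start-up.
    static char[] bootstrapSecret() {
        String v = System.getenv(ENV_NAME);
        if (v != null && !v.isEmpty()) return v.toCharArray();
        if (System.console() != null) {
            char[] typed = System.console().readPassword("KeyStore password: ");
            if (typed != null && typed.length > 0) return typed;
        }
        throw new IllegalStateException(ENV_NAME + " not set and no console input");
    }

    public static void main(String[] args) throws Exception {
        char[] pw = bootstrapSecret();
        try {
            // In-memory PKCS12 store for the demo; a real one is loaded from a file stream.
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(null, pw);
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            ks.setEntry("user-data-key", new KeyStore.SecretKeyEntry(kg.generateKey()),
                        new KeyStore.PasswordProtection(pw));

            // The data key is generated and stored, never written into the code.
            SecretKey key = (SecretKey) ks.getKey("user-data-key", pw);
            byte[] iv = new byte[12];               // fresh 96-bit nonce per message
            new SecureRandom().nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal("constructed sample password".getBytes(StandardCharsets.UTF_8));

            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
            String pt = new String(c.doFinal(ct), StandardCharsets.UTF_8);
            System.out.println("round trip ok: " + pt.equals("constructed sample password"));
        } finally {
            Arrays.fill(pw, '\0');                  // do not leave the password in memory
        }
    }
}
```

The last secret in the chain still exists: it lives in the process environment or with the operator who types it, so its protection rests on operating-system access control and deployment tooling.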