I'm looking for an encryption utility/software that will help me do the following: I have a script that runs periodically that will look at a file containing an SQL password which it uses to perform a DB query and return the results to a reporting engine. I would like to encrypt the file (or the password), but don't want to put the passphrase into the script (defeating the purpose of the encryption). I was wondering if it is possible to have the script fetch an encrypted (but not hashed) password out of file and send it to a utility to get the real password in order to perform the SQL queries, and if so, what it the utility/program/software package?

But then you'd have to send the encryption key in order to for the utility to un-encrypt the password... unless you plan to hard code that key into the utility ...

It's the classic problem for auto de-crypting without leaving the key lying around ..

One soln is to supply the key (manually) on prog start-up and make the prog a daemon, so it only has it stored in memory.

Another is to have the key stored elsewhere and have the prog use an ssh-auth-key to go get it.
See also ssh-agent, which creates an env that can store the auth in memory for any process in the same tree.

This qn should produce some interesting answers...

Isn't this like the problem where you have an SSL cert for your apache install? When your server reboots and apache starts again, you either have to A) make arrangements for the password to be supplied to apache on startup OR B) you have to decrypt your private key and just leave it stored on the file system somewhere. I don't think I've ever seen anyone opt for arrangement A. If your server reboots, memory is wiped, and there's no one around to supply the password.

I'm curious about what chrism01 has described, but I believe that most practical situations require that you store the password somewhere on your file system. It's a chicken/egg problem. If it's not stored on the file system, the machine is helpless to get started without your help or without retrieving the password from somewhere. I can imagine the machine might have a *different* password that it uses to authenticate with some external system to ask nicely for the password and then move along, but then you have the issue of this sensitive password getting passed around.