02-11-2015, 10:38 PM   #3717
kovidgoyal
creator of calibre
Posts: 45,484
Karma: 28005164
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
There is no secure way to reversibly store a secret on disk against an attacker that can run local code.

1) Even if you encrypt the stored secret with x-doo-dah-super-dooper encryption, based on a passphrase from the user, all the attacker has to do is spoof the program and ask the user for the passphrase. Or use a privilege escalation exploit to gain root and read the password from process memory. Or run a dictionary/brute force attack on the passphrase. And really, if you are saving the secret to disk, then that means you don't want the user to enter the password every time, which means storing it in a keyring. And all keyrings I know of are completely insecure against attackers that can run code locally.

2) There is no way to secure a secret safely in RAM against an attacker that can either run code in the calibre process or run code as root in the machine.

3) All operating systems have many local privilege escalation exploits.

Basically, once an attacker can run arbitrary code on your machine, you are hosed.

So about the only case where you can (somewhat) hope to store a password securely is against an attacker that can read arbitrary files on your system, but not run arbitrary code. That is a very small subset of attackers, unless you are running a file server.

Last edited by kovidgoyal; 02-11-2015 at 10:41 PM.
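The threat-model argument in the post above, worked through in code. This is an added example, not code from the post or from calibre: it assumes a passphrase-encrypted blob on disk (PBKDF2-HMAC-SHA256 key derivation, a demo-only HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, so the block needs no third-party AEAD library), a Python dict standing in for an OS keyring, and a constructed wordlist. It shows the three attacker positions the post distinguishes: a file reader gets only the blob, a local attacker with the blob runs a dictionary attack where the MAC acts as a passphrase oracle, and local code running as the user skips the passphrase entirely by reading the keyring the application itself uses.

```python
import hashlib
import hmac
import secrets

# Assumption (demo parameter, not from the post): PBKDF2 work factor.
KDF_ITERS = 100_000

# Constructed wordlist for the dictionary attack below.
WORDLIST = ["123456", "password", "letmein", "correct horse"]

# Constructed stand-in for an OS keyring. Anything running as the same user
# can read it, which is the post's point about keyrings.
KEYRING = {}


def derive_key(passphrase: str, salt: bytes, iters: int = KDF_ITERS) -> bytes:
    """Stretch the user's passphrase into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iters, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Demo-only stream cipher; use a real AEAD
    (e.g. AES-GCM or ChaCha20-Poly1305) in anything that ships."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, secret: bytes) -> dict:
    """Encrypt-then-MAC the secret under a passphrase-derived key.
    The returned dict is what an application would write to disk."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(secret, keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag, "iters": KDF_ITERS}


def unseal(passphrase: str, blob: dict):
    """Return the plaintext, or None if the passphrase (or the blob) is wrong."""
    key = derive_key(passphrase, blob["salt"], blob["iters"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def dictionary_attack(blob: dict, wordlist):
    """Attacker position 2: has the on-disk blob and can run code. The MAC
    check tells the attacker when a guess is right, so each guess costs one
    KDF run and nothing else. A strong passphrase is the only defence here."""
    for guess in wordlist:
        pt = unseal(guess, blob)
        if pt is not None:
            return guess, pt
    return None


def app_save(passphrase: str, secret: bytes) -> dict:
    """What an application does when it does not want to prompt every time:
    seal the secret, then park the passphrase in the keyring."""
    KEYRING["demo-app"] = passphrase
    return seal(passphrase, secret)


def local_code_attack(blob: dict):
    """Attacker position 3: code running as the user. No brute force needed,
    the keyring hands over the passphrase and the app's own unseal does the rest."""
    return unseal(KEYRING["demo-app"], blob)


if __name__ == "__main__":
    blob = seal("correct horse", b"smtp-password")
    # Attacker position 1: file read only. They get salt/nonce/ct/tag and nothing more.
    print("on-disk blob:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in blob.items()})
    print("dictionary attack:", dictionary_attack(blob, WORDLIST))
    blob2 = app_save("hunter2", b"api-key")
    print("local code via keyring:", local_code_attack(blob2))
```

Raising `KDF_ITERS` only changes the per-guess cost; it does nothing against `local_code_attack`, which never touches the KDF. That is the distinction the post draws between a file-read attacker and one who can execute code.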