
Key management

The credentials file, creds.ini, contains both cached passwords fetched via the Bravura Privilege API and the current value of the one-time password. This file needs to be protected, which in practice means encrypted.

The question, then, is how to synthesize the encryption key used to encrypt the passwords in this file. Storing a plaintext key is clearly not desirable, since the whole point of the API is to eliminate plaintext passwords (keys and passwords are essentially interchangeable).

The only realistic option is to have the API wrapper synthesize the key from characteristics of the runtime environment. This way, if the credentials file is moved to another machine, or if an attacker gains only partial access to the server or its filesystem, the key generation process yields a different key, so the cached credentials and the OTP become unavailable.

The runwithpass program and the pamutil library support a number of inputs into the key generation process:

  • Characteristics of the machine running the software; that is, IP address, MAC addresses, hostname, and so on.

  • A cryptographic hash of one or more files on the filesystem.

  • A cryptographic hash of the entire command line being executed by the program.
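As an added illustration, not code from runwithpass or pamutil, the following Python folds the three classes of input listed above into a single key and stores a small check tag beside creds.ini so the wrapper can tell a changed environment apart from a corrupted file before it attempts decryption. The label, the machine fields and the check-tag scheme are assumptions for the example; every input is length-prefixed so that two different input lists cannot collide once concatenated.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Mapping, Sequence

LABEL = b"runwithpass-creds-key-v1"  # assumed domain label, not a value from runwithpass or pamutil

def _encode(parts: Sequence[bytes]) -> bytes:
    """Length-prefix each part so ("ab", "c") and ("a", "bc") cannot produce the same bytes."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def hash_files(paths: Sequence[Path]) -> bytes:
    """SHA-256 over the contents of the listed files, read in a fixed order."""
    h = hashlib.sha256()
    for path in sorted(paths):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return h.digest()

def derive_key(machine: Mapping[str, str], file_paths: Sequence[Path], argv: Sequence[str]) -> bytes:
    """Combine machine facts, file hashes and the full command line into one 32-byte key."""
    parts = [f"{k}={machine[k]}".encode() for k in sorted(machine)]
    parts.append(hash_files(file_paths))
    parts.append(hashlib.sha256(_encode([a.encode() for a in argv])).digest())
    return hmac.new(LABEL, _encode(parts), hashlib.sha256).digest()

def key_check_tag(key: bytes) -> bytes:
    """Tag stored next to creds.ini; a mismatch means the environment changed, not that the file is corrupt."""
    return hmac.new(key, b"creds.ini", hashlib.sha256).digest()

def key_matches(key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(key_check_tag(key), tag)

def demo() -> dict:
    """Constructed scenario: identical inputs reproduce the key; a moved file or edited command line does not."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "runwithpass.cfg"  # constructed stand-in for a file whose hash feeds the key
        cfg.write_bytes(b"[constructed config]\n")
        host_a = {"hostname": "pam01", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5"}  # constructed
        host_b = dict(host_a, hostname="pam02", mac="66:77:88:99:aa:bb")  # the "other machine"
        argv = ["runwithpass", "--account", "svc-backup", "/usr/local/bin/backup.sh"]  # constructed
        key = derive_key(host_a, [cfg], argv)
        tag = key_check_tag(key)
        return {
            "same_env_matches": key_matches(derive_key(host_a, [cfg], argv), tag),
            "moved_to_other_host": key_matches(derive_key(host_b, [cfg], argv), tag),
            "changed_cmdline": key_matches(derive_key(host_a, [cfg], argv + ["--debug"]), tag),
        }
```

Because the command line is part of the key, even the same binary on the same host cannot read the cache when invoked with different arguments, which is the behaviour the third input above is meant to give.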