Here is the general scenario: You have written a webapp that connects to a database. However, for this it needs a database username and password. You know that it is not a good idea to read password values from a configuration file, as anyone with read access to this file will get complete access to the database.
So, what do you do? One of the guys I came across had a clever solution to this problem. He had a configuration tool that asked the user to enter the password, encrypted the password and then stored the encrypted value in the configuration file. At startup, the webapp reads this file, decrypts the value and then uses the real password to connect to the database.
When I asked him what encryption key he used and how the webapp got it, he replied that he had the key buried deep in the code, away from the reach of most users.
Anyone who knows even the ABCs of security will realize that this buys him no real security, for anyone with the slightest amount of determination will retrieve the key within minutes. But apparently, his customers felt safe in the knowledge that the password was not kept in the clear. I guess few bothered to ask about the details of the encryption process.
There is a straightforward solution to this problem: ask the admin to supply a password when the webapp (or the webapp container) starts, and then use this password as the encryption key. However, it does make the startup process a bit inconvenient.
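
The startup-password approach as an added example (not code from the tool described above): the admin's passphrase is stretched with PBKDF2 into an AES-256-GCM key, so no key is stored in the code or the configuration file. The cipher and KDF choice, the function names, the JSON layout and the iteration count are assumptions made for this illustration.

```ruby
require 'openssl'
require 'json'

# Added illustration; names, config layout and work factor are assumptions.
KDF_ITERATIONS = 600_000 # PBKDF2-HMAC-SHA256 work factor (assumed value)

# Derive a 256-bit key from the passphrase the admin types at startup.
def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: KDF_ITERATIONS,
                           length: 32, hash: 'sha256')
end

# Configuration tool side: returns the JSON string to store in the config file.
def seal_db_password(db_password, passphrase)
  salt = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  nonce = cipher.random_iv # fresh nonce for every stored value
  cipher.auth_data = 'db_password'
  ciphertext = cipher.update(db_password) + cipher.final
  fields = { salt: salt, nonce: nonce, tag: cipher.auth_tag, ct: ciphertext }
  JSON.generate(fields.transform_values { |v| v.unpack1('H*') }) # hex-encode
end

# Webapp startup side: returns the database password, or nil when the
# passphrase is wrong or the stored value was altered (GCM tag check fails).
def open_db_password(stored_json, passphrase)
  f = JSON.parse(stored_json).transform_values { |hex| [hex].pack('H*') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, f['salt'])
  cipher.iv = f['nonce']
  cipher.auth_tag = f['tag']
  cipher.auth_data = 'db_password'
  cipher.update(f['ct']) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; a real webapp would prompt the admin instead.
  stored = seal_db_password('s3cret-db-pw', 'startup passphrase')
  puts stored
  puts open_db_password(stored, 'startup passphrase')
end
```

A read-only copy of the configuration file now yields only salt, nonce, tag and ciphertext; recovering the database password requires the passphrase, which exists only in the admin's head and in the running process.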