in reply to Hide DBI password in scripts

If you absolutely have to (++)store the secret and the means of revealing the secret on the same machine, you might want to consider Trusted Computing, where the key is sealed inside a special chip (TPM) and the application has to attest itself (measure its state at various stages to prove that it has not been tampered with) to obtain the key back from the TPM.

The problem is that the trust chain has to wind from as far as BIOS and bootloader (otherwise the attackers will tamper with things you're not attesting1) and that it's somewhat hard to define the state of your application which both is reproducible and proves the absence of tampering. If the former fails, you won't get the correct key even if no attack has happened. If the latter fails, the attackers will find something that's not measured and coerce the application to give up the key. Others have provided lots of examples of state of Perl applications (PERL5LIB, all of %INC, LD_PRELOAD and other dynamic library hacks...) you would have to find and make reproducible if you go down this road. Despite the difficulties, TPM has its uses, for example, in BitLocker, where Windows is able to skip some checks and get the partition encryption key automatically most of the time, but has to ask the user for password if TPM reports that some boot settings do not match their checksums.

Given the requirement of OS and hardware support and the amount of work to ensure state reproducibility, I wouldn't do this myself but perhaps for you it's a more viable option. Instead, I would separate the ciphertext and the encryption key and make it relatively easy for the user to give the key to the app on startup, while also preventing the part of memory from being written out to swap or core dump (some libraries provide abstractions for that). Yes, that means that my app would have to keep running and require user interaction on each restart.

1A working example of that is KonBoot which boots before Windows, modifies its parts in RAM and hands the control back to the boot loader. The modifications make it possible to log in as administrator without knowing the original credentials.