The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.
The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.
