Instead of providing credential store’s master password in the clear, we should allow providing that password using a pseudo credential store.

Command
External command using java.lang.ProcessBuilder. If parameters are needed, they are supplied using a comma-separated list of strings. An external command refers to any executable from the operation system, for example a shell script or an executable binary. The password is read from the standard output of the executed command.

<command-credential command="/path/to/command.sh arg1 arg2"/>

MASK
Masked password using PBE, or Password Based Encryption. It must be in the following format, which includes the SALT and ITERATION values:

MASKED_VALUE;SALT;ITERATION

<masked-credential masked="NqMznhSbL3lwRpDmyuqLBW==;12345678;123"/>