
"Reversible" passwords

Discussion in 'Windows Security' started by Joseph M. Newcomer, Jun 28, 2009.

  1. I have found a reference to a concept called "reversible" passwords; that is, instead of
    storing the hash of a password, an encryption of the password is stored instead.

    I have a client that has a need for this feature. The problem is that although there are
    references to it, there is no discussion about how one gets the password from the database
    where passwords are kept, and decrypts it.

    Please, I do NOT want a lengthy discussion about why reversible passwords are a Bad Idea,
    or why getting the plaintext of a password is a Bad Idea. I, and a client I have,
    *understand* these issues. If it helps, the context is a system service running on a
    physically secured server that has to log a child process in as another (more restricted)
    user. What I'm looking for here is the *technology* involved: how to select the use of
    reversible passwords, and how to get the plaintext back for one, given a specific user
    name. DO NOT bother to explain to me about security. I understand the issues. What I
    don't understand is one specific technological path to implement one specific solution in
    one specific restricted context, which has been evaluated by a client as being an
    acceptable and necessary situation. Because of NDA, I cannot get into specific details of
    who, why, what, etc. Assume we have addressed all the relevant security issues of the
    plaintext password problem and have done appropriate risk management in the context of the
    problem domain. Now we need the APIs involved to obtain the password.

    (Note that none of this would be an issue if there were existing Trusted Computing Base
    implementations, but we have to deal with Reality As It Is). If you have a solution and
    don't want to post it for public visibility, you can send me private email on the topic.
    TIA
    joe
    Joseph M. Newcomer [MVP]
    email: newcomer@flounder.com