Using wpa_supplicant Without Plain Text Passwords – Security Guide

Unfortunately I have to answer the question myself now. "Unfortunately" because the answer is "No, it is not possible".

I took a look at how PAP is working, and came to the conclusion that it is logically impossible to store the password as a hash value.

With PAP, the username and password are sent directly to the authentification side. Therefore, the password must be known, knowing some hash is not sufficient.

Thx @tink for searching nevertheless.

But I still could not find anything about this external storage thing. Solution for me in this special case is using a unencrypted wifi (which is also provided by my university) and a VPN.

Here is how I wound up solving the problem.

First, I created a separate key server that starts up at the same time as the main server. Its sole purpose is to hand out keys to authorized processes. It does this by running an md5sum on the calling binary, then seeing which keys that binary is allowed to access. The calling binary (in this case, the script, which has been compiled to an executable) requests the keys from this server and then proceeds as normal.

The key server runs all the time and maintains a keychain password in its own memory. On startup, it does not have the keychain password, and thus cannot respond to requests for keys. So before it can do this, it requires that the keychain password gets set. This can be done via a web interface or the command line and requires user interaction. This secures the system by requiring that somebody physically enter the correct password. This generally only needs to be done once per reboot, since the key server never terminates.