Goodname,
Any Lazarus program, regardless of what it is meant for, can have a local or remote database that it accesses for data that one needs to, or wishes to, be private and INDEPENDENT from the code.
The level of security is then determined by the database, including encryption, if necessary. No need to use encryption in the application itself, which can create the problem as mentioned in the o.p.
The problem is ensuring private encryption keys are known to client and server before network communication begins. So build the database to store the private encryption key. Now the database login information must be known. If you're lucky, the user provides this information. If not, the login information must be somewhere on the client and server. Can you suggest a way to obscure this login information so that it is very difficult for someone to reverse engineer?
This can be a problem with public key encryption as well. With public encryption the decryption key must be hidden somewhere on the receiving side.
Sure, goodname.
The passwords should always be gathered by dialog or prompt, as you say.
Otherwise, by whichever mechanism starts an application, usually a scheduler, the password is put there, and never with the code.
When a password is found in an isolated environment, with no mention as to where it applies, it is comparable to someone finding your car keys somewhere, but there is no tag to relate it to the user or object that it opens. The password, additionally, could be on a USB stick, or for that matter, almost anywhere (somewhat like having a dongle).
The main thing, though, is that the main security is ensured not by obscurity, but is a "visible" or known security (that of the database itself). It is visible in the sense that a keyport is visible in our house doors, or on older car doors.
When we use security by obscurity, sometimes we can't even find it ourselves, which is not too publicized, but happens to be a common security problem: for example, many people often cannot find their keys (if we hide them from others), or people forget or can't find their passwords.
For passwords, and certain other things, I have as the default text editor in my Windows 7 an editor that has the option to encrypt/decrypt. I have never saved, nor do I save, the file while it is unencrypted. I also have remote backups of that encrypted file.