Joey asked:

have you done anything in obnam to deal with it needing to keep the symmetric key, decrypted, in RAM?

yeah, it's tough. probably could be avoided by having gpg decrypt the passphrase and pipe it to the encrypting gpg .. but then gpg would constantly be using the public key

It might be possible to have a C extension that holds the symmetric key, locks it into RAM, and feeds it to gpg whenever necessary, via a file descriptor.

--liw

I'm going to be switching from running gpg for symmetric encryption in the future, anyway. I'll be doing symmetric encryption in-process using python-crypt, and that means a lot of the sensitive data is going to be in Python strings anyway. Locking anything in memory doesn't seem feasible. done --liw