I'm working on a library to make quick access to KeepassX database files easier for power users. Right now the application is so short-lived in memory that security around the unencrypted KeePass database is not a huge concern.
However, I'd like to add the ability to hold the database unlocked for a period of time in the background, similar to the way the KeepassX GUI does. This would allow immediate query of passwords without being prompted for the master password. This means there would be a sort of daemon process that holds the database in memory and communicates with a client.
It seems that the security implications of this are similar to those of ssh-agent, and I'm wondering if anyone 'round these parts is familiar with how that project approaches the long-term secure storage of sensitive data (namely, unlocked SSH private keys).
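As an added illustration of the daemon design described in this question (example code, not from KeepassX, ssh-agent or the asker's library), a minimal in-memory store that keeps decrypted entries in mutable buffers and wipes them after an idle timeout; the injectable clock is an assumption made so the timeout can be tested.

```python
import threading
import time


class UnlockedStore:
    # Constructed example: holds decrypted entries and relocks after idle time.

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so the timeout is testable
        self._lock = threading.Lock()
        self._entries = {}           # name -> bytearray, mutable so it can be zeroed
        self._expires_at = None

    def unlock(self, entries):
        """Load decrypted entries, copying each value into a buffer we own."""
        with self._lock:
            self._wipe()
            self._entries = {k: bytearray(v) for k, v in entries.items()}
            self._expires_at = self._clock() + self._ttl

    def get(self, name):
        """Return a copy of one secret, or None once the store has relocked.
        Each successful lookup restarts the idle timer, like a GUI auto-lock."""
        with self._lock:
            if self._expired():
                self._wipe()
                return None
            value = self._entries.get(name)
            if value is None:
                return None
            self._expires_at = self._clock() + self._ttl
            return bytes(value)

    def relock(self):
        """Explicit lock, e.g. on a client 'lock now' command or SIGTERM."""
        with self._lock:
            self._wipe()

    def _expired(self):
        return self._expires_at is None or self._clock() > self._expires_at

    def _wipe(self):
        # Overwrite in place before dropping references. Best effort only: Python
        # may have made other copies, so this is not a full memory-hygiene guarantee.
        for buf in self._entries.values():
            buf[:] = b"\0" * len(buf)
        self._entries = {}
        self._expires_at = None
```

A real daemon would sit behind a Unix socket with owner-only permissions and serve `get()` to the client; the store above is the part that decides when the secrets stop being available.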