Hello,

As a learning exercise, which I hope will extend into something more
useful, I'm going to write a simple password management RESTful API. I will
further extend on this by writing various clients, including an Android
application, so that I can learn some basic Android development skills. You
know, because it's fun :-)

I also want to be able to have my own "Cloud" based password manager, but
obviously I want to ensure I am handling the raw passwords correctly. From
the persecptive of generating random strings, I don't think I will have any
issues, but it's the handling of the data, like keeping it in RAM, ensuring
plain text versions aren't leaking or present in RAM, etc. Here is a list
of the overarching objectives, for context:

- The remote API code will generate new passwords, storing them in a
SQLite DB;
- The SQLite DB stored passwords will be encrypted, probably using AES;
- Passwords are always generated remotely;
- A master password is used as the secret to the AES crypto;
- A strong HTTPS/TLS certificate will be used for over-the-wire
transport between server and client;
- The SQLite DB, and all related files, will be supported by an
encrypted file system for added protection;

It's a set of simple goals, really. Here are my concerns:

- How do I keep the plain texts as protected as possible? Does Go have a
"protected memory" operation mode, or is this something the underlaying OS
provides? I'm told the Linux kernel can be employed to hold secret keys for
you, helping to protect them from attack?
- How do I go about encrypting the entire SQLite DB? Should I even
bother? Is the non-sensitive metadata worth protecting to that degree?
- Is AES the right algo to use? Obviously I want to use an existing algo;

I know some readers may see this as yet-another-pm, but it's a pet project
that I will enjoy, so please, bare with me on this one!

All help appreciated.

- Mike