As an interest, I'm planning to write a password management script using Python.
My rough idea is to store the pairs of account name and password in an SQLite database file which is encrypted by GPG.
Here comes the question: how can I safely provide the SQLite library with the temporary decrypted database file, since placing the raw file in a hidden path doesn't guarantee security? Or should I keep the decrypted data in memory? And how?
I know there's a third-party framework for the encryption of SQLite databases. But I'm fairly curious about how it actually works, because it seems inevitable to deal with the intermediate data in such frameworks.
Yes, keeping the database in memory seems to be a viable solution. What makes this a bit difficult is that SQLite can easily create a database in memory (using `:memory:` instead of a filename) but making it load an already existing in-memory database is a bit of a pain: you'll have to implement your own `sqlite_vfs`. I've seen one implementation but it's pretty old, I'm not sure that it still works. Also, using it from Python will require extra effort.
Still, keeping the whole decrypted database always in memory is not very secure, since your memory may occasionally get paged to disk. So, remember to `mlock` it.
A simpler solution is having an ordinary database, but encrypting all the data before storing in it. This way, you'll have to keep in memory only the password and small little chunks of decrypted data.