i forget where i saw it implemented... maybe i even wrote an RPC recently that lets you do that unlock remotely so it never touches the disk...
oh, no, it was my former sponsor... let me see...
https://github.com/indra-labs/indra/tree/089a0df491fd76ac393875053625f9fd4fdbe140/pkg/storage
uses protobuf - you will see the proto and the generated pb.go code in there; that is an unlocker that stays off-disk
a second-best option is using an environment variable; you can protect that behind root privileges