In such mode encryption key wouldn't be present anywhere on disk or secure chip, but would only be present in RAM.

User every time when opening the app would be prompted to provide the password to decrypt the encryption key which would then be stored in RAM (only when app runs).

This would mimic behavior of LUKS vault.

Would require also implementing Rclone encrypted config: https://s3drive.canny.io/feature-requests/p/rclone-encrypted-config

Initial discussion: