Hmm... that just gave me an idea for dealing with some of the problems of encrypting private keys. Divide private keys into two pools, encrypted and cleartext. Allow users to move keys from one pool to the other by entering an amount, and attempting to approximate that amount with the coins owned by one or more private keys.
Think it could work?
edit... Fleshed out idea, cross posted from github/issues:
Suppose we encrypt keys with the public key of a separate private key. That private key is encrypted with a symmetric algorithm, whose key is derived from the passphrase. I believe this is how GnuPG works. When we store this encrypted key in the wallet, we also store a reference to the associated private key. (Or, perhaps have it elsewhere on the file system... usb drive? smart card? keyring?) With this functionality, we could prompt the user for a password once and decrypt multiple keys. It also means that a wallet could be separated into virtual partitions with different encryption keys. I think it would allow a smooth transition, but would it be backwards compatible?[1]
Here's the way I imagine interacting with this. I would keep a small amount of bitcoin in the clear. This allows me to easily spend the small amount while assuring I won't lose much if my device is compromised (good for mobile devices). I can easily encrypt/decrypt keys by entering a target amount to "transfer". The actual amount is determined by picking keys with transactions (outputs?) summing to approximately the target[2]. In order to spend more than is in the clear, I must enter one (or more) passphrases, but the rest is automated.
[1]Can the structure of the wallet be modified for encrypted keys and a reference to the encrypting private key without causing a breaking change?
[2]You can't split the output of a transaction without writing to the block chain, right?