>> Why is it significantly easier to protect the key[s]
>> used for the encryption than the storage itself?
> one could always passphrase-protect the key, i.e. use symmetric encryption.
> admittedly, this could potentially be brute-forced, but ... should be
> good enough for most purposes?
And how does your Application (Zope) access the storage?
Exactly. It needs the key - if it has the key - the "attacker"
can just read the data thru the application.
In the end this does not buy you anything but overhead.
If you want to encrypt, just use a crypted filesystem as
DM already suggested. Best performance, best transparency
and well tested.
For more information about ZODB, see the ZODB Wiki:
ZODB-Dev mailing list - ZODB-Dev@zope.org