Because you want to maximize convenience and aren't greatly concerned about security, you should ensure your system is robust first. Then it is pretty easy to apply enough security to keep honest people honest -- by splitting the secret into two parts kept in separate locations. Movable Type's is the most honest, where the two parts are in easily read files. "hiding database passwords" had some similar sentiments (I actually like the very last idea, about storing it on a removable token that is used for boot.) The "Balancing two conflicting passwords" approach was to have the separation virtual, where the password is encrypted against a token associated with the script. None of these will protect against malice without additional controls, but that isn't the point here if the extracts are correct.

If malice or non-repudiation is an issue, there are other things. Physical token plus operational controls can work, and there are technical controls with password servers and the like, but they are overkill for the kind of problem you describe, impo. (I play an IT Security Architect on TV.)

--woody