I'd imagine it would have to be... otherwise you'd need to enter the password to re-lock it.
Neither the password nor the password_derived_key is stored in memory. It is only used temporarily to decrypt the master_key. The encrypted version of the master_key is stored in the wallet and it is just a random number. When the wallet is "unlocked" it means the master_key (not password or password_derived_key) is in memory. The client uses the master_key to decrypt individual private keys but only as needed. So most of the time even when "unlocked" everything in the wallet is encrypted, it just means the master_key is in memory so individual elements can be decrypted.
Even if you recover the master_key it won't be the same master_key on any other wallet even if that wallet has the same passphrase. When a client decrypts an individual private key it deletes the decrypted version when it done using it (i.e. after signing a transaction).
When the wallet application closes or the unlock times out then the master_key is deleted from memory as well. PRNG -> random 256 bit number -> master_key
Wallet Password -> Key Derivation Function -> password_derived_key
master_key -> AES_Encrypt(w/ password_derived_key) -> encrypted_master_key
encrypted_master_key -> AES_Decrypt(w/ password_derived_key) -> master_key
For each of the bitcoin private keys in the wallet
private_key -> AES_Encrypt(w/ master_key) -> encrypted_private_key
encrypted_private_key-> AES_Decrypt(w/ master_key) -> private_keys
Stored in wallet.dat:
encrypted_private_key(s)
encrypted_master_key
In memory while wallet is unlocked (deleted when wallets locks or application terminates):
master_key
In memory only temporarily (deleted as soon as the task is completed):
password
password_derived_key
individual private_keys
This is a pretty common arrangement. It allows one to change the password without changing the master_key. If the master_key was changed it would require decrypted and re-encrypting every single private key.
I got some help on reddit and have been doing some testing and it's not looking good.
If someone on reddit told you that you can recovery from memory something which isn't there then it wasn't "help".
Didnt notice your reply before I quoted the one above yours (it was all the answer I needed to see to realize that resistance is futile!)
But after reading it, I now have a technical question.
You said that before the wallet is encrypted, the master key is just a random 32 bit number. After you encrypt it with a password, the password decrypts it, then is wiped.
I'm assuming that it's the same as the unencrypted private key... finding the original unencrypted master key wouldn't do any good, you'd still need to brute force it, correct? Which is no easier than just brute forcing the wallet.
Just curious at this point. What got us into bitcoin originaly (ok, me really) is the cryptography used. It's fascinating to me. You can't copy BTC or fake a transaction (well, easily, 51% and all that) or cheat the system. It's quite beautiful.