the codebase had this comment:

    // pretend to encrypt key, then store it unencrypted
    skbytes, err := sk.Bytes()
    if err != nil {
        return err
    }
    cfg.Identity.PrivKey = base64.StdEncoding.EncodeToString(skbytes)

Right now we're cutting a lot of corners and doing things not securely yet. But it's important to flag them as such for people who might be just browsing the codebase. If I saw that on a random codebase i'd be alarmed, even knowing the code is changing.