An interesting discussion came up on IRC so I figured I'd echo it here.
A solution less draconian to passing around sensitive data is to wrap it in a fun, this way logs and traces only see the fun, not the actual sensitive data. Therefore if we could wrap the key value in a fun immediately upon retrieval and pass it as a fun to ssl, which would only call the fun when necessary, we could hide the sensitive information entirely where it is only passed around or stored (not used). The fun could also just wrap location info and retrieve the key only when it's getting used, reducing the span where the actual value exists in the system.
What do you think, should ssl accept a fun for the key? Is there other sensitive options this might be useful for?
Idea originally from Dave Cottlehuber.