Regarding encryption, I’m gonna write up a security-doc that goes into more detail, but in a nutshell yes, keys are encrypted using your password (see also here in the build instructions). Your password is salted and hashed and turned into a 256bit key. The ESP32 has a hardware AES module on board, and encrypts your crypto keys with AES-256 CFB128 before storing them. The password itself is not stored on the device. Currently you’d need to send the pw via RPC command to unlock the wallet, in the future you’ll be able to input it on the device directly (display- and GUI-integrations are planned for 0.2.x).

After setting a pw, you can either add your existing keys, or generate new ones on-device (ESP32 comes with hardware TRNG capabilities). In the latter case, they’re returned to you once in the RPC response so you can back them up, in the future you’ll be able to show them on the display instead.