The basic ideas here look good to me; I will look at details later. Meanwhile I wonder what others might think, so I've added some to the cc list. One thing disturbs me: wanting to give more control to "the user who should be free to choose their own security/performance tradeoff". I doubt most users, or even sysadmins, know enough to make such choices. Yes, some options like the /dev/random vs. /dev/urandom choice can be given, but I'm not convinced even that is necessary. Our objective should be to make the thing foolproof, incapable of being messed up by user actions.