Introduce mlock for ephemeral secret keys #3

@kpcyrd

This prevents a situation where the ephemeral private keys are written to the swapfile.

This requires an additional syscall in the existing seccomp filter and also needs `--cap-add=IPC_LOCK` for docker. In the latter case it might make sense to make this feature opt-out-able.
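An added example, not code from this project, sketching the behaviour requested above in C: a key buffer is pinned with `mlock` so it cannot be paged out to swap, and a denied lock is either fatal or tolerated. The `secret_key` struct, the function names, the 32-byte key length and the `require_lock` switch (standing in for the suggested opt-out) are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* for MAP_ANONYMOUS */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define KEY_LEN 32 /* assumed size of an ephemeral secret key */

struct secret_key {
    unsigned char *buf; /* private page holding the key material */
    size_t map_len;     /* length of the mapping (one page) */
    int locked;         /* 1 if mlock() succeeded */
};

/* Map a private page for the key and try to pin it in RAM.
 * require_lock = 1: fail if the lock is denied; 0: continue unlocked (opt-out). */
int secret_key_alloc(struct secret_key *k, int require_lock) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    k->locked = 0;
    k->map_len = (size_t)page;
    k->buf = mmap(NULL, k->map_len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (k->buf == MAP_FAILED) { k->buf = NULL; return -1; }
    if (mlock(k->buf, k->map_len) == 0) { k->locked = 1; return 0; }
    /* Typical causes: mlock blocked by a seccomp filter, missing
     * CAP_IPC_LOCK, or RLIMIT_MEMLOCK too low (EPERM / ENOMEM). */
    fprintf(stderr, "mlock failed: %s\n", strerror(errno));
    if (!require_lock) return 0;
    munmap(k->buf, k->map_len);
    k->buf = NULL;
    return -1;
}

/* Wipe the page, then unmap it; munmap also drops the memory lock. */
void secret_key_free(struct secret_key *k) {
    if (!k->buf) return;
    volatile unsigned char *p = k->buf;
    for (size_t i = 0; i < k->map_len; i++) p[i] = 0;
    munmap(k->buf, k->map_len);
    k->buf = NULL;
    k->locked = 0;
}
```

Logging the `mlock` failure instead of ignoring it keeps the unlocked fallback visible to whoever runs the container.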
