Thanks for your support of Codebook and posting to the discussion forum. Sorry for the delay in response.
Codebook does not decrypt the entire database en masse, it decrypts only as needed. However, there is caching in place, so depending on the size of your database and how you access it, the whole database may be in memory at any given point in time. The details are available in this page about how SQLCipher (Codebook’s backend) works:
That said, as a general comment, it’s virtually impossible to secure a program in a situation where rogue administrative software can read an application’s running process memory. For example, even systems like TrueCrypt and other full disk encryption systems are susceptible to attack with elevated access.
However, this is balanced by the fact that it is generally very difficult to gain the administrative level of access required to dump memory (i.e. normal applications can’t do it). It is not trivial to access the running memory of other processes.
As a practical example, consider an application keeps only a partial subset of the data “in memory”. It must also have an encryption key in memory to decrypt the rest of the data when needed. Any sufficiently sophisticated malware running with administrative privileges and direct memory access could just skip trying to get the data from memory, and instead grab the encryption key and the file.
Please let me know if this answers your question and if there’s anything else I can do to assist.