Random Access Memory (RAM) was recently shown to be vulnerable to physical attacks exposing the totality of memory, including user data and encryption keys. We present Cryptkeeper, a novel software-encrypted virtual memory manager that mitigates data exposure when used with a secure key-hiding mechanism. Cryptkeeper significantly reduces the amount of cleartext data in memory by dividing RAM into a smaller, cleartext working set and a larger, encrypted area. This extends the standard memory model and provides encrypted swap as a side effect. Despite a 9x slowdown in pathological cases, target applications such as Firefox are only 9% slower with our Linux-based prototype. We also identify several optimizations which can significantly improve performance. Cryptkeeper enables the expression of new security policies for memory, and demonstrates that modern personal computers can perform heavy-duty work on behalf of operating systems with surprisingly low overhead.