Keyczar can itself wrap Keyczar keys, which is working perfectly fine.
This does lend itself to the "Turtles all the way down" problem with a decryption key sitting on the same machine as the encrypted data it's protecting.
There are HSMs, which might be overkill for my particular application based on cost and administrative overhead.
AWS and potentially other cloud hosting providers have services such as KMS.
Has anyone explored wrapping keyczar keys in KMS or similar? I would guess this is highly specific, non-generic code to the KMS service, but given the popularity of the AWS product line, might be a nice addition to the security profile of many organizations.
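
One way the wrapping asked about above could look, as an added example that is not part of the original post and not code from the Keyczar project. It assumes `kms` is a boto3 KMS client (`boto3.client("kms")`), that the keyset uses Keyczar's on-disk layout (a `meta` file plus numbered version files), and that the reader interface of the Python port is `GetMetadata`/`GetKey`/`Close`; `wrap_keyset`, `KmsReader` and the `keyset` context label are hypothetical names.

```python
import base64, json, os

# Assumption: `kms` is a boto3 KMS client; only its encrypt()/decrypt() calls are used.
MAX_KMS_PLAINTEXT = 4096  # KMS Encrypt accepts at most 4096 bytes of plaintext

def _context(keyset, version):
    # The encryption context binds a blob to one keyset and version. KMS refuses
    # to decrypt under a different context, so wrapped files cannot be swapped.
    return {"keyset": keyset, "version": str(version)}

def wrap_keyset(kms, kms_key_id, src_dir, dst_dir, keyset):
    """Copy a plaintext keyset to dst_dir with every version file KMS-wrapped."""
    os.makedirs(dst_dir, exist_ok=True)
    with open(os.path.join(src_dir, "meta")) as f:
        meta = json.load(f)
    for v in meta["versions"]:
        n = v["versionNumber"]
        with open(os.path.join(src_dir, str(n)), "rb") as f:
            plaintext = f.read()
        if len(plaintext) > MAX_KMS_PLAINTEXT:
            raise ValueError("version %d is too large for a direct KMS Encrypt" % n)
        resp = kms.encrypt(KeyId=kms_key_id, Plaintext=plaintext,
                           EncryptionContext=_context(keyset, n))
        with open(os.path.join(dst_dir, str(n)), "wb") as f:
            f.write(base64.b64encode(resp["CiphertextBlob"]))
    meta["encrypted"] = True  # same flag Keyczar sets on its own wrapped keysets
    with open(os.path.join(dst_dir, "meta"), "w") as f:
        json.dump(meta, f)

class KmsReader(object):
    """Duck-types the assumed Keyczar reader interface over a KMS-wrapped keyset."""

    def __init__(self, kms, location, keyset):
        self.kms, self.location, self.keyset = kms, location, keyset

    def GetMetadata(self):
        with open(os.path.join(self.location, "meta")) as f:
            return f.read()

    def GetKey(self, version_number):
        with open(os.path.join(self.location, str(version_number)), "rb") as f:
            blob = base64.b64decode(f.read())
        resp = self.kms.decrypt(CiphertextBlob=blob,
                                EncryptionContext=_context(self.keyset, version_number))
        return resp["Plaintext"].decode("utf-8")

    def Close(self):
        pass
```

With this layout the wrapping key never sits on the machine next to the data; each `GetKey` is a KMS Decrypt call that is authorized by IAM and recorded in CloudTrail.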