Your comments

As I know, most used case is lock by time-out.
Time-out is long enough to track active user. It means cache hit reset counter again.
One more time-out case if global user inactivity: no mouse movement, no keyboard events.
Also possible:
* Emergency lock (by hot-key);
* Desktop/Hibernate/etc lock. Win+L locks Desktop, but also flush data and sync DB. This case is not simple because some crypto-tools can force encrypted volumes unmount the same time. But some workarounds are possible to prevent data loss. At least you can try to keep encrypted DB in memory until storage appears again.
 * Lock on CN minimize, etc
Check the KeePass - Tools - Options - Security to see different options.

May be you do not need them all now. At least the "delayed DB open" feature can be implemented w/o all above. ;)
Hello Alex, lets see what happens on clipping hot-key:
CN tries to open DB.
If DB not available or encrypted - show DB open/selection dialog inside disabled note edit dialog. Like the web-sites do when they need auth before post message: keep message faded on background and show auth form on top.
If DB not encrypted and available - just open it and add note.
Guys, thank you for the proposal, but I prefer minimal set of tools on the PC and GUI instead of old console way. ;) So, I mount my volumes manually when they required.
You can see the behavior I described in KeePass tool (popular password storage tool). It starts minimized to tray and shows login screen only on first use and then open DB file. I think it is good way: acquire resources only when they are required and free asap.
BTW, if you plan to implement whole-DB/per-record encryption you will need to implement similar behavior anyway. Records must not stay decrypted in memory all the time.