
Hardening encryption key storage - Automigrate? #439

@drweb86


Windows DPAPI (ProtectedData class) — best bang for buck in C#
```csharp
using System.Security.Cryptography; // ProtectedData lives in the System.Security.Cryptography.ProtectedData package on .NET 5+
using System.Text;

string plainTextSecret = "example-secret"; // constructed sample value

// Encrypt (only the current user/machine can decrypt)
byte[] encrypted = ProtectedData.Protect(
    Encoding.UTF8.GetBytes(plainTextSecret),
    null,                            // optional entropy; none used here
    DataProtectionScope.LocalMachine // or CurrentUser; the scope must match on Unprotect
);

// Decrypt
string secret = Encoding.UTF8.GetString(
    ProtectedData.Unprotect(encrypted, null, DataProtectionScope.LocalMachine)
);
```

| Threat | Plain text config | Hardened credentials |
| -- | -- | -- |
| Curious user opens config file | ✅ Exposed | ✅ Protected |
| Malware doing a targeted file scan | ✅ Exposed | ✅ Protected |
| Attacker with brief filesystem access | ✅ Exposed | ✅ Protected |
| Attacker who fully compromises the machine | ✅ Exposed | ✅ Also exposed |
| Attacker who reverse-engineers your app | ✅ Exposed | ✅ Also exposed |
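The migration the title asks about, as an added example that is not the project's own code: a hypothetical `SecretStore` helper that converts a plaintext config value to a DPAPI-protected one in place, marks it with a prefix so the step is idempotent across restarts, and surfaces the `CryptographicException` raised when a blob was protected under a different user or machine. It assumes Windows and, on .NET 5+, the `System.Security.Cryptography.ProtectedData` package; the prefix, entropy string and sample secret are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of the project): migrates a plaintext secret found in a
// config file to a DPAPI-protected, base64-encoded value, and round-trips it back.
// A fixed prefix marks already-protected values so the migration is idempotent.
public static class SecretStore
{
    private const string Prefix = "dpapi:"; // constructed marker for protected values
    private static readonly DataProtectionScope Scope = DataProtectionScope.CurrentUser;
    // Optional entropy: an app-specific value mixed into DPAPI, so another process running
    // as the same user cannot Unprotect the blob without it (still recoverable from the binary).
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    public static bool IsProtected(string value) =>
        value != null && value.StartsWith(Prefix, StringComparison.Ordinal);

    // Returns the value to write back to the config; already-protected input is returned unchanged.
    public static string Migrate(string configValue)
    {
        if (IsProtected(configValue)) return configValue;
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(configValue), Entropy, Scope);
        return Prefix + Convert.ToBase64String(blob);
    }

    // Accepts either form so the app keeps working mid-migration. A blob protected under
    // another user or machine (e.g. a config copied from elsewhere) throws
    // CryptographicException; surface it rather than silently treating the blob as plaintext.
    public static string Reveal(string configValue)
    {
        if (!IsProtected(configValue)) return configValue; // legacy plaintext entry
        byte[] blob = Convert.FromBase64String(configValue.Substring(Prefix.Length));
        try
        {
            return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, Scope));
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Stored secret cannot be decrypted in this user/machine context; re-enter it.", ex);
        }
    }

    public static void Main()
    {
        string stored = Migrate("hunter2-example-password"); // constructed sample secret
        Console.WriteLine(Migrate(stored) == stored);        // True: second run is a no-op
        Console.WriteLine(Reveal(stored));                   // original secret
    }
}
```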
