Safe ways to retain an encryption key in a local service memory after a reboot?
I'm writing a Windows service that receives an encryption key from our web server. This key never leaves memory and is used to encrypt and decrypt sensitive data. This works well, except for the situation when the system is rebooted. In that case, the network is not yet available (it needs to be authenticated first), thus my service cannot connect to the server yet, but it still needs to obtain the encryption key.
Thus I was wondering if there is a way to safely retain the encryption key in memory after the system is rebooted (without saving it to disk in plaintext, which will expose it)?
Solution 1:[1]
How about using NCryptRegisterProtectionDescriptorName / NCryptCreateProtectionDescriptor along with NCryptProtectSecret/NCryptUnprotectSecret?
This is very similar to Remy Lebeau's suggestion, only using already-existing Windows API services. It won't be "in memory" (as memory is lost between boots) but does provide a should-be-secure means of storing such data.
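The protect/unprotect round trip named in this answer, as an added example that is not code from the answer or the question. The function name `seal_roundtrip` and the `LOCAL=user` descriptor string are assumptions chosen for illustration; the DPAPI-NG calls run only in a Windows build (linked with ncrypt.lib), and other hosts get the "unavailable" return code.

```c
/* Added example. Link with ncrypt.lib; requires Windows 8 / Server 2012+. */
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ncrypt.h>
#include <ncryptprotect.h>
#endif

/* Seals key with DPAPI-NG, unseals the blob again and compares.
   Returns 0 on a matching round trip, -1 on API failure or mismatch,
   -2 when built for a non-Windows host (no DPAPI-NG there). */
int seal_roundtrip(const unsigned char *key, unsigned long key_len)
{
#ifdef _WIN32
    NCRYPT_DESCRIPTOR_HANDLE desc = NULL, used = NULL;
    BYTE *blob = NULL, *plain = NULL;
    ULONG blob_len = 0, plain_len = 0;
    int rc = -1;

    /* Assumption: LOCAL=user ties the blob to the service's own account. */
    if (NCryptCreateProtectionDescriptor(L"LOCAL=user", 0, &desc) != ERROR_SUCCESS)
        return -1;
    /* NULL allocator: the blob comes from LocalAlloc. This blob, not the
       key, is what the service would write to disk before shutdown. */
    if (NCryptProtectSecret(desc, NCRYPT_SILENT_FLAG, key, key_len,
                            NULL, NULL, &blob, &blob_len) != ERROR_SUCCESS)
        goto done;
    /* After reboot: the descriptor is recovered from the blob itself,
       so no network access or server round trip is needed. */
    if (NCryptUnprotectSecret(&used, NCRYPT_SILENT_FLAG, blob, blob_len,
                              NULL, NULL, &plain, &plain_len) != ERROR_SUCCESS)
        goto done;
    if (plain_len == key_len && memcmp(plain, key, key_len) == 0)
        rc = 0;
done:
    /* Wipe the recovered key before releasing the buffer. */
    if (plain) { SecureZeroMemory(plain, plain_len); LocalFree(plain); }
    if (blob) LocalFree(blob);
    if (used) NCryptCloseProtectionDescriptor(used);
    NCryptCloseProtectionDescriptor(desc);
    return rc;
#else
    (void)key; (void)key_len;
    return -2;
#endif
}
```

With `LOCAL=machine` in place of `LOCAL=user`, any account on the host can unprotect the blob, so the descriptor choice and the ACL on the blob file decide who can recover the key.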
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | SoronelHaetir |
