Reputation: 29658
DPAPI is great for protecting sensitive information! Unfortunately, the DPAPI "optional entropy" is basically another piece of sensitive information that must be protected. Ironic.
What are some possible (sneaky) sources of "entropy" I could use that would be difficult to guess? Or alternatively, how could I protect the entropy? Steganography maybe?
FYI: I am not completely relying on the entropy itself. I will have other obstacles and layers of encryption. I just want to put up another obstacle.
Additional FYI: This is just a personal project that I am protecting out of paranoia as well as curiosity.
Upvotes: 1
Views: 624
Reputation: 8885
The entropy used for DPAPI doesn't necessarily need to be sensitive information. It can be a simple salt used to protect against dictionary/rainbow-table kinds of attacks; alternatively, it can be a user-entered password if you want extra protection. DPAPI ensures security through the user credentials, which are used as the key to encrypt the actual keys used. So the entropy could just as well be some random string that is hardcoded into your application. As long as the user credentials are well protected, your data is not at risk.
Upvotes: 2
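The two options this answer describes, a hardcoded application salt and an optional user-entered password folded into the entropy, side by side in one added example (this is not code from the question or the answer). It assumes a .NET application on Windows with `System.Security.Cryptography.ProtectedData` available (the NuGet package of that name on .NET Core/5+, `System.Security.dll` on .NET Framework); the entropy string, salt length, PBKDF2 iteration count and sample secret are constructed values, and the class and method names are mine.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post or answers.
public static class DpapiEntropyDemo
{
    // Constructed, application-specific entropy baked into the binary. It is not a
    // secret: its only job is to stop another program running under the same Windows
    // account from opening the blob with a plain ProtectedData.Unprotect(blob, null, ...).
    private static readonly byte[] AppEntropy =
        Encoding.UTF8.GetBytes("example-app-entropy-v1");  // constructed value

    // Builds the entropy for one blob. With no password, the hardcoded entropy alone is
    // used and protection rests entirely on the user's logon credentials (as the answer
    // says). With a password, a PBKDF2-derived key is appended, so the blob cannot be
    // opened without that password even by code that runs as the same user and knows
    // AppEntropy. The per-blob salt is stored next to the ciphertext, not hidden.
    public static byte[] DeriveEntropy(string userPassword, byte[] salt)
    {
        if (string.IsNullOrEmpty(userPassword))
            return AppEntropy;

        using var kdf = new Rfc2898DeriveBytes(userPassword, salt, 100_000, HashAlgorithmName.SHA256);
        byte[] derived = kdf.GetBytes(32);
        byte[] combined = new byte[AppEntropy.Length + derived.Length];
        Buffer.BlockCopy(AppEntropy, 0, combined, 0, AppEntropy.Length);
        Buffer.BlockCopy(derived, 0, combined, AppEntropy.Length, derived.Length);
        return combined;
    }

    public static byte[] Protect(byte[] plaintext, string userPassword, out byte[] salt)
    {
        salt = RandomNumberGenerator.GetBytes(16);  // fresh salt per blob
        return ProtectedData.Protect(plaintext, DeriveEntropy(userPassword, salt),
                                     DataProtectionScope.CurrentUser);
    }

    public static byte[] Unprotect(byte[] blob, string userPassword, byte[] salt)
    {
        return ProtectedData.Unprotect(blob, DeriveEntropy(userPassword, salt),
                                       DataProtectionScope.CurrentUser);
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample secret");

        byte[] blob = Protect(secret, "correct horse", out byte[] salt);
        byte[] back = Unprotect(blob, "correct horse", salt);
        Console.WriteLine(Encoding.UTF8.GetString(back));  // round-trips for the same user

        // A wrong password yields different entropy, and DPAPI rejects the blob with a
        // CryptographicException even though the caller is the same Windows user.
        try
        {
            Unprotect(blob, "wrong password", salt);
            Console.WriteLine("unexpected: wrong entropy accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Unprotect with wrong entropy failed, as expected.");
        }
    }
}
```

The split between the two inputs is the point: `AppEntropy` can be recovered by anyone who reads the binary, so it should be treated as a salt that raises the bar for generic DPAPI-dumping tools, while the user password is the only component that stays secret, and it lives in the user's head rather than on disk. Anything that must be written to disk (the salt here) is deliberately chosen so that disclosing it costs nothing.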
Reputation: 25742
You can use RMS (Windows Rights Management Services), which is what DRM security schemes use for very similar purposes (they keep the key, which is the entropy in your case, hidden from the user but tied to the user's account and computer). RMS again relies on DPAPI, but through a system that Microsoft calls the lockbox.
Upvotes: 2