Where should a Windows service, running as Local System, store a private key in the file system?


I need to generate and store a sensitive file (assume that it is not a traditional PKCS format) private key and keep it accessible to the running service.

Normally, when running as a service account (AD User), I would store the file under the user's profile, and then let standard Windows security handle this.

Outside of the CryptoAPI, where in the file system should I store this private key?

1 answer

Kianii:

Using DPAPI, you can either use the current user's credentials or the LocalMachine 'creds'.

LocalMachine will make all users on the computer able to Unprotect the data (still a solution though... if you trust every user on this computer).

Or, you can use impersonation to get the current user & do your stuff.
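The following is an added example, not code from the question or the answer above, showing the LocalMachine DPAPI option the answer describes together with the file-system placement the question asks about. It assumes the service runs as Local System, that `%ProgramData%\ExampleService\keys` is the chosen location (a placeholder), and that the entropy value is a placeholder the service would keep somewhere other than next to the blob. Because LocalMachine scope lets any account on the box call `Unprotect`, the example also strips the file's inherited ACL down to SYSTEM and Administrators, so that a local user who is neither cannot read the blob in the first place.

```powershell
# Added example (not from the question or answer): protect key material with
# DPAPI in LocalMachine scope and restrict the file's ACL to SYSTEM and
# Administrators. Paths and the entropy value are placeholders.
Add-Type -AssemblyName System.Security

$KeyDir  = Join-Path $env:ProgramData 'ExampleService\keys'   # assumed location
$KeyFile = Join-Path $KeyDir 'service.key.dpapi'

# Constructed sample; in practice this is the raw private key bytes.
$plainKey = [System.Text.Encoding]::UTF8.GetBytes('-----CONSTRUCTED SAMPLE KEY-----')

# Optional entropy: DPAPI mixes it into the protection key, so a caller that can
# read the file but does not know this value cannot Unprotect it. Keep it apart
# from the blob (e.g. compiled into the service or in a separately ACL'd file).
$entropy = [System.Text.Encoding]::UTF8.GetBytes('placeholder-entropy-change-me')

$protected = [System.Security.Cryptography.ProtectedData]::Protect(
    $plainKey, $entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)

New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
[System.IO.File]::WriteAllBytes($KeyFile, $protected)

# Lock the file down: stop inheritance, drop any explicit ACEs, then grant only
# SYSTEM (the service identity) and Administrators.
$acl = Get-Acl -Path $KeyFile
$acl.SetAccessRuleProtection($true, $false)   # protect ACL; discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyFile -AclObject $acl

# Read-back, which is what the service does at start-up.
$blob = [System.IO.File]::ReadAllBytes($KeyFile)
$recovered = [System.Security.Cryptography.ProtectedData]::Unprotect(
    $blob, $entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)

if ([System.Text.Encoding]::UTF8.GetString($recovered) -ne
    [System.Text.Encoding]::UTF8.GetString($plainKey)) {
    throw 'DPAPI round-trip failed'
}
Write-Host "Key stored at $KeyFile and recovered successfully"
```

Run this elevated (the ACL step needs ownership or admin rights on the file). A blob protected with CurrentUser scope instead would be bound to the Local System account's DPAPI master key, which is only usable from that account, so if the service identity ever changes the blob must be re-protected; LocalMachine scope avoids that at the cost the answer points out, which is why the ACL and the entropy value carry the remaining access control.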