Hi,

CryptProtectData and its companion API, are good as they encrypt and store the encrypted data on a local machine, but it comes with few cons, the ability to decrypt from within the system, by either an application running with same user, or any an application running on any user, all you need is to extract the entropy from the application.
USB and TPM also not that viable for portability.
Better the above is using the LDAP, but again this has its own cons.

I solved this in two ways over the years and hope you finds them useful:

1) My data bank server will load (grab) the key from another different location over the wire (internet or local network), the connection is secure, also that server is a windows service, that detect any login for Windows user and delete the key from the memory, meaning stop the server operation until no more user are logged on the system, then grab the key again, in fact i use it a little differently, the server on detecting a connection it does encrypt all the high value and critical data in memory to make sure, then proceed to march them to the controller, if failed to march them then it will dump them encrypted on the disk with a already supplied key from the controller and will not be able to decrypt them without an admin interaction on the controller side.

2) For easier deploy also when many instances will be used, I use WinLicense https://www.oreans.com/WinLicense.php https://www.oreans.com/help/wl/
It has its own highly protected storage that support custom data in the licensing key https://www.oreans.com/help/wl/hm_cu...-in-licens.htm
It also can lock the license key to a hardware and this will make things way easier by deploying and then apply licenses that have hidden encryption keys.