I have an application where, ideally, users will sign in using AD. I also need to store an encryption key for each user which should be encrypted before it's stored.
Is there any mechanism which AD, Kerberos or any of the social SSOs provide which could give me a secret based on my authentication/authorization which I could use to encrypt a key?
Alternatively, is there any API similar to DPAPI but which would work reliably across devices?
Finally, would it be considered bad practice to store an encryption key, unencrypted, in AD? It looks to me like BitLocker is effectively doing this.
Best I can find so far is to use something like HashiCorp Vault which allows keys to be stored against AD users and encrypts based, ultimately, on a memory-resident key.
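The pattern the last paragraph describes (per-user keys kept only in wrapped form, with the wrapping key resident in memory) in code, as an added illustration rather than code from the question, from Vault, or from any AD/Kerberos API. It uses AES-256-GCM from Go's standard library; the `KeyStore` type, the in-memory `kek`, the `corp.example` user principals and the idea of binding the principal in as associated data are all assumptions of this example, not something the question or any named product specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical envelope-encryption store: a wrapping key (KEK)
// that lives only in process memory, and per-user data keys that are kept
// only in wrapped (AES-GCM encrypted) form, as they would sit in a directory
// attribute or database row.
type KeyStore struct {
	kek     []byte            // 32-byte AES-256 key, never persisted
	wrapped map[string][]byte // user principal -> nonce || ciphertext
}

// NewKeyStore generates a fresh random KEK for this process.
func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek, wrapped: make(map[string][]byte)}, nil
}

func (s *KeyStore) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts a user's key under the KEK. The user principal is passed as
// associated data, so a wrapped blob copied onto another user's record fails
// to unwrap instead of silently yielding the first user's key.
func (s *KeyStore) Wrap(user string, userKey []byte) error {
	aead, err := s.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, userKey, []byte(user))
	s.wrapped[user] = append(nonce, ct...)
	return nil
}

// Unwrap recovers a user's key; it only succeeds with the same KEK and the
// same user principal the blob was wrapped for.
func (s *KeyStore) Unwrap(user string) ([]byte, error) {
	blob, ok := s.wrapped[user]
	if !ok {
		return nil, errors.New("no key stored for user")
	}
	aead, err := s.gcm()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(user))
}

// Stored returns the blob exactly as it would be persisted (nonce || ciphertext).
func (s *KeyStore) Stored(user string) []byte { return s.wrapped[user] }

func main() {
	s, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a 32-byte per-user key for a made-up principal.
	userKey := []byte("0123456789abcdef0123456789abcdef")
	if err := s.Wrap("alice@corp.example", userKey); err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", s.Stored("alice@corp.example"))
	got, err := s.Unwrap("alice@corp.example")
	fmt.Printf("unwrapped ok: %v, err: %v\n", string(got) == string(userKey), err)
}
```

The point the example makes about the question's last concern: what goes into AD (or any store) is the wrapped blob, which is useless without the in-memory KEK, so the trust boundary moves from the directory to whichever process holds that KEK and to how it is unsealed after a restart.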