DPAPI is great for protecting sensitive information! Unfortunately, the DPAPI "optional entropy" is basically another piece of sensitive information that must be protected. Ironic.
What are some possible (sneaky) sources of "entropy" I could use that would be difficult to guess? Or alternatively, how could I protect the entropy? Steganography maybe?
FYI: I am not completely relying on the entropy itself. I will have other obstacles and layers of encryption. I just want to put up another obstacle.
Additional FYI: This is just a personal project that I am protecting out of paranoia as well as curiosity.
You can use RMS (Windows Rights Management Services) which is what DRM security schemes use for very similar purposes (they keep the key, which is entropy in your case, hidden from the user but on user's account and computer). RMS again relies on DPAPI but through a system that Microsoft calls lockbox.