by plonk 746 days ago
Doesn’t Windows already have a data store that’s encrypted with a key that doesn’t exist in RAM unless you’re logged on? And some kind of isolation of sensitive processes in a VM?

Malware can probably read most of the user’s data in RAM, but if OS components keep getting more isolated from each other, maybe that can be secure enough.

1 comments

The Data Protection API makes this quite easy from a programming standpoint (it also makes relocating keys to another machine hard, but in this case this should count as another upside): https://en.wikipedia.org/wiki/Data_Protection_API
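
The DPAPI round trip the reply above refers to, as an added example that is not part of the thread. It assumes Windows PowerShell 5.1 and the .NET `ProtectedData` class; the helper names `Protect-Secret` and `Unprotect-Secret` and all sample values are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Security

# Hypothetical helper: encrypt a string with DPAPI for the current user.
function Protect-Secret {
    param(
        [Parameter(Mandatory)] [string] $PlainText,
        [byte[]] $Entropy = $null
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
        $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $scope)
        [Convert]::ToBase64String($blob)            # safe to write to disk or registry
    } finally {
        [Array]::Clear($bytes, 0, $bytes.Length)    # drop the plaintext copy
    }
}

# Hypothetical helper: decrypt a blob produced by Protect-Secret.
function Unprotect-Secret {
    param(
        [Parameter(Mandatory)] [string] $Blob,
        [byte[]] $Entropy = $null
    )
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $raw   = [Convert]::FromBase64String($Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($raw, $Entropy, $scope)
    try { [System.Text.Encoding]::UTF8.GetString($bytes) }
    finally { [Array]::Clear($bytes, 0, $bytes.Length) }
}

# Constructed sample values.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')
$blob    = Protect-Secret -PlainText 'constructed-api-token' -Entropy $entropy

# Same user, same entropy: the original string comes back.
Unprotect-Secret -Blob $blob -Entropy $entropy

# Same user, different entropy: DPAPI refuses to decrypt.
try {
    Unprotect-Secret -Blob $blob -Entropy ([byte[]](1, 2, 3)) | Out-Null
} catch {
    "Unprotect failed: $($_.Exception.Message)"
}
```

With `CurrentUser` scope, any process running as the same user can call `Unprotect` on the blob, so the optional entropy separates applications from each other only as long as it stays secret; it is not an isolation boundary against code already running in that user's session.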