
And how exactly would that work? You would need to decrypt it to use it - but then you need to store the decryption key in memory.

Gaining you exactly nothing.



Here is a concrete implementation: SecureString in .NET http://msdn.microsoft.com/en-us/library/system.security.secu...

It's using DPAPI, which derives the encryption key from the user password.


You could store the decryption key on the disk, only loading it when needed, and possibly byte-by-byte. This is all hackable, especially when such techniques are used mainstream, but it increases the amount of work needed to hack something. In the end it's the OS's responsibility of course.


What's the point of that? If you are going to do that, just store the original key that way.

Not that it helps in any way at all.


The .NET framework has a SecureString class which does this. It mitigates the risk of sensitive information being discovered through running 'strings' on memory dumps and the like. It's meant to prevent trivial recovery, not stop an attacker with sufficient time and skill.
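An added illustration of the trade-off argued in this thread (not part of any comment above, and not .NET's SecureString code): a `strings`-style scan over a constructed memory dump finds a plaintext secret but not a masked one, while anyone who knows where the key sits in the same dump can still undo the mask. The XOR mask is a stand-in for real encryption such as DPAPI; the secret, key and memory layout are all constructed for the example.

```python
import hashlib
import re

SECRET = b"hunter2-constructed-password"  # constructed sample secret
# Constructed fixed key; stands in for whatever key the runtime holds in memory.
KEY = hashlib.sha256(b"constructed demo key").digest()[:len(SECRET)]
FILLER = bytes([0x00, 0xFF, 0x01, 0x80]) * 16  # non-printable padding


def printable_strings(dump, min_len=6):
    """Return runs of printable ASCII, as the `strings` utility would."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, dump)


def xor_mask(data, key):
    """Toy reversible mask (assumption: stand-in for real encryption)."""
    return bytes(b ^ k for b, k in zip(data, key))


def build_dump(protect):
    """Constructed 'process memory': the secret, then the key, in filler."""
    stored = xor_mask(SECRET, KEY) if protect else SECRET
    return FILLER + stored + FILLER + KEY + FILLER


def secret_visible(dump):
    """True if a trivial strings scan surfaces the secret."""
    return any(SECRET in s for s in printable_strings(dump))


def recover(dump):
    """With the layout known, the key in the same dump undoes the mask."""
    start = len(FILLER)
    stored = dump[start:start + len(SECRET)]
    key_at = start + len(SECRET) + len(FILLER)
    return xor_mask(stored, dump[key_at:key_at + len(SECRET)])


if __name__ == "__main__":
    print("plaintext found by strings:", secret_visible(build_dump(False)))
    print("masked found by strings:   ", secret_visible(build_dump(True)))
    print("masked recovered with key: ", recover(build_dump(True)) == SECRET)
```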



