Do credential stores have added value for API key protection on unsupervised system? If so, how?
I have recently been thinking deeply about the most secure ways to store credentials (like API keys) for use by unsupervised programs running on unsupervised servers. I have such systems and would like to absolutely minimize the impact/cost of any breach of them. In this context I want to make it as hard as possible to compromise any credential after an attacker gains access to the program's account. The only given is that the hard drives of the systems are encrypted and that no hardware-based authentication mechanism (not requiring the storage of any credential in any form on disk) is available. My question is whether credential stores add a meaningful layer of security over storing the credentials in plain files or environment variables only accessible by the service account.
I already found relevant questions on this site like How to securely store API keys and Storing API keys & secrets on servers. They confirm my suspicion that it seems (practically) impossible to avoid credential compromise upon account compromise. But they do not answer my core question.
The credential stores I am asking about are systems like Windows Credential Manager, macOS Keychain and GNOME Keyring. Do these systems actually provide any additional protection when accounts are compromised? If we take the example of Windows Credential Manager: while the credentials are stored in an encrypted form, any program running under a given account seems to just be able to read any password stored inside of this store if I understand correctly (please correct me if I am wrong!). Comparing now to a credential stored in a random file accessible by the same account, there does not seem to be any benefit, as an attacker with access to the account could use a trivial program to extract credentials in plaintext from the credential store. Questions like Where to store secrets in .NET applications that have been posted here give no contraindication of this. It seems to me like these stores can best be compared to password managers like KeePass, trading in some security for some convenience.
If these credential managers don't put up any extra barriers when service accounts are compromised, what are they actually for? And if they do, how do they do it?
Thanks in advance for your insights!
