DPAPI + Entropy

We have a WPF application that allows our users to download encrypted content, and we want to provide the ability to decrypt this content offline. The idea is to download the keys and save them using DPAPI, but I am having problems with the entropy parameter.

Is there a way to generate entropy for sequential use with the DPAPI functions without hard-coding / storing it?

Thank you, Tony


From Safely Preserving Additional Entropy Using DPAPI

Everything that you store locally can be compromised. But there are steps you can take to complicate the situation. There is a document on Password Processing that you can consider. Consider your Entropy a key for your application.

I will refer to your Entropy as your Key, as this is a functionally additional key.

What you do not want to do is save your key locally in an unencrypted format. Instead, you want to either encrypt your key or get it from another, obvious source. Of course, if you encrypt the key, then you need to save the key used to encrypt it, but often this single level of indirection is enough to discourage most opponents.

That would be an advantage in getting your key. You could get it as a hash of some other piece of persistent data (this should be something that doesn't change with your application changes). One trick when deriving a hash is to combine the hash with some other constant value (like a GUID or a large random number) so that someone else cannot just combine the known hash algorithm and get your key. This is a much better alternative to creating your own hashing algorithm (which you should never do if you don't have a PhD in math).

At some point, you will need some kind of key, hard-coded in your application. This key is either combined with some other data in the hash to create your Entropy Key, or used to decrypt the entropy key. In fact, you may have a key change with the new version of your application if you store the old key to decrypt the existing key. You can then re-encrypt it with a new key or method.

If you need better security, you can save the Entropy key from your computer. This will require an Internet connection and an SSL certificate, but after that the key is never saved in local mode. To do this, you can configure a more reliable system for responding to a request so that the authentication of the request is different each time, and the key is delivered via SSL encryption, so it cannot be intercepted. Once the key is used, it is discarded. Of course, this view hits the target of many scenarios in which you use DPAPI for local secure storage.

No matter what you do, keep in mind that this will be compromised - this always happens when someone has full access to the local computer and the data stored on it. The solution is to continue to release updates that change the method enough so that the old crack no longer works. This will make the crack distribution less valuable, as it will be difficult to find it for the correct version.


Sometimes your use provides a convenient entropy value. For example, if you want to encrypt a website password (as browsers do), your entropy value may be the website URL.

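As an added example (not code from the question or from either answer) of the approach both answers describe: the DPAPI entropy is derived on each run from a stable context string (the current user's SID here, or a website URL as the second answer suggests) keyed with a hard-coded application constant, so nothing but the protected blob is ever written to disk. The GUID value, the `EntropyStore` class and the choice of the SID as context are assumptions; the code requires Windows and the `ProtectedData` API (`System.Security` on .NET Framework, or the `System.Security.Cryptography.ProtectedData` package on .NET Core / .NET 5+).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example; not code from the question or the answers.
static class EntropyStore
{
    // Hypothetical application constant baked into the build. It keys the
    // derivation so that hashing known data with a known algorithm is not,
    // by itself, enough to reproduce the entropy.
    private static readonly byte[] AppSecret =
        new Guid("0f3b1d8c-5c6a-4b0e-9d2e-7a1f2c3d4e5f").ToByteArray();

    // Derive DPAPI "additional entropy" as HMAC-SHA256(AppSecret, context).
    // The context must be stable across application versions (user SID,
    // website URL, ...) or previously protected blobs become unreadable.
    public static byte[] DeriveEntropy(string context)
    {
        using (var hmac = new HMACSHA256(AppSecret))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(context));
    }

    // Protect a content key for the current Windows user with derived entropy.
    public static byte[] ProtectKey(byte[] contentKey, string context) =>
        ProtectedData.Protect(contentKey, DeriveEntropy(context), DataProtectionScope.CurrentUser);

    // Recover the content key; fails with CryptographicException if the
    // entropy (i.e. the context) differs from the one used to protect it.
    public static byte[] UnprotectKey(byte[] blob, string context) =>
        ProtectedData.Unprotect(blob, DeriveEntropy(context), DataProtectionScope.CurrentUser);
}

class Program
{
    static void Main()
    {
        // Constructed sample: a 32-byte content key as downloaded from the server.
        byte[] contentKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(contentKey);

        // Stable per-user context that does not change when the app is updated.
        string context = WindowsIdentity.GetCurrent().User.Value;

        // blob is the only thing persisted to disk; contentKey itself is not.
        byte[] blob = EntropyStore.ProtectKey(contentKey, context);

        byte[] recovered = EntropyStore.UnprotectKey(blob, context);
        Console.WriteLine(recovered.SequenceEqual(contentKey) ? "round-trip OK" : "mismatch");

        // A different context yields different entropy, so the same user cannot
        // unprotect the blob with it: the entropy acts as a second factor.
        try
        {
            EntropyStore.UnprotectKey(blob, "https://example.com/some-other-context");
            Console.WriteLine("unexpected: decrypted with wrong entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("wrong entropy rejected as expected");
        }

        // Clear plaintext key material once it is no longer needed.
        Array.Clear(contentKey, 0, contentKey.Length);
        Array.Clear(recovered, 0, recovered.Length);
    }
}
```

Because the entropy is recomputed from a constant in the binary plus data readable on the machine, this raises the bar (an attacker must also extract the constant and reproduce the derivation) without making local storage unbreakable, which is the caveat the first answer ends on. If the derivation or the constant changes in a new release, keep the old derivation around long enough to unprotect existing blobs and re-protect them with the new one.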

Source: https://habr.com/ru/post/1303695/
