During my daily commute, I reprocessed my initial requirements and I realized I didn't consider a primary feature. My application will work as a temporary credential store. Exchange with the third-party application is expensive (time) and may not be functional at all times. My intention is to store encrypted credentials for as long as needed (considering low cost sync time and availability) but that could be more than just a few. I have no control on how the third party will take the credentials so I will have to be able to decrypt them. Again, security is something I will take on but the same question remains. Considering I have 20 non-synchronized (encrypted) credentials, Using a on-startup-keyphrase may not be an ideal approach as a keyphrase recovery will invalidate the non-synchronized credentials. Using an external key management solution (whichever approach) can be considered. My target audience might expect some flexibility in how keyphrases are managed so I'll have to look at different approaches.

Thanks for the feedback!!