I'm thinking of securing this key using EFS. Log on as the service account, encrypt the key, and then log off. This way no one can copy off the key, as it's encrypted. They could back it up, but when they restore it they will not have the encryption key, so they will not be able to unencrypt it. In an emergency the key can be restored using the key escrow account.
Has anyone tried this?
https://clan8blog.wordpress.com/