In case it gives you ideas for improving your security, I'll make some general comments on key management, based on my limited experience in this domain. Ideas, corrections, and feedback welcome.

Companies with high security needs and big budgets tend to employ Key Management Servers (KMS) and/or Hardware Security Modules (HSMs) to protect their keys. I have some experience with writing (C++) client code that uses a KMS. I have no first-hand experience with HSMs.

The overall strategy is to setup a dedicated and separate physical machine - a Key Management Server - to manage and protect all keys in your system. The KMS is configured to talk to trusted clients only. KMS's can be expensive - and physically isolated if required. Clients of the KMS must supply a set of credentials (e.g. a certificate issued by the KMS vendor).

• All keys are stored in the KMS.
• Keys are never stored in client code; they are always fetched from the KMS.
• Each key has a name and an identifier (id).
• Client code gets by id when decrypting; gets by name when encrypting. Doing that enables you to rotate the keys on the KMS at any time, and as often as you wish, without affecting client code. Getting by name gets the latest key; getting by id gets the original key (for decryption), even after a key has been rotated on the KMS.
• Keys are rotated regularly on the KMS - immediately if a key is known to be compromised.

References

• KMIP (Key Management Interoperability Protocol)
• Key Management Cheat Sheet (owasp)
• Hardware Security Module