Your solution of encrypting the credentials and storing the key in Windows Environment Variables can work, but it has some limitations in terms of flexibility and scalability. Given your client's need for security and configurability, a tool like HashiCorp Vault might be a better fit.