One good practice involve storing the key encrypted under a symmetric authenticated cipher like AES-256-GCM, with a key derived using Argon2 or scrypt from a user-entered passphrase and random salt stored along the cryptogram. PBKDF2 used to be common instead of Argon2 or scrypt, but is no longer considered best practice.
Argon2 is the state of the art, scrypt might still be more commonly available. There is not one definitive best practice, in particular some prefer something standard over something maximally secure, some add pepper on top of salt. Update: and increasingly, two-factor authentication becomes best practice.
If you define something passphrase/password-based, I recommend Argon2id with carefully thought parameters: something that works comfortably on all target platforms, yet provides a serious obstacle to brute-force password search.
Is Argon2 a NIST standard or anything ?
Argon2 was the winner of the password hashing competition. That was not organized by NIST. Argon2 is not NIST-approved, but is cited by NIST here (along Balloon, that I also like; but it seems to have lost momentum after realization that it's claimed advantage over Argon2 is not clear-cut):
- Q-B17: SP 800-63B Section 5.1.1.2, Memorized Secret Verifiers, says that a memory-hard password derivation SHOULD be used. PBKDF2, which is extensively used, is not memory-hard. What are examples of memory-hard functions that meet this requirement?
- A-B17: The text recommends, but does not require, the use of a memory-hard function for password derivation.
NIST considers the security of the hash (one-way) function used in key derivation to be of primary importance, and therefore requires the use of an approved (thoroughly vetted) one-way function in key derivation. BALLOON is a memory-hard and time-hard algorithm that allows the use of an approved underlying one-way function, but unfortunately it has not been widely deployed. Other algorithms such as ARGON2 are memory- and time-hard, but do not use an underlying one-way function that has been thoroughly analyzed.
While PBKDF2 is time-hard but not memory-hard, it is so widely deployed that it is not practical (at this time, anyway) to introduce a requirement for a memory-hard key derivation function, so we have presented this as a recommendation (i.e. “SHOULD”).
The key derivation function is considered less critical than the one-way function that underlies it, so the specification is less prescriptive in this area and does not specify particular algorithms for key derivation.
NIST thus does not yet disavows it's former official recommendation of PBKDF2-HMAC-SHA-1. That's even though it offers little protection in an era where well-funded attackers can use ASICs, or at least FPGAs or GPUs, for password search. It's not clear that this technically untenable position is malicious; that's contrary to NIST's former position about Dual_EC_DRBG, which was clearly intended to promote crypto US intelligence could break.
