I recently had to implement a solution where RSA keys used to sign WCF messages were stored externally (not in the Windows Certificate Store). Keys stored externally were not supposed to be extractable or exportable by any means from the security database...