I need to store sensitive information (a symmetric encryption key that I want to keep private) in my C++ application. The simple approach is to do this:
std::string myKey = "mysupersupersecretpasswordthatyouwillneverguess";
Basically, anyone with access to your program and a debugger can and will find the key in the application if they want to.
But, if you just want to make sure the key doesn't show up when running
strings on your binary, you could for instance make sure that the key is not within the printable range.
Obscuring key with XOR
For instance, you could use XOR to split the key into two byte arrays:
key = key1 XOR key2
If you create key1 with the same byte-length as
key you can use (completely) random byte values and then compute
key1[n] = crypto_grade_random_number(0..255) key2[n] = key[n] XOR key1[n]
You can do this in your build environment, and then only store
key2 in your application.
Protecting your binary
Another approach is to use a tool to protect your binary. For instance, there are several security tools that can make sure your binary is obfuscated and starts a virtual machine that it runs on. This makes it hard(er) to debug, and is also the convential way many commercial grade secure applications (also, alas, malware) is protected.
One of the premier tools is Themida, which does an awesome job of protecting your binaries. It is often used by well known programs, such as Spotify, to protect against reverse engineering. It has features to prevent debugging in programs such as OllyDbg and Ida Pro.
There is also a larger list, maybe somewhat outdated, of tools to protect your binary.
Some of them are free.
Someone here discussed hashing password+salt.
If you need to store the key to match it against some kind of user submitted password, you should use a one-way hashing function, preferrably by combining username, password and a salt. The problem with this, though, is that your application has to know the salt to be able to do the one-way and compare the resulting hashes. So therefore you still need to store the salt somewhere in your application. But, as @Edward points out in the comments below, this will effectively protect against a dictionary attack using, e.g, rainbow tables.
Finally, you can use a combination of all the techniques above.