There’s no additional security risk if the IV and salt are known. IV’s are safe to store in the clear, and salts are to help prevent precomputation and rainbow tables.

So you’re really just talking about the key. There’s a couple solutions, each with it’s own tradeoffs. In your question, you only mention you need to encrypt data on the client. Does the client not need to decrypt?

• If this is a Windows client, you can use the Data Protection API to protect the key under the users credentials.

• Protect the key with a passphrase. If you don’t mind entering a passphrase each time the client needs the key, this can offer reasonable protection, and it’s supported in most cryptosystems like OpenPGP.

• If the client only needs to encrypt, you can use a hybrid approach with public keys (like OpenPGP). In this case, you only store the public key on the client, and the private key somewhere safe. When you encrypt data, you’ll generate a random symmetric key, and encrypt that under the client’s public key. Now if someone compromises the machine, they won’t be able to decrypt any of the session keys.

• Use specialized hardware like a hardware security module or smart card. This is the most expensive route, but depending on your threat model might be viable.