
But still you need to have whatever you use as input into the KDF accessible. Encrypting passwords that you still need to be able to send somewhere without additional user interaction simply does not have any security benefit. Full-device encryption does work; building a separate encrypted credential store is mostly useless security by obscurity.



You can have an encrypted keystore which is opened by entering a password and using that derived key to decrypt the keystore. Firefox uses this with their "master password". You can cache the decrypted key according to some policy which doesn't necessarily result in it getting written to disk.

Also, down votes? Really?
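
The password-opened keystore with a cached key that the comment above describes, as an added example that is not part of the thread and not Firefox's code. The choice of scrypt and AES-256-GCM, the TTL cache policy, and every name in it (`createKeystore`, `UnlockedSession`, the sample secret) are assumptions made for illustration.

```javascript
// Added example, not code from the thread or from Firefox. scrypt + AES-256-GCM
// and all names here are assumptions chosen for illustration.
const crypto = require("crypto");

const deriveKey = (password, salt) =>
  crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });

// Returns the record that is written to disk: no key, no plaintext.
function createKeystore(password, secrets) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const key = deriveKey(password, salt);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(secrets), "utf8"), c.final()]);
  key.fill(0);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

function decrypt(store, key) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, store.iv);
  d.setAuthTag(store.tag);
  return JSON.parse(Buffer.concat([d.update(store.ct), d.final()]).toString("utf8"));
}

// Holds the derived key in memory only and drops it after ttlMs (the cache policy).
class UnlockedSession {
  constructor(store, ttlMs, now = Date.now) {
    Object.assign(this, { store, ttlMs, now, key: null, expires: 0 });
  }
  unlock(password) {
    const key = deriveKey(password, this.store.salt);
    try { decrypt(this.store, key); }            // wrong password fails the GCM tag check
    catch (e) { key.fill(0); throw new Error("bad password"); }
    this.key = key;
    this.expires = this.now() + this.ttlMs;
  }
  lock() { if (this.key) this.key.fill(0); this.key = null; }
  get(name) {
    if (this.key && this.now() >= this.expires) this.lock();
    if (!this.key) throw new Error("locked");
    return decrypt(this.store, this.key)[name];
  }
}

// Constructed sample: one secret, unlocked for five minutes.
const demo = new UnlockedSession(createKeystore("pw-example", { smtp: "constructed-secret" }), 300000);
demo.unlock("pw-example");
console.log(demo.get("smtp"));
demo.lock();
```

While a session is unlocked the derived key sits in process memory, so this scheme protects the stored file, not a running process that already holds the key.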



