OMG, so confusing! Just in case I can help, I'll give you the system I used until I got a trezor. I use 7zip and keepass2.
1. First time I open my wallet, I encrypt it, so there never is a time when the wallet.dat exists without encryption.
2. I store the encryption password on my already set up keepass2 (in fact, have keepass2 create the password for you!). Make sure you save after making the entry in keepass2.
3. Now make a folder, give it a name (I put in the date) and insert your keepass.kdbp (the database) and your wallet.dat file in it.
4. Next use 7zip to zip up the folder with encryption, giving it a password you know well and will remember. Perhaps the same one you use for keepass.
Now you have a double encrypted (actually that means the weakest link is all that is needed, but you gotta weigh security vs danger of losing it all).
Don't keep your .key file with the database file in keepass, because it should be kept separate to act as a 2fa.
Back all this up on at least a few jump drives in case one or two break.
If you get a trezor, the "weak link" but most important thing you MUST keep from losing is the 24 word code you get when you first start it. You can retrieve the account, using a deterministic wallet or another trezor if something happens to your trezor!
There are many ways to skin a cat, but here is one that will work here and now.
Finally, you can delete the wallet.dat in the dashcore folder, and empty the trash.
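
A check to run between the "back it up on a few jump drives" step and the final delete, added here as an example and not part of the original post: it hashes the encrypted archive and every copy, and only reports it safe to delete the original when enough copies match. The file names and the `min_good=2` threshold are assumptions chosen for illustration.

```python
import hashlib
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a large archive never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_copies(original, copies):
    """Return {copy_path: 'ok' | 'mismatch' | 'unreadable'} for each backup copy."""
    want = sha256_file(original)
    status = {}
    for copy in copies:
        try:
            status[str(copy)] = "ok" if sha256_file(copy) == want else "mismatch"
        except OSError:
            # Drive unplugged, file missing, or a read error on a failing stick.
            status[str(copy)] = "unreadable"
    return status

def safe_to_delete(status, min_good=2):
    """True only when at least min_good copies hash identically to the original.
    min_good=2 is an assumed threshold, not a figure from the post."""
    return sum(1 for s in status.values() if s == "ok") >= min_good

if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins: one "archive" and three "jump drives" in a temp dir.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        archive = root / "backup.7z"
        archive.write_bytes(b"constructed sample archive bytes")
        good = root / "drive_a.7z"
        good.write_bytes(archive.read_bytes())
        bad = root / "drive_b.7z"
        bad.write_bytes(b"constructed sample archive byteX")  # one byte differs
        missing = root / "drive_c.7z"  # never written: simulates a dead drive
        result = check_copies(archive, [good, bad, missing])
        for path, state in result.items():
            print(f"{state:10} {path}")
        print("safe to delete original:", safe_to_delete(result))
```

A matching hash only shows the copy is byte-identical to the archive; it does not show the archive itself opens, so a test extraction with the archive password is a separate check.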