One possibility is to allow (require via policy?) users to encrypt data to a single central escrow key (that you store offline) in addition to any other keys they use. Then if recovery is required, the escrow key can be used to decrypt the data.

This sounds quite a bit like the Additional Decryption Key (ADK)
feature of PGP. It's worth noting that (a) PGP's ADK feature is not
quite what people want to believe it is, and (b) it is covered by a
software patent held by PGP Corporation. If someone's interested in
pursuing this route, it would be a good idea to speak to a good patent
lawyer.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
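The escrow-recipient idea from the first message, worked through with stock GnuPG as an added example (this script is written for this page; it is not from the thread, from PGP's ADK implementation, or from the GnuPG project). It assumes GnuPG 2.1 or later is on PATH as `gpg`; the user names, e-mail addresses, directories and the sample file are constructed for the demo. The users' keyring only ever holds the escrow *public* key; the escrow secret key lives in its own separate, "offline" home directory, which is where recovery is performed. The `encrypt-to` option in `gpg.conf` is the closest stock GnuPG equivalent to an always-on extra recipient.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a central escrow key
# as an additional recipient, with recovery from the offline escrow keyring.
# Assumes GnuPG 2.1+ ("gpg") on PATH. Names, addresses and paths are
# constructed for the demo.

ALICE_MAIL=alice@example.test     # constructed sample user
ESCROW_MAIL=escrow@example.test   # constructed escrow identity

# Generate an unprotected ed25519/cv25519 key pair in HOMEDIR.
# Demo only: a real escrow key would be passphrase-protected and kept offline.
gen_key() {  # gen_key HOMEDIR NAME EMAIL
  cat >"$1/params" <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
  gpg --homedir "$1" --batch --quiet --gen-key "$1/params" 2>/dev/null
}

key_fpr() {  # key_fpr HOMEDIR EMAIL -> prints the primary key fingerprint
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Three keyrings: USERS (alice + escrow public key), ESCROW (offline secret
# key) and EMPTY (no keys at all, used to show a non-recipient gets nothing).
escrow_setup() {
  WORK=$(mktemp -d) || return 1
  USERS=$WORK/users; ESCROW=$WORK/escrow; EMPTY=$WORK/empty
  mkdir -m 700 "$USERS" "$ESCROW" "$EMPTY" || return 1
  gen_key "$USERS" alice "$ALICE_MAIL" || return 1
  gen_key "$ESCROW" escrow "$ESCROW_MAIL" || return 1
  ESCROW_FPR=$(key_fpr "$ESCROW" "$ESCROW_MAIL")
  # Only the escrow PUBLIC key is exported into the users' keyring.
  gpg --homedir "$ESCROW" --batch --export "$ESCROW_FPR" |
    gpg --homedir "$USERS" --batch --quiet --import 2>/dev/null || return 1
  # The "policy": every encryption from this keyring also goes to the escrow
  # key. This is a default, not an enforcement; --no-encrypt-to overrides it.
  printf 'encrypt-to %s\ntrust-model always\n' "$ESCROW_FPR" >"$USERS/gpg.conf"
}

escrow_encrypt() {  # escrow_encrypt PLAINTEXT CIPHERTEXT RECIPIENT_EMAIL
  gpg --homedir "$USERS" --batch --yes --quiet -r "$3" -o "$2" -e "$1" 2>/dev/null
}

try_decrypt() {  # try_decrypt HOMEDIR CIPHERTEXT OUTFILE ; exit 0 on success
  gpg --homedir "$1" --batch --yes --quiet -o "$3" -d "$2" 2>/dev/null
}

count_recipients() {  # count_recipients CIPHERTEXT -> number of PKESK packets
  gpg --homedir "$EMPTY" --batch --list-packets "$1" 2>/dev/null |
    grep -c '^:pubkey enc packet:'
}

# Full round trip: encrypt for alice, confirm the escrow key was added as a
# second recipient, then show who can and cannot recover the plaintext.
escrow_demo() {
  escrow_setup || return 1
  PLAIN=$WORK/report.txt; CT=$WORK/report.txt.gpg; RECOVERED=$WORK/recovered.txt
  printf 'quarterly numbers (constructed sample)\n' >"$PLAIN"
  escrow_encrypt "$PLAIN" "$CT" "$ALICE_MAIL" || return 1
  [ "$(count_recipients "$CT")" -eq 2 ] || return 1          # alice + escrow
  try_decrypt "$USERS"  "$CT" "$WORK/by_alice.txt"  || return 1  # owner reads it
  try_decrypt "$EMPTY"  "$CT" "$WORK/by_nobody.txt" && return 1  # no key, no data
  try_decrypt "$ESCROW" "$CT" "$RECOVERED"          || return 1  # recovery path
  cmp -s "$PLAIN" "$RECOVERED"
}

escrow_cleanup() {
  for h in "$USERS" "$ESCROW" "$EMPTY"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}

if command -v gpg >/dev/null 2>&1; then
  if escrow_demo; then echo "escrow recovery OK: $RECOVERED"; else echo "demo failed"; fi
  escrow_cleanup
fi
```

Two caveats follow directly from the script. First, `encrypt-to` in the users' `gpg.conf` is a default that the user controls, so "require via policy" has to be enforced somewhere other than the client configuration (for instance by rejecting stored ciphertexts whose packet list, as `count_recipients` shows, does not include the escrow key). Second, the escrow secret key can read everything ever encrypted under this policy, which is why it is generated and used only in its own offline home directory here.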