RE: IT Department having the secure key.

2009-07-27 Thread Jim Hendrick
Although it is controversial, look into key escrow. One possibility is to allow (require via policy?) users to encrypt data to a single central escrow key (that you store offline) in addition to any other keys they use. Then if recovery is required, the escrow key can be used to decrypt the data.

RE: cloudy understanding of asymmetric cryptography

2009-03-26 Thread Jim Hendrick
Yup - you got it. Symmetric encryption is *way* faster (that's a technical term :-) than asymmetric. Hence the slower version is used to exchange a random key that is then used to handle the encryption/decryption of the data. Algorithms are implementation dependent but it is common to use 3DES for

RE: storing password lists in mails to myself on IMAP?

2007-02-13 Thread Jim Hendrick
What you are doing works. But take a look at Password Safe (Bruce Schneier & Counterpane Labs). Also Password Gorilla (compatible w/ Password Safe). If you are truly paranoid, you could encrypt and email the safe back and forth w/ gpg, or carry it on a USB stick.