How to prevent a user from using a private key after leaving the organization?

In the enterprise environment, each user was issued a key pair for encrypting/signing. Since they have the private key, that means they can decrypt any file that was encrypted for them, even after leaving the organization and having their certificate revoked.

I want to ask if there is any way to prevent them from using their private key to access files of the organization (that were encrypted for all employees before they retired)?
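The situation the question describes, as an added example (not code from the post or from any product): a certificate that the CA lists on a CRL is distrusted by every verifier that checks the CRL, yet the private key the ex-employee retained still decrypts anything that was encrypted to it earlier. It uses only Go's standard library; the CA, the employee "alice" and the document are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; any setup failure aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IsRevoked is the relying party's check: the CRL must be signed by the CA and list the serial.
func IsRevoked(crlDER []byte, cert, ca *x509.Certificate) bool {
	crl := must(x509.ParseRevocationList(crlDER))
	must(0, crl.CheckSignatureFrom(ca))
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// Demo: a file is encrypted to alice while employed, she leaves and the CA revokes her cert; returns what the CRL says and what her retained key still decrypts.
func Demo() (revoked bool, plaintext string) {
	now, caKey, aliceKey := time.Now(), must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	aliceTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment}
	alice := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, aliceTmpl, ca, &aliceKey.PublicKey, caKey))))
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &aliceKey.PublicKey, []byte("Q3 plan"), nil)) // constructed sample document
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: alice.SerialNumber, RevocationTime: now}}}, ca, caKey))
	// Revocation only tells verifiers to distrust the certificate; the private key itself is unchanged.
	pt := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, aliceKey, ct, nil))
	return IsRevoked(crlDER, alice, ca), string(pt)
}
```

Demo returns true together with the original plaintext: revocation protects signature verification and future encryptions, not data already encrypted to a key the user still holds, which is why the answers below focus on key custody and on limiting copying.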


Solution 1:

You can give employees usb tokens/smartcards.

You store the key on the card and it will never leave the token. When someone leaves the organization you can get the token back as company property.

Solution 2:

Once a person can read a document, he or she can copy it. It's impossible to solve this problem (as the MPAA and RIAA showed by blowing huge amounts of cash at the problem).

To control the information and limit what people can do with it you need to have a closed system:

  • no Internet access (network separated by air-gap)
  • no ability to copy data to USB drives or CDs, DVDs and floppies (all stations should use PS/2 peripherals with USB disabled)
  • mail only internal
  • network level authentication of machines before a user is even asked for a password/token
  • no wireless access

and all this just makes copying the data as hard as if it were only stored on paper (you can still photograph the screen with a phone).