How would you manage keys with TrueCrypt in a business environment?

One suggestion could be to encrypt the volume with an encryption key only (no passphrase), but keep the key always encrypted on laptops/workstations with EFS (Windows only), so that in reality both the user's password (optionally the backup agent key) and the encryption key are used by TrueCrypt.

This way, access to the encrypted devices will be "transparent" to the users, and you can manage passwords, EFS backup keys, etc. centrally without having to worry about lost keys, etc.

You should specify your OS, but why not keep all the keys backed up somewhere secure? Also, I would use a passphrase in combination with the key if you are not already. If the key is on something like a thumbdrive, chances are they might lose that with the laptop (i.e., they are in the same bag), making the encryption pretty much useless in the first place.
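One way to put the first answer's EFS-protected keyfile scheme into practice, with a check for the second answer's concern (a keyfile that has lost its EFS protection or that sits on removable media). This is an added example, not code from either poster; the container path, keyfile path and drive letter are placeholders, while the TrueCrypt.exe switches (/v, /l, /k, /p, /q, /s) are the program's documented command-line options.

```powershell
# Added example: mount a TrueCrypt volume with a keyfile only if the keyfile is
# still EFS-encrypted and stored on a fixed (non-removable) drive.
param(
    [string]$TrueCrypt   = 'C:\Program Files\TrueCrypt\TrueCrypt.exe',
    [string]$Volume      = 'D:\vault.tc',                    # placeholder container
    [string]$KeyFile     = "$env:USERPROFILE\Keys\vault.key", # placeholder keyfile
    [string]$DriveLetter = 'X'                                 # placeholder letter
)

# First run: generate a random keyfile and put it under EFS, so only this
# user (plus any configured EFS recovery agent) can read it.
if (-not (Test-Path $KeyFile)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $KeyFile) | Out-Null
    $bytes = New-Object byte[] 64
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    [System.IO.File]::WriteAllBytes($KeyFile, $bytes)
    [System.IO.File]::Encrypt($KeyFile)   # sets the EFS Encrypted attribute
}

# EFS attributes are silently dropped when a file is copied to FAT media, so a
# keyfile without the attribute is readable by anyone who holds the disk.
$attrs = (Get-Item $KeyFile).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    Write-Error "Keyfile $KeyFile is not EFS-encrypted; refusing to mount."
    exit 1
}

# A keyfile on a thumbdrive travels in the same bag as the laptop; insist on
# the local fixed disk where the user's EFS certificate actually protects it.
$drive = New-Object System.IO.DriveInfo((Split-Path -Qualifier $KeyFile))
if ($drive.DriveType -ne [System.IO.DriveType]::Fixed) {
    Write-Error "Keyfile $KeyFile is on a $($drive.DriveType) drive; refusing to mount."
    exit 1
}

# Keyfile-only scheme: empty password (/p ""), keyfile via /k; /q quits the GUI
# after mounting and /s suppresses dialogs so the mount is transparent.
& $TrueCrypt /v $Volume /l $DriveLetter /k $KeyFile /p "" /q /s
```

Run it at logon for the user who owns the EFS certificate; any other account, or a copy of the keyfile taken off the machine, fails the attribute check or cannot decrypt the file at all.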