* Posts by Alastair

1 publicly visible post • joined 9 May 2008

DWP still sending out passwords and discs together

Alastair

What moron came up with the separate password policy?!

Look, you don't need to mail passwords to have data security. Establish a position in each department responsible for receiving data and create a PGP key for that position. Place each key on a keyserver (either public or privately maintained, doesn't matter), and sign each one with a master key owned by some controlling entity (government director of security or something) to establish trust among all of the keys that are to be used.

The policy is then simple: Whenever you ship data you encrypt it for a) all recipients, and b) always for the master controlling entity.

You are then free to ship the hard drive without any password information, since only the intended recipients with their private keys can actually read it. Additionally, should any recipient key be lost the master controlling entity can recover it since they are always a recipient.

PGP has been able to create and manage such a structure for years now. When I read about people mailing passwords it just cracks me up. How incompetent and clueless are the IT folk?
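The structure the post sketches, as an added example that is not part of the original post or of any government system: one keyring per party, a master key that certifies each department's key, recipients that trust only the master, and every shipment encrypted to all intended recipients plus the master. It is driven with GnuPG 2.x (assumed installed). The party names, e-mail addresses, the directory used as a stand-in "keyserver", and the sample data are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post). Requires GnuPG 2.x. All names, addresses and
# the "keyserver" directory are assumptions; the batch data is constructed.
set -eu

DEMO_ROOT=$(mktemp -d /tmp/pgpdemo.XXXXXX)
KEYSERVER="$DEMO_ROOT/keyserver"    # stand-in for a public or privately run keyserver
mkdir -p "$KEYSERVER"

M_MAIL=security-master@example.gov  # "government director of security" (assumed name)
A_MAIL=data@dept-a.example.gov
B_MAIL=data@dept-b.example.gov
C_MAIL=data@dept-c.example.gov      # a key nobody certified: must be rejected

# Run gpg non-interactively inside one party's own keyring.
g() {
  _home=$1; shift
  GNUPGHOME="$DEMO_ROOT/$_home" gpg --batch --quiet --no-tty --pinentry-mode loopback "$@"
}

# Create a party's keyring, generate its key (no passphrase: demo only) and
# "publish" the public half to the keyserver directory.
mkparty() {
  mkdir -p "$DEMO_ROOT/$1"; chmod 700 "$DEMO_ROOT/$1"
  g "$1" --passphrase '' --quick-generate-key "$2" default default never 2>/dev/null
  g "$1" --export --armor "$3" > "$KEYSERVER/$1.asc"
}

# Primary-key fingerprint of a key in a party's keyring.
fpr() { g "$1" --list-keys --with-colons "$2" | awk -F: '/^fpr/ {print $10; exit}'; }

run_demo() {
  mkparty master "Director of Security <$M_MAIL>" "$M_MAIL"
  mkparty deptA  "Dept A Data Desk <$A_MAIL>"     "$A_MAIL"
  mkparty deptB  "Dept B Data Desk <$B_MAIL>"     "$B_MAIL"
  mkparty deptC  "Unvetted Desk <$C_MAIL>"        "$C_MAIL"
  MASTER_FPR=$(fpr master "$M_MAIL")

  # Master imports the department keys, certifies them, and republishes the
  # signed copies. Dept C is deliberately never certified.
  g master --import "$KEYSERVER/deptA.asc" "$KEYSERVER/deptB.asc" 2>/dev/null
  g master --yes --quick-sign-key "$(fpr master "$A_MAIL")"
  g master --yes --quick-sign-key "$(fpr master "$B_MAIL")"
  g master --export --armor "$A_MAIL" > "$KEYSERVER/deptA.asc"
  g master --export --armor "$B_MAIL" > "$KEYSERVER/deptB.asc"

  # Dept A fetches keys from the keyserver and trusts exactly one root: the master.
  g deptA --import "$KEYSERVER/master.asc" "$KEYSERVER/deptB.asc" "$KEYSERVER/deptC.asc" 2>/dev/null
  printf '%s:6:\n' "$MASTER_FPR" | g deptA --import-ownertrust 2>/dev/null
  g deptA --check-trustdb 2>/dev/null || true

  # The shipping policy: encrypt to every recipient AND to the master. No password travels.
  printf 'NI numbers batch 42 (constructed sample data)\n' > "$DEMO_ROOT/batch.txt"
  g deptA --encrypt -r "$B_MAIL" -r "$M_MAIL" -o "$DEMO_ROOT/batch.gpg" "$DEMO_ROOT/batch.txt"

  # Dept B reads it with its own private key; the master can recover it too.
  B_PLAINTEXT=$(g deptB --decrypt "$DEMO_ROOT/batch.gpg" 2>/dev/null)
  MASTER_PLAINTEXT=$(g master --decrypt "$DEMO_ROOT/batch.gpg" 2>/dev/null)

  # The sender is not a recipient under this policy, so Dept A cannot read the shipped disc.
  if g deptA --decrypt "$DEMO_ROOT/batch.gpg" >/dev/null 2>&1; then A_CAN_DECRYPT=yes; else A_CAN_DECRYPT=no; fi

  # The trust check in action: a keyserver key the master never certified is refused.
  if g deptA --encrypt -r "$C_MAIL" -o "$DEMO_ROOT/rogue.gpg" "$DEMO_ROOT/batch.txt" 2>/dev/null; then
    C_ACCEPTED=yes
  else
    C_ACCEPTED=no
  fi

  for p in master deptA deptB deptC; do
    GNUPGHOME="$DEMO_ROOT/$p" gpgconf --kill gpg-agent 2>/dev/null || true
  done
}

run_demo
echo "Dept B read:     $B_PLAINTEXT"
echo "Master recovered: $MASTER_PLAINTEXT"
echo "Sender can read:  $A_CAN_DECRYPT"
echo "Uncertified key accepted as recipient: $C_ACCEPTED"
```

The refusal of Dept C's key is the point of certifying with a master key: anyone can upload a key to a keyserver, so a recipient's gpg only treats a key as usable once it chains to the root it trusts. In a real deployment the keys would be passphrase-protected and the master's private key kept offline or in a hardware token, since it can decrypt every shipment.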