Encrypted backups = good.

Encrypted data on disk = ???

I can see some scenarios to maintain keys/certificates, along the lines of giving critical personnel (I was going to say key personnel, but didn't want to run the risk of a pun) portable HDDs or perhaps a couple of email accounts that you could email the key/certificates after they are compressed & encrypted with PKZIP. Either would be an easy repository, and if that account is compromised or that HDD is stolen, it wouldn't be too difficult to revoke/change the keys and reinitialize your off-network DR key scheme.

Maybe make the password to the zip a two-part password where C-Level #1 enters the first ten characters, C-Level #2 enters the second ten. They keep their parts in a sealed envelope in a personal safe. The C-Levels don't have physical (or electronic) access to the key repository, the ones with the access don't have the key to unlock the repository.

You're always going to have trust issues as long as you have humans, it's unavoidable. And regardless of our thinking of ourselves as trustworthy, which no doubt many of us are, we only have to look at Certegy as proof that there will always be exceptions.

Of course you should change the keys to the system, perhaps as often as you change your system passwords, probably at least annually. But you absolutely must maintain those old keys in case you're under a court order to produce data from last year's backup.

If you want to have some real fun, check out this Microsoft paper on "Implementing Row- and Cell-Level Security in Classified Databases Using SQL Server 2005" at http://www.microsoft.com/technet/prodtechnol/sql/2005/multisec.mspx or this paper on encryption vs hashing at http://searchsqlserver.techtarget.com/tip/0,289483,sid87_gci1285699,00.html.

As for my employer? No plans for disk encryption, we're looking at encrypting all of our LAN traffic, though.