• I believe the guidance is to store the key export and the password in different locations and to store both on site and off site.

    How about storing the export in VARBINARY(MAX) in a TDE encrypted database that has only DBA access? and then store the password in an encrypted column, perhaps on another SQL Instance. This would be relatively easy to automate.

    This is how I had planned to implement key backup automation in SQLClue. The TDE database is easy to implement (in fact I saw an email from Connect telling me some bothersome 'nuances' of TDE are fixed in 10.5)

    Finally, since many shops run two+ data centers, they could peer to peer replicate between data centers on an SSL or Server self-Certificate encrypted wire. But even without the replication, the backups of the TDE database and the encrypted column could go off site in the normal tape rotation to satisfy the requirement.

    A little work to set up - not bad - but should be painless once running.

    Bill Wunder
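The split-storage scheme described in this comment (key export as a VARBINARY(MAX) blob in a TDE-protected database, the export password in a cell-encrypted column on a second instance), worked through in T-SQL as an added example. This is not Bill Wunder's code and not part of SQLClue; the database, table, certificate, key and file names (KeyVault, PasswordVault, TdeCert, PwdCert, PwdKey, dbo.KeyExport, dbo.KeyExportPassword, the C:\backup paths) are assumed, and the password placeholders must be replaced. It uses the SQL Server 2008-era features the thread discusses (TDE and ENCRYPTBYKEY), so it assumes a sysadmin session on each instance.

```sql
-- ===== Instance 1: the TDE-protected vault for the key export blob =====
-- Added example; all object names and paths are assumed, not from the thread.
USE master;
-- Database master key in master and a server certificate are prerequisites for TDE.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password, instance 1>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate protecting KeyVault';
-- Back the certificate up immediately: a TDE database backup is useless without it.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\backup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\backup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');

CREATE DATABASE KeyVault;
GO
USE KeyVault;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE KeyVault SET ENCRYPTION ON;   -- data and log files, and backups, now encrypted at rest

-- The export blob lives in a VARBINARY(MAX) column, as suggested in the comment.
CREATE TABLE dbo.KeyExport (
    ExportId     INT IDENTITY(1,1) PRIMARY KEY,
    SourceServer SYSNAME        NOT NULL,
    KeyName      SYSNAME        NOT NULL,
    ExportedAt   DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME(),
    ExportBlob   VARBINARY(MAX) NOT NULL
);
-- "DBA access only": no grants to public; a dedicated role gets the minimum needed.
CREATE ROLE KeyVaultOperator;
GRANT SELECT, INSERT ON dbo.KeyExport TO KeyVaultOperator;

-- Load a key export file produced earlier (e.g. BACKUP SERVICE MASTER KEY TO FILE = ...).
INSERT INTO dbo.KeyExport (SourceServer, KeyName, ExportBlob)
SELECT @@SERVERNAME, 'ServiceMasterKey', f.BulkColumn
FROM OPENROWSET(BULK 'C:\backup\smk.key', SINGLE_BLOB) AS f;

-- Sanity check: confirm the database really is encrypted (encryption_state 3 = encrypted).
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('KeyVault');

-- ===== Instance 2: the password, in an encrypted column on a separate instance =====
-- Run on the second SQL instance, so neither a backup tape nor a single DBA login
-- on instance 1 yields both the export and the password that unlocks it.
CREATE DATABASE PasswordVault;
GO
USE PasswordVault;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password, instance 2>';
CREATE CERTIFICATE PwdCert WITH SUBJECT = 'Protects the key-export password column';
CREATE SYMMETRIC KEY PwdKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE PwdCert;

CREATE TABLE dbo.KeyExportPassword (
    SourceServer SYSNAME         NOT NULL,
    KeyName      SYSNAME         NOT NULL,
    ExportedAt   DATETIME2       NOT NULL,
    PasswordEnc  VARBINARY(8000) NOT NULL,   -- ciphertext, never the plaintext password
    PRIMARY KEY (SourceServer, KeyName, ExportedAt)
);

-- Store the password that was used on BACKUP ... KEY; only the ciphertext hits disk.
OPEN SYMMETRIC KEY PwdKey DECRYPTION BY CERTIFICATE PwdCert;
INSERT INTO dbo.KeyExportPassword (SourceServer, KeyName, ExportedAt, PasswordEnc)
VALUES ('SQLPROD01', 'ServiceMasterKey', SYSUTCDATETIME(),
        ENCRYPTBYKEY(KEY_GUID('PwdKey'), N'<password used when exporting the key>'));
CLOSE SYMMETRIC KEY PwdKey;

-- Recovery path: only a principal with CONTROL on PwdCert / VIEW DEFINITION on PwdKey
-- can open the key and read the password back.
OPEN SYMMETRIC KEY PwdKey DECRYPTION BY CERTIFICATE PwdCert;
SELECT SourceServer, KeyName, ExportedAt,
       CAST(DECRYPTBYKEY(PasswordEnc) AS NVARCHAR(128)) AS ExportPassword
FROM dbo.KeyExportPassword;
CLOSE SYMMETRIC KEY PwdKey;
```

Two points to keep in mind when automating this: the TDE certificate backup (TdeCert.cer and .pvk) is a third secret that also has to go off site, or the KeyVault backups on the tape rotation cannot be restored anywhere else; and the DECRYPTBYKEY path returns NULL rather than an error when the symmetric key is not open or the caller lacks permission, so the restore runbook should check for a non-NULL result before proceeding.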