alas, real security is a pain in the rump.

One possible solution is to store the keylist history in an encrypted file, with that key only available to the few (never ONE) adminstrative individuals necessary.

The encrypted key list should be kept both on and offsite

I would not recommend a shared (partial) key system, in a disaster situation all the principals may not be available.