The problem with pervasive crypto...
...is recovering the data in the event of disaster.
Your server goes tits up, or $EVIL_EX_EMPLOYEE has changed the passwords on the server before going off to be a transgendered freedom fighter in Colombia.
You have backups of an encrypted RAID array, and not much else.
You restore the data. What's the passphrase/key? Well, Bill and George know it. Whoops, they were hit by the same flying elephant that knocked out your server, or have followed $EVIL_EX_EMPLOYEE to fight for justice in the jungle.
Hey, there's a copy on Joe's laptop. Whoops, got stolen. Been a bad week. And all our corporate accounts data is encrypted and it'll take longer than the age of the universe to brute force it.
There is, of course, an alternative - used by Microsoft in Windows 2000. You designate a Recovery Agent (typically the Domain Admins group) and they can decrypt anything encrypted IF THE RECOVERY AGENT WAS PUT IN PLACE BEFOREHAND. The process is tedious and convoluted, involving shuffling certificates around.
Joe Accounts Worker can't expect to encrypt his hard disk and then magically have the IT department decrypt it when he can't remember his password.
What makes Windows Encryption worse is that it's done against the security principal (the user) - they choose a directory or file and in the properties, choose to encrypt it.
The bad part of this is that the only thing you need to crack is the user's regular domain password. And we all know how well users choose their passwords.
Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
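Added illustration (not code from the post above, and not Microsoft's EFS implementation): a small Go model of the recovery-agent scheme the post describes. Each file gets a random data encryption key (DEK); the DEK is wrapped with the owner's public key and with the public key of every recovery agent designated at encryption time. The scenario function plays out the post's complaint: a file Joe encrypted before the agent existed carries no entry for the agent and cannot be recovered, while a file encrypted afterwards can. The principal names "joe" and "recovery-agent", the ledger strings, and the choice of RSA-OAEP plus AES-256-GCM are constructed stand-ins for this example, not EFS's actual formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile models one EFS-style file: content sealed under a random
// per-file DEK, plus that DEK wrapped once per principal allowed to open it.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedDEK map[string][]byte // principal name -> DEK wrapped with that principal's RSA public key
}

// newGCM builds an AES-GCM instance for a 32-byte DEK.
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext and wraps the DEK for the owner and for every
// recovery agent designated *at the time of encryption*. An agent added
// later gets no entry: the "put in place beforehand" condition.
func EncryptFile(plaintext []byte, owner string, ownerPub *rsa.PublicKey, agents map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedDEK: map[string][]byte{}}
	recipients := map[string]*rsa.PublicKey{owner: ownerPub}
	for name, pub := range agents {
		recipients[name] = pub
	}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
		if err != nil {
			return nil, err
		}
		f.WrappedDEK[name] = w
	}
	return f, nil
}

// DecryptFile unwraps the DEK with the principal's private key, if the file
// carries an entry for that principal, then opens the content.
func DecryptFile(f *EncryptedFile, principal string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := f.WrappedDEK[principal]
	if !ok {
		return nil, errors.New("no DEK entry for " + principal + ": file is not recoverable by this principal")
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// RunScenario uses constructed keys and data: Joe encrypts one file before
// the recovery agent is designated and one after. It reports whether the
// agent can recover each file and whether the owner can still open both.
func RunScenario() (agentRecoversOld, agentRecoversNew, ownerRecoversBoth bool, err error) {
	joe, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	agent, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	oldFile, err := EncryptFile([]byte("Q3 ledger (constructed)"), "joe", &joe.PublicKey, nil) // no agent yet
	if err != nil {
		return
	}
	agents := map[string]*rsa.PublicKey{"recovery-agent": &agent.PublicKey}
	newFile, err := EncryptFile([]byte("Q4 ledger (constructed)"), "joe", &joe.PublicKey, agents)
	if err != nil {
		return
	}
	_, errOld := DecryptFile(oldFile, "recovery-agent", agent)
	ptNew, errNew := DecryptFile(newFile, "recovery-agent", agent)
	ptJoeOld, e1 := DecryptFile(oldFile, "joe", joe)
	ptJoeNew, e2 := DecryptFile(newFile, "joe", joe)
	agentRecoversOld = errOld == nil
	agentRecoversNew = errNew == nil && string(ptNew) == "Q4 ledger (constructed)"
	ownerRecoversBoth = e1 == nil && e2 == nil && string(ptJoeOld) == "Q3 ledger (constructed)" && string(ptJoeNew) == "Q4 ledger (constructed)"
	return
}

func main() {
	old, nw, owner, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("agent recovers pre-agent file: %v\nagent recovers post-agent file: %v\nowner recovers both: %v\n", old, nw, owner)
}
```

The design point is that recovery is a property written into each file at encryption time, not a privilege the domain can grant retroactively; a backup restore after the owner's key is gone is only as recoverable as the agent entries that were already on the files.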