A very secure crypto container

In my thoughts of keeping data safe… I had the following idea…

What is actually the idea… we split the key (passphrase) into 3 parts:

  • Passphrase in the brain of the user
  • Passphrase on a USB-stick (randomly generated data)
  • Passphrase on an HTTPS-server which requires a certificate on the client before it allows access to its part of the key (randomly generated data)
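
The post does not say how the three parts are combined. As an added example (not the author's code), one way is to stretch the memorised part and mix all three through an HKDF-style HMAC construction, so a missing or wrong part never yields the container key. The function names, the PBKDF2 iteration count and the 32-byte minimum for the random parts are assumptions.

```python
import hashlib
import hmac
import secrets

MIN_PART_LEN = 32  # assumed minimum size for the two random parts


def derive_container_key(brain: str, usb_part: bytes, server_part: bytes,
                         salt: bytes) -> bytes:
    """Combine the three parts into one 256-bit container key."""
    for name, part in (("USB", usb_part), ("server", server_part)):
        if part is None or len(part) < MIN_PART_LEN:
            raise ValueError(f"{name} part missing or too short")
    if not brain:
        raise ValueError("memorised passphrase missing")
    # Stretch the human-chosen part; it is the only low-entropy input.
    stretched = hashlib.pbkdf2_hmac("sha256", brain.encode(), salt, 600_000)
    # Length-prefix each part so boundaries cannot shift between parts.
    material = b"".join(len(p).to_bytes(2, "big") + p
                        for p in (stretched, usb_part, server_part))
    # HKDF-style extract then expand (RFC 5869, single output block).
    prk = hmac.new(salt, material, hashlib.sha256).digest()
    return hmac.new(prk, b"container-key\x01", hashlib.sha256).digest()


def key_check(key: bytes) -> bytes:
    """Value stored in the container header to recognise the right key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def unlock(brain, usb_part, server_part, salt, stored_check) -> bool:
    """Return True only when all three parts reproduce the stored check."""
    try:
        key = derive_container_key(brain, usb_part, server_part, salt)
    except ValueError:
        return False  # a lost or revoked part keeps the container closed
    return hmac.compare_digest(key_check(key), stored_check)


if __name__ == "__main__":
    # Constructed sample values; real parts come from the user, the USB
    # stick and the HTTPS server.
    salt, usb, srv = (secrets.token_bytes(n) for n in (16, 32, 32))
    check = key_check(derive_container_key("correct horse", usb, srv, salt))
    print(unlock("correct horse", usb, srv, salt, check))   # all three parts
    print(unlock("correct horse", usb, None, salt, check))  # USB stick lost
```
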

The benefits are:

  • They need to torture you to get the passphrase part out of your brain
  • They need the physical USB-Stick… (you can hide it in e.g. a vault)
  • You can track the opening of the crypto container by monitoring the HTTPS-server
  • You can block the opening of the crypto-container by removing the passphrase on the HTTPS-server
  • You can block the opening of the crypto-container by denying access to the client-SSL-cert


So there are a lot of benefits… but there are also a few disadvantages:

  • If you lose one of the parts of the passphrase… the crypto container will stay closed
  • You need to be online (on the Internet) for opening the crypto-container, because of the HTTPS-passphrase

But on the other hand… it is a really heavy security solution…

It is not operational yet… but… if I have the proof-of-concept ready… you will read it here…