My recent cybersecurity refresher training was pimping encryption and claiming only company-issued PKI was acceptable. I smell a back door in that policy. If it’s sensitive enough to need encryption, you’ll have to get the key and the algorithm from me. No corporate back door.
No back door is required, though there is probably one there that the company doesn't even know about, courtesy of the NSA. What they most likely do is include a corporate public key along with any other key it is encrypted with. It's easy to do, and can be transparent to the user.
The U.S. government is the driving force behind the woeful state of the security of the internet. Without the Feral government leaning on companies, we'd have end-to-end encryption installed almost universally now. It's not difficult to do, and given the horsepower of computers these days, it's almost criminal not to use it everywhere IMO.
I've been trying to get people to use PGP for years and years. Since I use Thunderbird as an email client, it's trivial to use. However, in order to use encryption, the other side has to be able to use it as well.
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.15 (GNU/Linux)

jA0EAwMCpSjdGqWizjZgyUYXkYT45LVswm+0PcKLjI2hVDUIDd3BFsDfxDV1K+/Y
go9VlLB7J63Jm+bAeSL0K+wL77o/IrPFl1OPZ7BHG9BE2jx0hH2Q
=Avp6
-----END PGP MESSAGE-----
Decrypt this, NSA.
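An added example, not code from anyone in this thread: a small standard-library Python walker over the packets of an armored OpenPGP message. The "extra corporate recipient" described earlier is visible in the message itself as an additional public-key encrypted session key packet (tag 1) naming the corporate key ID, so listing those packets is the check a recipient can run (the same information `gpg --list-packets` prints). Run on the message posted above, it reports one passphrase (SKESK) slot and no public-key recipients at all; the message was encrypted with a passphrase, not to any key.

```python
import base64
# Added check: walk the packets of an armored OpenPGP message and report who can open it.
# A quietly added corporate recipient shows up as an extra tag-1 packet carrying its key ID.
TAG_NAMES = {1: "PKESK (public key)", 3: "SKESK (passphrase)", 9: "encrypted data", 18: "encrypted data + MDC"}

def read_packet(buf: bytes, pos: int):
    """Parse one packet header (old or new format); return (tag, body, next_pos)."""
    t = buf[pos]
    if t & 0xC0 == 0xC0:                           # new-format header (RFC 4880 4.2.2)
        tag, first = t & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    elif t & 0xC0 == 0x80 and t & 0x03 != 3:       # old-format header with a definite length
        tag, hdr = (t >> 2) & 0x0F, 1 + (1, 2, 4)[t & 0x03]
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    else:
        raise ValueError("not a packet header, or indeterminate length")
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def list_recipients(armored: str) -> dict:
    lines = [l.strip() for l in armored.strip().splitlines()]
    body = lines[lines.index("-----BEGIN PGP MESSAGE-----") + 1:lines.index("-----END PGP MESSAGE-----")]
    body = [l for l in body if l and ":" not in l and not l.startswith("=")]  # keep base64 data lines only
    raw, packets, pos = base64.b64decode("".join(body)), [], 0
    while pos < len(raw):
        tag, pbody, pos = read_packet(raw, pos)
        info = {"tag": tag, "name": TAG_NAMES.get(tag, "other"), "len": len(pbody)}
        if tag == 1:                               # PKESK body: version, 8-byte key ID, pk algo, ...
            info["key_id"], info["pk_algo"] = pbody[1:9].hex().upper(), pbody[9]
        elif tag == 3:                             # SKESK body: version, symmetric algo, S2K ...
            info["sym_algo"] = pbody[1]
        packets.append(info)
    return {"packets": packets,
            "recipient_key_ids": [p["key_id"] for p in packets if p["tag"] == 1],
            "passphrase_slots": sum(p["tag"] == 3 for p in packets)}
# The message posted in the thread above, with its armor line breaks restored.
THREAD_MESSAGE = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.15 (GNU/Linux)

jA0EAwMCpSjdGqWizjZgyUYXkYT45LVswm+0PcKLjI2hVDUIDd3BFsDfxDV1K+/Y
go9VlLB7J63Jm+bAeSL0K+wL77o/IrPFl1OPZ7BHG9BE2jx0hH2Q
=Avp6
-----END PGP MESSAGE-----"""
```

`list_recipients(THREAD_MESSAGE)` yields a tag-3 SKESK (symmetric algorithm 3, CAST5) followed by a tag-9 encrypted data packet; a message with a silently added corporate key would instead show two tag-1 packets with different key IDs.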