Backing up and encryption with GPG 4776

I agree, but let's say I am administering several users. Can I count on these users to do or remember to do encryption of their sensitive files. Maybe maybe not. But if someone wants the sensitive data it would be easier (at least less time consuming if successful) to break in and walk off with the external HD. If its a USB HD one just needs to mount it and copy. Isn't the whole point of public key encryption to address this kind of security weakness?

I guess this point goes to USB memory sticks as well -- anyone ever forget their USB stick in an internet cafe because you were rushing off to catch a flight? Ever have information on their you'd rather others in the airport not see.

For now I am thinking the best option will be to run a backup that uses the users public key to encrypt their home directory if they are a member of root's key ring. If they are not members of that "web of trust" then root uses symmetric encryption using his public key. The first option protects sensitive files from being seen by root as well as anyone else except the user and makes it very unlikely that if one user's backup is happened to be compromised that others backups on the same external HD would be.

The second option allows for any other sys-admins in the "wheel" group who can become root to unencrypt other users accounts. Thus those who should be hiding their sensitive information just need to create a key set and join roots key ring. They never have to worry (remember) to encrypt because root's backup script will do the encryption for them using their public key and those that don't have such sensitive files will still be pretty safe since only root can access their backups.

This of course does not work so well for memory sticks since one would often go between OS's with memory stick and not have GPG not to mention their required key information with them.

BTW, Is their GPG for Windows, MAC?? :)