It does seem bizarre to me that you're expected to provide their security. From a legal point of view or a security point of view, they will have to validate whatever system you provide. If they don't, then for all they know you're just ROT13ing the data. They really ought to have a disinterested third party to set this up.

Anyhoo, business and suits being what they are I imagine that common sense and good practices come second to MUNNY so you're going to have to provide them with an answer anyway. Platform differences are going to be an issue, but the truth is that any "encryption" you write yourself in the script just isn't going to cut the mustard, especially if some data is leaked and there's any suspicion of your organisation. I regret that you *are* going to have to get them to install at least one module. I recommend Crypt::Blowfish_PP which is a Pure Perl (i.e. no native libraries requred) implementation of the Blowfish algorithm, which provides symmetric encryption. It should run on any OS. I haven't used it myself so I can't speak for it's quality, but if it's a faithful implementation of Blowfish you're off to a good start. With a little hacking you might actually be able to copy the code into your script to avoid the installation issues.

You have one advantage here in that symmetric encryption is adequate. It doesn't matter that the source knows your key, as long as they have a clue about security and don't let it out (actually, judging by the way they're running their security I'm not so sure that's the case).

And may I please just scare you out of basing the encryption keys on the organisations' names. Please just don't. It makes my ears bleed :-)

Update: Thanks to xtype for a much-needed LART after I linked to DBIx-Tree there. Heck knows how I did that. I wasn't even looking at that module! Is the monastery haunted?