Arguing implementation details is fruitless without knowing the particular requirements in great detail. However, I don't believe I "suggested encryption may not be appropriate." I only meant that the 128-bit SSL provided by the web server might be enough, as long as the data were not too sensitive, and if some other factor didn't mandate that the transmission from the web server over email was necessary .

I agree that "automatically decrypting and storing the data" would be useful in overcoming difficulty with personnel training. But I think that this adds complexity, and could only be justified if the sensitivity of the application were such that 128bit SSL was inadequate to protect the data.

As to 2048bit keys and ten years of protection, I'd be wary of that. The number suggests you are referring to public key cryptography. Such systems are probably vulnerable to breakthroughs in quantum cryptography. Whether such a breakthrough is likely to occur in the next ten years is debatable, but a symmetric system is more likely to have a good shelf life nowadays. Second, it is very, very rare that data need protection over a term of ten years, If the data is that sensitive, using the Internet at all needs to be seriously questioned.

But hey, Perl can handle it regardless. 8)