> To decide on the storage container you have to ask how transportable
> and how interoperable your encrypts need to be. If they're only going
> to be consumed by your own applications or stored in your own
> archives, then you can roll your own formats. If not, then you face a
> documentation and support challenge whether you use a "standard" like
> PKCS7 or not.
>

The encrypted data is for our own applications only.  We have used a
variety of methods but now that I'm tackling it again I'd like to
decide this once and for all.   I doubt that I could brew up a
container any more efficient then just using PKCS7 via openssl, and
experience tells me that it's probably better to use a well known
standard.  I'm not going to be the one maintaining the code in the
long run.