I'm designing a system to hold protected user objects, potentially using their passwords as in this article, "Encrypting sensitive data in software and storing/decrypting it on a server".
When a user forgets their password, I need a method to reset their password but also recover and re-protect their user object. I want to automate this process using some self-service portal.
I had considered using some asymmetric encryption to additionally encrypt the user object during the original password encryption, where some remote system with access to the private key can recover the data and then allow the user to specify a new password and re-protect their object.
Are there any existing patterns that could achieve this?
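
A sketch of the design described in the question, as an added example that is not part of the original post. It assumes Node.js and its built-in `crypto` module, and it assumes a random per-object data key that is wrapped twice (once under a password-derived key, once under the recovery public key), so a reset only re-wraps the key. All function and field names are hypothetical.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM helpers. Output layout: iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}
// Password-derived key-encryption key (scrypt with Node's default cost parameters).
const kek = (password, salt) => crypto.scryptSync(password, salt, 32);
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Protect: the data key encrypts the object; the data key itself is wrapped twice.
function protect(object, password, recoveryPublicKey) {
  const dataKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  return {
    body: seal(dataKey, object),
    salt,
    pwWrap: seal(kek(password, salt), dataKey),
    recoveryWrap: crypto.publicEncrypt({ key: recoveryPublicKey, ...OAEP }, dataKey),
  };
}

// Normal access path: only the password is needed.
function unlock(rec, password) {
  return open(open(kek(password, rec.salt), rec.pwWrap), rec.body);
}

// Runs only on the recovery system, after the portal has verified the user's identity.
function resetPassword(rec, recoveryPrivateKey, newPassword) {
  const dataKey = crypto.privateDecrypt({ key: recoveryPrivateKey, ...OAEP }, rec.recoveryWrap);
  const salt = crypto.randomBytes(16);
  return { ...rec, salt, pwWrap: seal(kek(newPassword, salt), dataKey) };
}

// Constructed demo: protect, reset, then check old and new passwords.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const rec = protect(Buffer.from("constructed user object"), "old-password", publicKey);
  const reset = resetPassword(rec, privateKey, "new-password");
  let oldRejected = false;
  try { unlock(reset, "old-password"); } catch { oldRejected = true; }
  return { after: unlock(reset, "new-password").toString(), oldRejected, bodyUnchanged: reset.body.equals(rec.body) };
}
```

In this layout the application server holds only the public key; whoever holds the recovery private key can unwrap every user's data key, so that key's storage and the identity check in front of `resetPassword` carry the security of the whole scheme.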