Why not get a wallet address that has not been encrypted, then once you get the address (wallet.dat), encrypt it yourself with a key he has never seen? It seems much more logical. Why he needs to generate a key at all is confusing to me. Why not just generate the wallet address, export the wallet.dat file, and then allow the new owner of the address to encrypt it himself (UNLESS) he does plan on stealing the bitcoins from that address?