The Recovery agent can encrypt the decrypted keys using a one-time passphrase (OTP), then it sends both the encrypted passphrase and the key to the user. For secure OTP transfer, make sure that the Recovery agent uses out-of-band communication or a separate e-mail to send the passphrase and the key to the user.
All the keys are Base64 encoded for easier data exchange. The key is highly vulnerable during transfer if it is not encrypted with the OTP.
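The following added example (not code from the product or its documentation) sketches the wrap-and-deliver step described above: a Base64-encoded recovered key is encrypted under a random OTP, and the two values are printed as the payloads for two separate channels. The choice of scrypt and AES-256-GCM, the blob layout, and the function names `newOtp`, `wrapKey` and `unwrapKey` are assumptions, since the page does not name the algorithms used.

```javascript
// Added example: wrap a recovered key under a one-time passphrase (OTP).
// scrypt + AES-256-GCM are assumptions; the page does not name the algorithms.
const nodeCrypto = require('node:crypto');

// Generate a random OTP; it must travel on a different channel than the key.
function newOtp() {
  return nodeCrypto.randomBytes(18).toString('base64url'); // 144 bits of entropy
}

// Encrypt the Base64-encoded recovered key under the OTP.
// Output is Base64 of: salt(16) || iv(12) || tag(16) || ciphertext.
function wrapKey(recoveredKeyB64, otp) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const kek = nodeCrypto.scryptSync(otp, salt, 32); // key-encryption key from OTP
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const raw = Buffer.from(recoveredKeyB64, 'base64');
  const ct = Buffer.concat([cipher.update(raw), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// User side: recover the key. Throws if the OTP is wrong or the blob was altered.
function unwrapKey(wrappedB64, otp) {
  const blob = Buffer.from(wrappedB64, 'base64');
  if (blob.length < 44) throw new Error('wrapped key is truncated');
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const ct = blob.subarray(44);
  const kek = nodeCrypto.scryptSync(otp, salt, 32);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('base64');
}

// Constructed sample: a random 32-byte value stands in for a decrypted key.
const sampleKeyB64 = nodeCrypto.randomBytes(32).toString('base64');
const sampleOtp = newOtp();
const sampleWrapped = wrapKey(sampleKeyB64, sampleOtp);
console.log('channel 1 (e-mail):     ', sampleWrapped);
console.log('channel 2 (out-of-band):', sampleOtp);
```

Because the wrapped blob is authenticated, a user who receives a modified blob or types the wrong OTP gets an error instead of a silently corrupted key.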