what happens if ISPs are ordered to block all encrypted packets for which the DHS doesn't hold the keys in escrow?
Not gonna happen. This would be insanely computationally expensive. Real-time DPI hardware for an OC-192 link costs about $10K (IIRC), and that's just for unencrypted packets. Checking against a list of RSA, AES, etc. keys for each connection would require an astronomical amount of computing power, and that's just for one backbone.