I have a web application that needs to store server login information. I'm using a 2048-bit PGP public key to encrypt inserted passwords (see the insertServerDef
I may be doing something similar to you. I currently wish to protect personal information on a local web server database, so I am encrypting it with a public key (stored on the web server itself) and decrypting it with a private key stored in a cookie with a short lifetime (30 minutes for me).
Over an SSL connection, this will keep the key from falling into the wrong hands, and it doesn't store it on the server. Ideally I should double-check that PHP doesn't cache cookie values on the server, but even if it does, this security layer still represents a bigger hurdle for attackers than simply stealing the plaintext database.
Whether this would be a good approach for you depends on whether your application needs to access server credentials even when users are not logged in via the web. In my case, decryption is only required via the web app, so the cookie suffices. However, if you need unattended use, you will need to store the private key on the server.
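The split the answer describes, with the insert path needing only the server-held public key and the read path receiving the private key with the request, as an added example in Go that is not code from the question or the answer. Function names, the PEM key encoding and the test password are assumptions; how the private key travels with the request (the answer's cookie) is outside the block.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// GenerateKeyPair returns PEM-encoded RSA keys. The public key is what the web
// server keeps; the private key is handed to the user and never stored server-side.
func GenerateKeyPair(bits int) (pubPEM, privPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&key.PublicKey)})
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return pubPEM, privPEM, nil
}

// EncryptSecret is the insert path: only the public key is needed. RSA-OAEP with
// SHA-256 caps the plaintext at 190 bytes for a 2048-bit key, enough for a password.
func EncryptSecret(pubPEM, secret []byte) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, errors.New("invalid public key PEM")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// DecryptSecret is the read path: the private key arrives with the request and
// exists in memory only for the duration of this call.
func DecryptSecret(privPEM, ciphertext []byte) ([]byte, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return nil, errors.New("invalid private key PEM")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ciphertext, nil)
}
```

A stolen copy of the database plus the public key yields nothing; decryption requires the key material that only the request carries.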