Req. advice on automated gpg batch job and storage of private key/keyring offline

John French johnlfrench at
Sun Sep 14 18:18:19 CEST 2008

I need to store credit card numbers in my server's database (server
co-located elsewhere).  I want to keep the public key on the server to
encrypt the card numbers when entered by account holders and prior to db
storage.  I have to keep the cc number on record for recurring billing
purposes.  It makes me feel more secure to keep the private key and private
keyring (passphrase or not) off the server.  When its time to run the cards
against the cc merchant account, I'd like to go to a password protected ssl
page on my site and enter (paste)  the key as ASCII (armored) and allow the
php script to decrypt the cc numbers, process them and exit, all in memory.
Is there a way to go about this?  I've been testing and can't decide on a
good way to accomplish this task.  If I remove th eprivate keyring, I have
noticed that gnupg complains about the keyring being missing and goes so far
as to recreate it.  I have thought that it may be best to keep the private
keyring on the server and password protected but empty (not sure this is
possible, haven't tested), and from my php/ssl script, send the ASCII
armored private key and keyring passcode.  The script would import the key,
run the decryption and remove the key from the keyring as the last step.  It
password protection on the keyring would keep the key safe if the script
bombed while the private key was on the ring.
Can anyone offer advice or procedures on a good safe way to accomplish this
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20080914/69d70a97/attachment.htm>

More information about the Gnupg-users mailing list