I plan to implement an encrypted messaging system on a website (I realize this isn’t the best place to do this). The website has php as a backend with a SQLite database.
This requires that messages are encrypted with a public key and decrypted with a private one. The public one (for each person) will be stored on the database (it will be sent to the client when they want to send a message). Messages on the server are stored and encrypted by this essential pair.
My question is, how should I store the private key? Each person will need one, and it needs to remain secret. Otherwise, other people could see their messages.
I think it is encrypted with the user’s password on the database. It is then sent to the client, who enters the password, and it is decrypted and stored as a javascript variable. It is then used to solve each message sent to the client.
Is this secure enough? Would it be better to store the private key differently on the client side, such as cookie/local storage, or not at all? Should more be done server-side?
Edit:
Alternativly I could do more server side. When messages are requested, the password will be sent from the client (manual input) to the server via POST. It will then be used to decrypt the private key that is stored in the database (encryted) and decrypt the messages. The messages will be then sent back to the client in plain text as part of a html page.
Should normal php variables ($varname) be used for this? Is it safe to store the password itself as a variable or session variable or should they be sent every time.