Hi there, I'm in the process of designing a web application that will require the storage of GPG keys in an encrypted format in a database.
I'm planning on storing the user's password in a bCrypt hash in the database. What I would like to be able to do is to use that bCrypt to authenticate the user then use the combination of the stored bCrypt hash and another hash of the password to encrypt and decrypt the GPG keys.
My question is whether I can do this without reducing the security of the password? I was thinking I may be able to use something like an HMAC-SHA256 of a static string using the password and a salt as the secret key.
Is there a better way to do this that I haven't thought of?
Thanks