I'm trying to wrap my head around your architecture, so I'm not sure which thing you are trying to authenticate. Are you trying to:
- check the web service caller
- check the web service provider
- both
And is the thing being authenticated a human using a program or the server itself?
And do you have to pass the service calls around and authenticate them at multiple points or is this strictly point to point?
And what is your assessment of risk? What bad stuff is the authentication preventing?
If you do your proposed #1, your authentication problem moves from the message to the server - if your server is physically protected and your authetication credentials to the OS are "strong enough" you're probably decently protected in where you've stored the password.
I'm confused on #2 - if you are reading in the passphrase interactively, why not read in the password interactively and not store the password at all? If the passphrase unlocks the password, handling the passphrase should be as careful as if you are handling the password.
The bigger concern with any password is where is it going, and how is it protected along the way. Using passwords within the web service will be risky if you are sending your web service messages in the clear. Also where are passwords checked on the other end, and how are they distributed to the server for storage for #1 and #2? This is just stuff to consider for any password based authentication mechanism.
Also - how often should passwords be changed and do you have a procedure for it?
And how much do you repeat the password? If you have exactly one password shared across every machine, the risk is much higher than a different password for each server/script or user, since you can disable them one at a time.