Encryption and guest users
I have a website where a registered user can exchange any number of offline messages with a guest. The guest only has to enter his e-mail address and should not have to create an account. The messages should be stored encrypted on the server. If there is a new message for the guest, he should only receive a one-time link by e-mail, with which he can decrypt the messages.
The requirement should only be that a hacker who steals the database cannot decrypt the messages. I thought I'd use a public/private key method and attach the private key as a GET parameter to the https link. It is never stored anywhere at any time and is only in RAM. The problem is that the private key is very long and of course I don't feel good about transferring the private key to the server.
Is there another (better) way, without any password input, or client software, just with a link via email?
