I've been doing this for a couple of years. I never found a tutorial - just some very complicated manuals. I tried a half dozen solutions before I got it to work.
The first thing you have to know is that you can't embed the encryption key in the script. You have to put the key on your GPG keyring. The only way I know how to do that is at the Unix command line. I assume that iPowerWeb doesn't let you get to the command line but, in anticipation of this problem, they have built a way to import the key to your keyring.
First off... Your ISP only has to install the GPG software once and then, because you have separate accounts, you all get your own keyring. It's usually stored in a hidden directory called .gpg or something like that. When you add a key to your keyring, it's stored in your directory. Now when you invoke GPG, you specify what plaintext should get encrypted and what key it should use to encrypt the text. I'll dig that command up in a few minutes.
The problem for you is that DEcryption in GPG (and PGP for that matter) also works by specifying which key on the keyring should be used to decrypt the text. So pasting the decryption key into a form field isn't going to work for you because GPG doesn't accept the key as a string, it has to come from the keyring.
And of course, you don't want to put it on the keyring because if anyone hacked into your web site, they would be able to decrypt everyone's SS#.
And (I'm sorry for the lecture) that brings us to one of the most important aspects of security. When a server is connected to a network, the server that can encrypt MUST NOT be able to decrypt. If that server can do both, then your only protection on those SS#'s is your FTP password - certainly well below the actual strength of your 1024 bit GPG key. Even your solution of allowing employees to post the decrypting key in a form IS USELESS as a security measure because if I can obtain your FTP password, then I can modify your scripts to send me a copy of the secret decoder key when one of your employees enters it and then I can use it on the web site.
Now you might be saying, "Well, this is a little overkill. We're not Amazon.com." and that might be true, you're probably not going to get hacked. I'm just pointing out that if you use the techniques you've described then you've completely eliminated any benefit you were getting from using GPG.
In other words, don't even bother using GPG if you're just going to let the machine that encrypts also have the ability to decrypt.
So what's the correct solution? After you encrypt it, store it in a database on the server. When an employee wants to decrypt it, you have a simple routine to have the encrypted SS# emailed to your employee. That employee has GPG running on their local machine and has the secret key on their keyring. Then they can easily decrypt the SS#.
All you need to do to encrypt the SS# is put import your public key to your GPG keyring using iPowerWeb's nifty tool. Then use this command to run GPG and encrypt the SS#:
$encryptme = $users_social_security_number;
$gpg_path = "/usr/bin/gpg";
$home_dir = "/path/to/my/website";
$user_env = "apache";
$recipient = "email.address@on-your-public-key.com";
$cmd = "echo $encryptme | HOME=$home_dir USER=$user_env $gpg_path " . '--quiet --no-secmem-warning --encrypt --armor --always-trust ' . "--recipient $recipient";
$encrypted = `$cmd` ;
