[joosters]

How much protection does this really give? If you manage to hack the web server, then you can quickly feed the HSM/software daemon unlimited amounts of chosen plaintext to encrypt. Would this make it possible to recover the private keys?

[cbhl]

Provided that a large enough private key is used, using a "chosen-plaintext attack" (the kind you describe) to obtain the key should be computationally infeasible with known attacks on RSA/DSA/ECDSA.

Much more likely that they'd just hack the web server and MITM you or something.

[nightcracker]

Any encryption algorithm that suffers from chosen plaintext attacks is considered broken.