It is standard practice to send "plaintext" passwords over HTTPS. The passwords are ultimately not plaintext, since the client-server communication is encrypted as per TLS.
You are avoiding my argument.
You claimed that you don't have access to the private keys.
But you have access to the encrypted file AND the password. And therefore to the private keys.
And additionally, you didn't comment on this:
You claim that you prevent CSRF
with "SQL Injection filters":
We use SQL injection filters to prevent CSRF attacks [...]
So, my question still stands:
Are you incompetent or do you have malicious intent?
Or maybe both?