Keybase: PGP encryption made easy
Posted on Sat 21 October 2017 in HowTo • Tagged with GnuPG, PGP, Security, Encryption, Keybase
Using PGP can be quite hard, even if you have a lot of experience with computers. By the way encryption is what gives us privacy and permits us to safely transmit information and for this reason it should be easy to use, for everyone.
Keybase really makes encryption easy to use.
When Keybase was launched it was mainly a wrapper for PGP commands to encrypt and decrypt a message for a certain user, but it also introduced a very nice chain of trust.
In Keybase it's possible to either generate a new PGP key or import an existing one but the most important thing is being able to verify our own identity using multiple proofs.
Many of us have a personal blog, a Twitter or Facebook accounts, a GitHub account etc... All these accounts combined together make our online identity.
Every Keybase account can be verified by other online identities. In Keybase you don't just say "I'm Andrea Grandi, this is my PGP key...". In Keybase you can link your existing online accounts to your Keybase account and show additional proofs of your identity.
Unless an attacker controls all your social accounts, they cannot impersonate and verify themselves as if they were you.
Once you are on Keybase, other users can look for you even using your GitHub or Twitter username without having to know your email address or Keybase username. This concept can be very useful in some situations, we will see it later.
One of the first features launched by Keybase was their encrypted filesystem. There is a virtual folder located at /keybase (on OSX/Linux or k:\keybase on Windows) where you will find at least three other folders: public, private, team.
Anything you place inside the /public folder can be accessed by any Keybase user and it's automatically signed. Every user public folder/file can be accessed using their Keybase username, like for example /keybase/public/andreagrandi/hello.txt but you can also use any other identity like /keybase/public/[email protected]/hello.txt or /keybase/public/[email protected]/hello.txt
Note: This is very useful if you only know a person on Twitter (or GitHub etc...) and you want to share a file with them (or send a message, as we will see later) but you don't follow each other and you can't reach them privately.
This is a public folder example of one of the Keybase developers:
You can put whatever you want in these folders: your public PGP key, your official avatar, your Signal fingerprint etc... the other users will access these files with the assurance they haven't been changed by anyone else in the middle.
Note: please keep in mind that Keybase doesn't work like Dropbox or similar. Files are not synced between your devices and Keybase servers. Files are streamed on demand, so you won't be able to access these files without a working Internet connection.
Hey but... where is the encryption here?! Whatever you put inside your private folder can only be read by you and only you. Not even Keybase employees can access the content of your files, because they are encrypted before leaving your devices and decrypted on demand when you want to access them.
Do you want to share files with anotheruser? No problem. Just create a file inside /keybase/private/andreagrandi,anotheruser (the folder andreagrandi,anotheruser will implicitely exist already) and that file will only be readable by you and anotheruser.
Security and other information
Keybase employes only have access to: 1) your top level folder names (like: "andreagrandi,anotheruser"), 2) when and for how long you are reading/writing, 3) how much space you are using.
They won't be able to access the content of your files and not even the files or folders names.
Every user initially had 10GB quota available, but a few hints (including one of their recent screenshots) say that now users have 250GB available to store their files.
You can find more technical information about Keybase encrypted folders in this article: https://keybase.io/docs/kbfs
A few months ago Keybase introduced the encrypted chat. Messages between users are end to end encrypted and cannot be read by anyone else, not even having access to Keybase servers.
A better address book
When we use services like WhatsApp or Signal, we are forced to share our telephone number if we want the other person to be able to contact us.
On Keybase I don't need to share my telephone number. Anyone can reach me using one of my online identities: [email protected], [email protected] etc...
You can even send a message to a person who is not on Keybase yet: if you send a message to [email protected], when randomuser joins Keybase and verify their Twitter account, the message will be encrypted for them and will be safely delivered.
Keybase doesn't use PGP to encrypt chat or files. Transmitting the key across all devices wouldn't be safe so each message is encrypted using the public key of every device connected to the account.
Keybase works from the command line too. There is no need to use the graphic client to send a message to another user, you can do something like this:
keybase chat send andreagrandi "Hello mate!"
You can integrate messages in any script and it's even available a JSON API:
keybase chat help api
For more details you can have a look a this blog post on their website: https://keybase.io/blog/keybase-chat
Keybase has recently introduced Teams feature. The Chat becomes more similar to Slack, but with the difference that only team members can read the content of messages and files: the server only knows about team names and users, nobody else can access the content.
It's important to mention that in Keybase there aren't private channels like there are in Slack: if a team wants to have channels accessible only from a restricted group of users, the admin needs to create a sub team. For example if you have a team called keybaselovers you can create a sub team for admins only called keybaselovers.admins
Teams have a dedicated encrypter folder that you will find under /keybase/team/keybaselovers
At the moment the features available from the UI are quite limited and are only available from the command line. In the next weeks these features will be available from the UI too. In the mean time you can have a look at the commandline help:
keybase team --help # for admin'ing teams keybase chat --help # for admin'ing chat channels
Create a Team
keybase team create keybaselovers
Add a user to a Team
keybase team add-member keybaselovers --user=alice --role=writer
For more information you can have a look at the official announcement page: https://keybase.io/blog/introducing-keybase-teams
Sometimes we have the need to store private information in a safe way and we want to be sure that nobody else is able to access these information.
Latest feature that has been added to Keybase is encrypted Git repositories. They are like normal GitHub repositories, but their content is stored in a safer way.
Privacy and Security
What is the difference with GitHub private repositories? In GitHub a private repository is used to store information that only our account can access, but the files are accessible in plain text by GitHub employees. With encrypted Git repositories instead, the information are encrypted before they leave our device and they are stored encrypted. Nobody, without having our private key can read them, not even Keybase employees.
Teams and Quota
Encrypted Git repositories are of course available for teams too. Creating a team repository, it will be available to all the members of the team.
Both teams and single users have 100GB of space available (which is separate from Folders quota).
If I create my personal repository called documents all I have to do to clone it and use it is:
git clone keybase://private/andreagrandi/documents
and I can use it as a normal git repository. Every time I commit and push something, the content will be signed and encrypted and only available to the repository owner (which is me) or to the whole team if it's a team repository.
For more information, please have a look at the official announcement here: https://keybase.io/blog/encrypted-git-for-everyone
Keybase is still in continuous development but it already offers a few interesting features which can help people in their every day life. I strongly advise anyone to get an account, play with the available features and report any bug so the developers will be able to fix them and build an even better product. I can't wait to see the features they will announce in the next months!