What is Keybase?
If you look at my blog links, have followed me on Twitter, or received an email from my corporate "persona," you may have noticed a link to something called "Keybase" or "PGP." While I don't do a ton of secure conversations with any of my email addresses, I was interested in the process of achieving the elusive goal of a truly "secure" conversation chain. In 2016, I was sent an invite to join a new website called keybase.io. Their business model was the ability to post your public PGP key to allow other folks to send you an encrypted message or decrypt a message you had sent. For a brief description of how public-key cryptography works, here's Wikipedia:

> Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security. In such a system, any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

I had looked into PGP keys before but the issue had always been finding a way to make my public key available to anyone who wanted it. I had a key I had generated using OpenPGP, but since I had nowhere to easily point people to if they wanted to use it, it was essentially useless. I needed to solve the "Web of Trust" problem that I was having (described here by PGP inventor Phil Zimmermann via Wikipedia) before I could begin using PGP:
> As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

Since I was just getting started and none of my friends were using PGP, I had no web of trust to socialize my keys to. Keybase solved the issue by letting me vouch for my own certificate from other places I was known. You can see my original Tweet vouching for my Keybase identity if you scroll far enough back in my tweets, same with my GitHub and Reddit posts. If you and I know each other on Facebook, you can find it there. If you go into the DNS settings on my websites, you can see that I have information there tying them back to Keybase. This allows you to know that the owner of each of these public functions is also the owner of the key in question. Keybase allowed me to essentially become my own web of trust.
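The self-vouching described above, as an added sketch that is not code from Keybase or from this blog: a checker accepts an account only when the statement it fetched from that account names that account and verifies against the published key. Textbook RSA with fixed primes stands in for PGP signatures, and the user `alice`, the handles and the statement wording are all constructed for the example.

```python
import hashlib

# Textbook RSA over two Mersenne primes stands in for a PGP key pair.
# Illustration only: no padding, tiny modulus, never use for real data.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept secret
PUB = (N, E)                        # public key, published

def _digest(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

def sign(text, d=D, n=N):
    return pow(_digest(text, n), d, n)

def verify(text, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(text, n)

def statement(kb_user, service, handle, pub):
    # Hypothetical wording; real Keybase proofs use their own format.
    return f"{kb_user} on keybase is {handle} on {service}, key {fingerprint(pub)}"

def check_proof(kb_user, pub, service, posted_by, text, sig):
    # posted_by is the account the checker actually fetched the text from,
    # so a statement copied to another account no longer matches.
    return (text == statement(kb_user, service, posted_by, pub)
            and verify(text, sig, pub))

def proven_identities(kb_user, pub, proofs):
    return sorted(f"{p[1]}@{p[0]}" for p in proofs if check_proof(kb_user, pub, *p))

def sample_proofs():
    # Constructed data: three genuine proofs for "alice", then two bad ones.
    proofs = []
    for service, handle in [("twitter", "alice_t"), ("github", "alice-gh"), ("dns", "alice.example")]:
        text = statement("alice", service, handle, PUB)
        proofs.append((service, handle, text, sign(text)))
    proofs.append(("twitter", "mallory", proofs[0][2], proofs[0][3]))  # copied to another account
    text = statement("alice", "reddit", "alice_r", PUB)
    proofs.append(("reddit", "alice_r", text, sign(text) ^ 1))  # signature does not verify
    return proofs

if __name__ == "__main__":
    print(proven_identities("alice", PUB, sample_proofs()))
```

Only the three accounts whose fetched statement both names the account and verifies under the key are reported; the copied and the badly signed proofs are dropped.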
So, now that you can prove the public PGP Key I'm sharing is actually mine, what can you do with it? Well, it's got 3 main uses.
- Encrypting messages to me you don't want read by others
- Decrypting messages I have sent you
- Validating digital signatures I have placed on messages to assure you I actually sent them
If using something like Keybase sounds interesting to you or you want to get started using PGP, drop me a comment below. I have a number of invites to Keybase sitting on my account and would be happy to send one your way to try it out.
Disclaimer: I am not affiliated with Keybase. Keybase has provided me with no incentives for this post. All the invitations were received by virtue of being a user of Keybase. While I am happy to send you an invite, I may run out. I have no control over the Keybase services, which may change at any time. All thoughts on this post are mine unless otherwise noted.