oshiokiyo~
keybase
keybase is a neat dude. if you've found yourself reading this, you're likely already familiar with it. if not, this post will get into some possible uses.

at its core, keybase is a way to ensure that the person you're talking to is who you think they are. a user can link accounts, websites, and encryption keys to their keybase user, creating a chain of linking proofs.

a common example is jeff. jeff has a twitter and a github. say you know him on twitter and want to give him access to a github repo. you look on his keybase page, it shows that he has proven ownership of both accounts, so you can trust that you're giving git access to the correct person.


website ownership is another useful feature, with both https and dns proofs available.

while proof-of-identity is a large part of keybase, the team offers users a number of tools, all free, from easy encryption to web hosting.
encryption
keybase makes encryption dead easy. it uses both pgp and nacl, as well as paper keys.

encrypted pgp public and private keys can be added to the service to support pgp operations in-browser, with all crypto done client-side. it is entirely possible to use keybase with your private key never being seen by the servers, doing all pgp operations with the keybase cli or gpg.

each device you install the client on gets its own nacl device key, and as a backup, full nacl keys called paper keys can be created.

a paper key is simply a list of random words, identified by the first two words. all three types of keys may be used to sign the proofs that tie your various accounts together, and can be used to encrypt information in several ways.
web
anyone with a web browser with js can encrypt a message to any keybase user who has a pgp public key on their profile, through this page. anyone, even without a keybase account, can enter information there and send me the encrypted content.


if i had my private pgp key on keybase's servers, i could also decrypt that message in-browser (after entering my keybase passphrase).

anyone, even while logged out, can verify a signed pgp message from a keybase user. signing a pgp message through their website requires you to have uploaded your private key to their servers.

if that makes you uncomfortable, which it should, all of these operations can easily be done from the command line.
command line
when you install the keybase client, you get a pretty but under-active-development gui, and a nice cli.

encrypting with the command line is as simple as keybase encrypt username -m "here's a secret!", where the username is a keybase user's username. what a breeze that was! this uses the user's nacl device keys and creates an encrypted saltpack.


if you prefer using pgp, it's simply keybase pgp encrypt username -m "message". there are more flags than just -m.

decrypting is simply keybase decrypt -m "encrypted text here" or keybase decrypt -i inputfile. this syntax is the same for sign and verify, and all work for pgp keys as well.

if you don't like keybase's cli, you can do all these operations with gpg as well, using your same keypair.
kbfs
kbfs, the keybase file system, is a big nifty tool. it's a secure distributed filesystem, making it super easy to share files with both keybase users and the rest of the world.

when you run_keybase, something magical happens. the entire kbfs is mounted to /keybase/, or on windows to the K: drive. in this directory, there are two more, /keybase/private/ and /keybase/public/. things in the private directory are encrypted. things in the public directory are signed. automatically. when you move files there.

unlike other services like dropbox, keybase doesn't use a sync model. instead, files are downloaded when you access them.
private
my personal private directory, /keybase/private/lyk/, can only be written to and read from by me. a dir /keybase/private/lyk,you/ is encrypted and shared between any computers on which we've installed the keybase client. only we can put things in, see what's in, and take things out.

if you try to access someone else's private directory, you're met with the usual.


if we wanted only one other person to read from a directory, /keybase/private/lyk,you,#jim/ could be used to give the user jim read-only access.
public
now, /keybase/public/lyk/ is a directory where all files are signed by me. anything in here is guaranteed to come from me and only me. only i can write, but everyone else on keybase has the directory on their computer. this file you're reading is located at /keybase/public/lyk/www/keybase/index.html.

there's also /keybase/public/lyk,you/, where you and i can write, and anyone else can read. this could be useful for site admins to share news, or software developers to host signed releases. group shortnames are hopefully coming soon, so you could have /keybase/public/one,two,three,four,five,six/ aliased to something shorter to type, and so you could add a seventh person without having to change the directory name.

keybase.pub
keybase.pub is a domain where all single-user public directories are hosted. here is where my public files are located, which shows the same list of files as ls /keybase/public/lyk/.

in addition, lyk.keybase.pub also hosts the raw files, so curl https://lyk.keybase.pub/index.html is the exact same as cat /keybase/public/lyk/index.html. you can do this too!


now isn't that something! what a treat.
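
the folder-name rules from the private, public and keybase.pub sections, written out as a small python model. this is an added example, not code from the original post or from keybase; the function names and the user eve are made up for illustration, and the parser accepts the "lyk,you,#jim" spelling used above.

```python
# added example: models the kbfs folder-name rules described in this post.
# nothing here talks to keybase; the paths below are the ones the post uses.
from urllib.parse import quote


def parse_kbfs(path):
    """split /keybase/<kind>/<names>/<rest> into its parts."""
    parts = path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "keybase" or parts[1] not in ("private", "public"):
        raise ValueError("not a kbfs private/public path: " + path)
    kind, names, rest = parts[1], parts[2], parts[3:]
    # names before '#' may write, names after it are read-only. empty items
    # are dropped, so the post's "lyk,you,#jim" spelling parses as well.
    before, _, after = names.partition("#")
    writers = [n for n in before.split(",") if n]
    readers = [n for n in after.split(",") if n]
    if not writers:
        raise ValueError("folder name has no writers: " + names)
    return {"kind": kind, "writers": writers, "readers": readers, "rest": rest}


def access(path, user):
    """what the post says `user` can do in this folder."""
    f = parse_kbfs(path)
    if user in f["writers"]:
        return "read-write"
    if f["kind"] == "public" or user in f["readers"]:
        return "read-only"
    return "none"


def protection(path):
    """private folders are encrypted, public folders are signed."""
    return "encrypted" if parse_kbfs(path)["kind"] == "private" else "signed"


def pub_url(path):
    """https url for a file in a single-user public folder, else None."""
    f = parse_kbfs(path)
    if f["kind"] != "public" or len(f["writers"]) != 1 or f["readers"]:
        return None
    return "https://%s.keybase.pub/%s" % (f["writers"][0], quote("/".join(f["rest"])))


if __name__ == "__main__":
    for p in ("/keybase/private/lyk,you,#jim/", "/keybase/public/lyk/index.html"):
        for who in ("lyk", "jim", "eve"):  # eve: made-up outsider
            print(p, who, access(p, who), protection(p))
    print(pub_url("/keybase/public/lyk/index.html"))
```
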
chat
the keybase team recently added chat to their list of features. encrypted chat between users. it's simple, can be used from the cli, and has a json api. hopefully a mobile app isn't too far away, now.
conclusion
in conclusion: keybase is cool. you can use it to ensure identities, encrypt secrets, and share files.

the chain of proofs is different from, and arguably much easier and safer than, key-signing and trusting the traditional pgp web of trust. encryption is simple and easy enough for anyone to use.

with kbfs, sending a file to someone outside of keybase is as easy as copying a file into your kbfs public directory, as the files are automatically signed and hosted over https. if they use keybase, then /keybase/private/you,them/ is already a quick and easy encrypted bridge between your computers.

and remember, all of keybase is under active development and not yet fully polished.