
Ask HN: Keybase Alternatives? - capableweb
Since Keybase is being acquired by Zoom (see [https://news.ycombinator.com/item?id=23102430](https://news.ycombinator.com/item?id=23102430)), it would be lazy to not start looking at alternatives already

I myself mostly use the following features from Keybase: Chat, KBFS, Git repositories and encrypting messages sent out-of-band via PGP in Keybase (and the various cryptographic tools [signing, validation etc])

What alternatives have the features outlined above, but are ideally either FOSS or at least not run by a for-profit company? I mainly used Keybase to make using those features easier, so please don't suggest the cli of gnupg (or similar) as alternatives.
======
lucideer
> _I myself mostly use the following features from Keybase: Chat, KBFS, Git
> repositories and encrypting messages sent out-of-band via PGP in Keybase
> (and the various cryptographic tools [signing, validation etc])_

While all these features are individually nice, I kinda started to worry about
Keybase as a product when they started bolting on stuff like this.

I think the key (pun intended) to stable & ongoing success in this space is to
focus on doing one thing well. Keybase was incepted as a service for signing &
validation. There's currently [https://keys.pub](https://keys.pub) for that.
I'd be interested to hear if there's others.

For chat, there's a lot of competitors to choose from. I like Riot.im.

For KBFS, Tresorit has been mentioned. I signed up, but haven't been super
impressed with their clients yet. I'm not sure what better options are out
there.

~~~
ceejayoz
None of these really worried me.

The Stellar airdrop was my "oh shit" moment.

~~~
geerlingguy
"Going crypto" is the new 'jumping the shark'.

~~~
spurgu
Then again "crypto" is what Keybase is all about.

------
SkyMarshal
I think the only complete alternative is to successfully persuade the Keybase
team to release their server code under an open source license. Their client
is already open source.

[https://github.com/keybase](https://github.com/keybase)

The only other alternative is a mishmash of multiple apps that each do part of
what Keybase does.

~~~
capableweb
That would be really great, but it feels very unlikely as well. If they
could open source it, why didn't they do it before?

~~~
ahnick
Probably, because it provided them with more likely paths to monetization
having everyone dependent on their server infrastructure. An argument could be
made that if Zoom wants to build positive equity with the security community
then open sourcing the Keybase server might be a good way to do that.

~~~
mdkrkeo9
The only positive Zoom is interested in is the rate of growth in their bank
account.

------
sylvain_kerkour
Hi, I'm developing Bloom[0] which is an entirely FOSS encrypted[1] and
offline-first (but with multi-devices sync!) productivity app which features
Files, contacts, calendar and notes. So no chat nor Git, but everything else
:)

If you are interested in joining the (coming soon) beta, feel free to contact
me: [https://bloom.sh/contact](https://bloom.sh/contact)

[0] [https://gitlab.com/bloom42/bloom](https://gitlab.com/bloom42/bloom)

[1]
[https://gitlab.com/bloom42/bloom/-/wikis/security](https://gitlab.com/bloom42/bloom/-/wikis/security)

~~~
alexriabtsev
Am I right that it's a FOSS alternative to Google apps?

~~~
sylvain_kerkour
Yes :) I launched it last June but it was a webApp. Time has passed and the
project has switched to native apps to offer what Google (and the web) can't
offer: offline first and end-to-end encryption.

So it offers the same services as Google, but with better (in my opinion)
features.

~~~
alexriabtsev
can I get beta invite?

------
jamieweb
I'm not seeing much mention in this thread of the cryptographically-linked
identities feature of Keybase, i.e. where you can link your Website, Twitter,
Reddit, HN, etc.

As far as I know, that was Keybase's initial offering, which they then built
on top of to create a full suite of applications.

Although to play the Devil's advocate - while the feature is cool and
implemented nicely, I doubt that many people actually use it beyond the
novelty factor.

~~~
samatman
I've had one person use it to find me after a conference, confirm my various
online identities (he only had one handle to work with), and contact me
securely.

That leadededededed to paying work, so it was important even if it only
happened one time.

~~~
AnonC
> That lead to paying work

Typo: it should be “led”, not “lead”

~~~
samatman
typo corrected, thanks!!

~~~
streb-lo
: )

------
giancarlostoro
Since nobody's mentioned Wire, it's not a 1:1 alternative but it's close in
terms of chat. I don't think any 1:1 alternative to KeyBase will rise up
anytime soon, hosting git and files will be a bit to build up to.

Website:

[https://wire.com/en/](https://wire.com/en/)

Their backend is open source unlike KeyBase:

[https://github.com/wireapp/wire-server](https://github.com/wireapp/wire-server)

~~~
Aachen
We've been using Wire in our company for a few years now, I can't say it's a
great UX or bug-free, but it gets the job done and supports most things we
want like being available on all platforms, key verification (proper e2ee, not
like Keybase that trusts the server on first use), (group) calling and (group)
video calling, audited, open source, sending files of course, timed/expiring
messages, no need for a phone number upon registering... it's really quite
complete if you're willing to put up with it being a sluggish web/electron
client. Well, and the network effect: I wish more people were on it so that
wouldn't be a barrier, but Keybase had the same issue there so this might be a
good place for Keybase users to continue chatting.

~~~
AnonC
Have to agree on the Wire clients being sluggish. I’ve seen this on all
platforms I use (even on mobile). Otherwise it’s so nice to have something
that doesn’t require a phone number and allows up to three accounts to be
set up in a client for free users.

------
rasengan
Handshake [1] is a great keybase alternative that doesn’t even rely on
centralization. All information is verifiable with the blockchain acting as
the root of trust.

[1] [https://handshake.org](https://handshake.org)

~~~
SkyMarshal
I thought Handshake was decentralized DNS server. Keybase is primarily a
secure chat app. Does Handshake have chat, chat room, and team chat
functionality too?

~~~
Hamuko
> _Keybase is primarily a secure chat app._

Isn't that chat pretty new in Keybase's history?

~~~
sleepybrett
Just over three years.

------
spladug
If you just want to share your public key safely, a .well-known directory on
your domain works these days:
[https://wiki.gnupg.org/WKD](https://wiki.gnupg.org/WKD)

~~~
Arkanosis
Just a quick note on WKD since I've been bitten by this a few days ago: as
soon as you set it up, some people will start using your keys automatically,
without even knowing it (eg. it seems that ProtonMail automatically uses keys
found on a WKD to encrypt outgoing mails). While in itself it's not a bad
idea, you'd better prepare for this to avoid looking stupid like me, when you
receive a casual encrypted mail and you're not able to read it (my private
keys are air-gapped and until now I only expected to receive PGP-encrypted
mail if it was worth the effort to read it offline).

~~~
oefrha
Using WKD is also a good way to solicit useless “security”-related emails from
people running questionable automated scanners.

~~~
Boulth
I think you confused this with security.txt standard. WKD is not enumerable
(unless explicitly configured like that) so the issue doesn't exist.
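
As an added worked example (not from spladug's or Boulth's comments, and not GnuPG's own code), the Python below computes the lookup URLs a WKD client derives from an e-mail address: the local part is lowercased, SHA-1 hashed and z-base-32 encoded, and that opaque 32-character file name is what lives under `.well-known/openpgpkey`. This is also why a WKD directory is not enumerable unless the web server lists directories: the file names reveal nothing about the addresses behind them. The address `Joe.Doe@Example.ORG` and its expected hash are the WKD Internet-Draft's own example; the publishing-path helper assumes a plain static web root and is a constructed illustration.

```python
"""WKD (Web Key Directory) lookup URL and publishing-path computation.

Added example; follows the address-to-URL mapping of the WKD Internet-Draft
(draft-koch-openpgp-webkey-service) and is not GnuPG's own code.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (Zooko's); same 5-bit grouping as RFC 4648 base32, no padding
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (MSB-first 5-bit groups, right-padded with zero bits)."""
    nchars = -(-(len(data) * 8) // 5)  # ceil(bit_count / 5); 20 bytes -> 32 chars
    value = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """Hashed local part used as the file name under .../hu/.

    Lowercase, SHA-1, z-base-32: the directory holds opaque names, so knowing
    the hash does not give you the address and you cannot list addresses
    from the directory contents (barring directory listing on the server).
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' method URLs a client tries, in that order."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    # The ?l= parameter carries the unmodified local part (percent-encoded)
    l_param = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


def wkd_publish_paths(address: str, webroot: str = "/var/www/html") -> dict:
    """Where the binary (not ASCII-armored) key and the policy file go for the
    direct method on a static web root. The web root is an assumed placeholder."""
    local, _domain = address.rsplit("@", 1)
    base = f"{webroot}/.well-known/openpgpkey"
    return {
        "key": f"{base}/hu/{wkd_hash(local)}",
        "policy": f"{base}/policy",  # the draft requires this file to exist; it may be empty
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:9} {url}")
    for name, path in wkd_publish_paths("Joe.Doe@Example.ORG").items():
        print(f"{name:9} {path}")
```

Once the key file is in place, anyone with a WKD-aware client can fetch it by address alone, which is exactly the behaviour Arkanosis describes above: publishing is an invitation to receive encrypted mail, so be sure the corresponding private key is somewhere you can actually use it.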

------
nanomonkey
Scuttlebutt is an open source p2p gossip network (no central servers) that
includes clients that implement chat, blogging, git and github replacements,
Shamir's Secret sharing (splitting up a secret by encrypting it so that a
number of your friends are needed to decrypt, via Dark Crystal
[https://darkcrystal.pw/](https://darkcrystal.pw/)), games and probably
more that I am forgetting. You could easily place your public keys in your
user profile.
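
To make the Dark Crystal description concrete, here is an added example (not Dark Crystal's or Scuttlebutt's code) of Shamir's secret sharing: a k-of-n split of a secret over a prime field, with recovery by Lagrange interpolation at x = 0. The field prime, the threshold and the sample secret are constructed for the example. Any k shares reconstruct the secret, and k-1 shares are consistent with every possible secret, which is the property the comment relies on when handing pieces to friends.

```python
"""Shamir's secret sharing: k-of-n split over GF(p) and Lagrange recovery.

Added example, not Dark Crystal's or Scuttlebutt's implementation.
"""
import secrets

# Field prime (constructed choice): 2^127 - 1 is prime, so secrets up to 127 bits fit.
PRIME = 2**127 - 1


def _eval_poly(coeffs: list, x: int) -> int:
    """Evaluate the polynomial (coefficients lowest degree first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):  # Horner's method
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, shares: int) -> list:
    """Split an integer secret into `shares` points; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)) for i = 1..shares. x = 0 is never handed out
    because f(0) is the secret itself.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: list, threshold: int) -> int:
    """Recover f(0) from at least `threshold` distinct shares by Lagrange interpolation.

    With fewer than `threshold` points the interpolation would silently return
    garbage, so that case is rejected rather than guessed.
    """
    if len(shares) < threshold:
        raise ValueError(f"need at least {threshold} shares, got {len(shares)}")
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x values")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME          # product of (0 - x_j)
                den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        # y_i times the Lagrange basis polynomial L_i evaluated at x = 0
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_bytes(secret: bytes, threshold: int, shares: int) -> list:
    """Wrapper for byte-string secrets of at most 15 bytes (so they fit under PRIME)."""
    if len(secret) > 15:
        raise ValueError("secret too long for this field; use a larger prime or chunk it")
    return split_secret(int.from_bytes(secret, "big"), threshold, shares)


def recover_bytes(shares: list, threshold: int, length: int) -> bytes:
    """Inverse of split_bytes; `length` is the original secret length in bytes."""
    return recover_secret(shares, threshold).to_bytes(length, "big")


if __name__ == "__main__":
    key = b"constructed-key"          # 15 bytes, a constructed sample secret
    pieces = split_bytes(key, 3, 5)   # 3-of-5: one share to each of five friends
    print("any three recover:", recover_bytes(pieces[1:4], 3, len(key)) == key)
```

A real deployment would additionally authenticate each share (so a friend cannot hand back a tampered one undetected) and use a field large enough for the key material being protected; the small prime here only keeps the arithmetic easy to read.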

~~~
Aachen
Just looked in the repository, looks like there is an app for it on f-droid.
Do you have experience with Manyverse / would you recommend it?

app [https://f-droid.org/app/se.manyver](https://f-droid.org/app/se.manyver) /
website [https://www.manyver.se/](https://www.manyver.se/)

~~~
m52go
I've downloaded Manyverse from F-Droid so many times, hoping to finally use it
for real...but I never could. I was particularly excited recently when an iOS
app was released.

If you have a really close group of techy friends who don't mind hiccups and
tinkering and don't mind a strictly non-private social medium, maybe it could
work.

However, if you're trying to use it with normies, you might be disappointed.
Private messages don't work at all, in my experience. Syncing with a pub
server takes a couple of restarts, and there is no indicator in the GUI that
any syncing is happening, so the user is left guessing.

I have nothing but respect for Andre Staltz and all the dedication and work
that he and others have put into the app (and ecosystem) but, at least for me,
it's just not quite there yet.

~~~
627467
I'm only a recent user of SSB; many of the problems you describe seem related
to the inherent nature of the protocol making it hard to onboard (i.e. you
almost always would need access to a pub to connect to the first few users).

On iOS you could try [https://planetary.social/](https://planetary.social/)

------
freewizard
I'm expecting Matrix/Riot has some of those like chat, and will develop some
more.

And there'll be definitely alternatives, which is the beauty of FOSS.

------
ianopolous
If anyone's looking for a fully open source, decentralized encrypted
filesystem similar to KBFS, then checkout Peergos[1][2]. It's built on top of
IPFS.

[1] [https://book.peergos.org](https://book.peergos.org)

[2] [https://github.com/peergos/peergos](https://github.com/peergos/peergos)

[disclaimer: Peergos founder]

------
atonse
I am also curious here. I have used and advocated strongly for Keybase with a
couple of local government clients to send sensitive files back and forth (not
sensitive in the sense of national security, but more to preserve privacy and
store encrypted at rest).

But I want to get ahead of the concern that Keybase is now owned by a Chinese
company, which instantly compromises it.

PGP is dead on arrival, since it's an overcomplicated mess.

Keybase felt like WireGuard for its use case, just dead simple and also
secure.

Update: I just want to clarify that I am happy for the Keybase team. This is
clearly an acquihire meant to bolster Zoom's security talent. And as a Zoom
user, I'm generally happy about this development. But there will definitely be
a concern about them being acquired by a Chinese company.

Update #2: I thought about FooBarWidget and others' comments, and I'm going to
alter my wording. Zoom isn't a Chinese company, but their development team has
been entirely based in China all this time and there have been concerns about
that (which are entirely legitimate for certain groups like governments, in my
opinion), especially given their communications aren't e2e encrypted.

~~~
FooBarWidget
Zoom is not a Chinese company. The founder merely was born in China. He is US
citizen.

I am very put off by this anti-China rhetoric. Everything that even has a
remote connection to China is now under suspicion. This is madness.

~~~
vikramkr
Yeah, Zoom is a US based company. Yes, they have a development team in China.
It is valid to be concerned about the Chinese government exercising control of
some sort over the local development team to put in a backdoor, just as our
government seems to want to do to US developed products. No politicians really
seem to like encryption very much. This is an overall geopolitical risk not
unique to Zoom. But Zoom is not a Chinese company, it falls under US
jurisdiction. And sovereign security risks are not unique to Chinese
companies. Just saying that Zoom needs to be treated with caution because it
is a "Chinese company" is lazy and inaccurate, and incorrectly characterizes
both Zoom and where that risk originates.

~~~
atonse
Yes, and I've clarified and fixed my originally badly described wording. I'll
let Zoom describe this themselves.

From Zoom's S-1 [1]:

"In addition, we have a high concentration of research and development
personnel in China, which could expose us to market scrutiny regarding the
integrity of our solution or data security features. Any security compromise
in our industry, whether actual or perceived, could harm our reputation, erode
confidence in the effectiveness of our security measures, negatively affect
our ability to attract new customers and hosts, cause existing customers to
elect not to renew their subscriptions or subject us to third-party lawsuits,
regulatory fines or other action or liability, which could harm our business."

[1]
[https://www.sec.gov/Archives/edgar/data/1585521/000119312519...](https://www.sec.gov/Archives/edgar/data/1585521/000119312519083351/d642624ds1.htm)

~~~
vikramkr
Thanks for clarifying that, and yes, Zoom's s-1 writers did a good job of
laying it out. The risks are real, and presenting them in an incorrect way
makes it easy for people to dismiss the risks when they shouldn't. If the
times comes because they're a Chinese company, and you check and see that
they're a delaware c corp founded by a US citizen headquartered in the US,
that would lead you to discount that risk. Clarifying that the risk comes from
the development team being in a country where the government is in a
contentious trade relationship with the US with an authoritarian regime
(especially if the dev team isn't in one of the special economic zones) helps
highlight what the risk is and confirm that it is a real threat.

------
cybdnb
Thanks keybase for the free $100 worth of lumens. You'll be remembered fondly.

~~~
3JPLW
What have you done with your lumens?

~~~
aquabeagle
Immediately sold them and kept the cash

~~~
coldpie
The most embarrassing pump-and-dump in recent memory.

~~~
l33tguy
I will always love them for this.

------
divbzero
The Keybase acquisition is a reminder of the potential fragility of using
centralized services (root servers, GitHub, CAs) to support decentralized
tools (DNS, Git, TLS).

> ideally either FOSS or at least not run by a for-profit company

I agree with these aims, but _ideally_ I’d hope for the alternatives to be
decentralized as well.

------
frellus
Why not Mattermost ([https://mattermost.com/](https://mattermost.com/))? If
the key feature of keybase was encrypted chat, seems like Mattermost solves
the problem.

Or Signal?

~~~
mawalu
Why would mattermost solve that?

------
SamWhited
For e2e encrypted chat there's
[https://conversations.im](https://conversations.im). I've been using it for a
while since it lets me bring my own domain and have been very happy. The
Android client supports encryption with PGP keys and OMEMO (a double ratchet
like Signal uses with some nice key trust options added on top to make it easy
for novices, but configurable by experts).

~~~
m4lvin
A few days ago Conversations also learned how to make audio and video calls
:-)

------
hexandcube
I've only heard about [https://keys.pub](https://keys.pub)

------
karanganesan
Signal App - Completely open source

[https://signal.org/en/](https://signal.org/en/)

~~~
expialidocious
Does signal still require me to share a phone number?

~~~
nske
It does (or at least did, when I was using it). It only requires it for
registration, so you could even use a disposable phone number, but regardless
it is a nonsensical choice for something that could aspire to be a general-
purpose chat application.

The server is open-source so you could host your own server -though that's not
very practical due to the client situation (not really a variety of
configurable ones, so you'd probably need to change/package/distribute the
official).

------
mvanbaak
Chat: Pick one of the many available. telegram, signal, wickr etc etc

KBFS: personally I switched to gpg encrypting important files on a NAS with
encrypted backups to amazon glacier and backblaze.

Git: gitlab, github, bitbucket (just to name a few)

Encrypted messages out-of-band: Just use plain pgp/gpg

~~~
tonyarkles
> Git: gitlab, github, bitbucket (just to name a few)

None of those hide the contents of your repo from the company that's hosting
it. I suppose self-hosted Gitlab hides it the same way that Keybase does (the
company's software sees your repo, but it's not stored in plaintext on their
disks)

~~~
frio
Yes. I _love_ Keybase Git for instant, immediate, safe backups of private
repos. Keybase Git has been an absolutely killer feature for me since it came
out and I'll miss it terribly if Keybase-the-software takes a turn for the
worse. Now is the time to ensure I've got everything properly backed up, I
guess.

[https://github.com/spwhitton/git-remote-gcrypt](https://github.com/spwhitton/git-remote-gcrypt) is probably the best
alternative for now, but I'm wailing and gnashing my teeth at the prospect of
going back to PGP keys. Maybe there's some way to intersect
[https://github.com/FiloSottile/age](https://github.com/FiloSottile/age) and a
git remote.

~~~
frio
... and
[https://rovaughn.github.io/2015-2-9.html](https://rovaughn.github.io/2015-2-9.html).
Maybe a weekend project hiding in here somewhere.

------
FunnyLookinHat
The big feature for me is easy and secure backup of things like dotfiles (and
it not being secured ONLY by a password). I may just combine gpg and a private
S3 bucket now along with some simple bash tooling.

~~~
mk4p
Exactly how I'd been using it - keeping my dotfiles in a git repo that's not
at GitHub.

------
CalmStorm
I have been working on this decentralized key-value database:
[https://github.com/kevacoin-project/kevacoin](https://github.com/kevacoin-project/kevacoin) Together with W3C's draft Decentralized Identifiers (DID:
[https://www.w3.org/TR/did-core/](https://www.w3.org/TR/did-core/)), it could
provide a decentralized alternative.

Not sure what is the best way to verify Twitter/Github account though. This
has to be managed by users themselves. E.g. one user posts a proof in the
Twitter account, the other user verifies the proof by checking the proof
against the public key posted in the database.

~~~
SujiYan
Take a look at GunDB for the DB?

Also for binding social accounts -- maybe take a look at
[https://Maskbook.com](https://Maskbook.com) &
[https://github.com/DimensionDev/Maskbook](https://github.com/DimensionDev/Maskbook)
- able to send encrypted posts/comments on fb/twitter etc

------
SujiYan
We're working on a solution for users to link their Fb/twitter identity to a
decentralized ID and post encrypted posts/comments (even sending any crypto
over) on Fb/twitter only viewable by friends (not able to be decrypted by Fb or
NSA) -

[https://maskbook.com](https://maskbook.com)

Source code:

[https://github.com/DimensionDev/Maskbook](https://github.com/DimensionDev/Maskbook)

For now we're trying to integrate decentralized FS solution as well so
eventually Fb/twitter can be merely an infrastructure layer

------
Yeri
keys.pub does the signing/validation part

~~~
VectorLock
keys.pub felt a lot like keybase when I first saw it. Now it seems like a
no-brainer go-to replacement.

------
tkeeler
I'm a light user of Keybase and used it primarily for validation & signing.
The social identity verification was quite nice. It seems that's what most of
the users here were using it for.

My suspicion is while we're not likely to see much new development from
Keybase, the existing capabilities aren't likely to go away for some time.

The premise of validation/signing isn't a technically complex approach and I'm
sure someone can create and FOSS it. The question however is - what features
would you want integrated and what things did you find annoying?

------
niyikiza
What's a good business model for this kind of company?
[https://news.ycombinator.com/item?id=23106043](https://news.ycombinator.com/item?id=23106043)

~~~
dennyabraham
I would pay business money, for a way to manage, simply and conveniently,
trusted developer identities (via a web of trust) to validate software
packages. This is something of a larger concern, but if that was their product
goal, it is a thing I would attach a dollar figure to

------
zsoltsandor
You can do the PGP part in a decentralized way with notations and proof-
specific posts - including HN:
[https://metacode.biz/openpgp/proofs](https://metacode.biz/openpgp/proofs)

And then there is WKD if you have a hosted site:
[https://metacode.biz/openpgp/web-key-directory](https://metacode.biz/openpgp/web-key-directory)

------
rebblumstein
Can someone ELI5 why an alternative is really needed here?

~~~
rasengan
There needs to be a way to verify keys and identity when using encryption as
well as when using public key operations as a method of authentication in
general.

Keybase, a centralized service, provided this ability [1]. Now that it was
acquired by Zoom who has a history of poor privacy policies [2], people are
looking for an alternative. One suggested alternative is Handshake [3], a
decentralized system.

[1] [https://book.keybase.io/guides/proof-integration-guide](https://book.keybase.io/guides/proof-integration-guide)

[2] [https://www.theguardian.com/technology/2020/apr/02/zoom-tech...](https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing)

[3] [https://handshake.org/](https://handshake.org/)

------
ParadisoShlee
Hopefully something with Activitypub can be created... splitting up lots of
independent Keybases connected using federation protocols would be rad.

------
INTPenis
The main thing I miss about keybase is the signing and verification of public
resources like Github, mastodon accounts and personal websites.

------
ereyes01
upspin.io seemed like a strong decentralized alternative from the same people
who maintain the Go language, but unfortunately it seems defunct, judging by
its GitHub activity. Anyone know if it has been forked and maintained
elsewhere?

------
baby
A bit late, but I just wrote
[https://cryptologie.net/article/502/alternatives-to-pgp/](https://cryptologie.net/article/502/alternatives-to-pgp/)

------
sterlind
I host a git repo on Keybase. Is there a replacement specifically for this
feature? I don't want to host the plaintext on any cloud, but I want the
ciphertext to be highly available and easily re-encrypted in case of
compromise.

------
gnu
keybase is unfortunately one of those programs that combine many things into
one - somewhat antithetical to the Unix philosophy of doing one thing well.

For kbfs, tahoe-lafs is a nice alternative. I don't know about the fuse
interface as I haven't used it, but it has some solid fundamentals behind it,
actively being developed and can be self hosted.

GPG still works! GPG also is a swiss army knife, unfortunately. There is
OpenBSD signify (or minisign) if you want signatures.

There is also age -
[https://github.com/FiloSottile/age](https://github.com/FiloSottile/age)

------
stickac
[https://keys.pub](https://keys.pub)

------
vbezhenar
GPG works, I don't know why anyone thought that anything else is needed.

~~~
wglb
See [https://latacora.micro.blog/2019/07/16/the-pgp-problem.html](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html).

I don't recommend it.

------
eddieoz
Bitrated is an interesting alternative for identity/reputation validation -
wot based: [https://www.bitrated.com](https://www.bitrated.com)

------
neets
Can someone suggest an alternative for encrypted git?

~~~
Snawoot
git-remote-gcrypt: [https://github.com/spwhitton/git-remote-gcrypt](https://github.com/spwhitton/git-remote-gcrypt)

It's available in most distro repositories and works with almost any
underlying remote repos.

------
wayneftw
Honest question: What function does a server perform in end to end encryption?

Because I see that the Keybase client is open source but not the server…

~~~
xrd
You have to exchange data (public keys and the actual encrypted content) and
if you can't do that peer to peer, you need something that facilitates that.
For example, webrtc clients can talk over an encrypted channel to each other
p2p if they are inside the same network. If not they need a TURN server to
relay that information and do NAT (firewall traversal). For obvious reasons no
one wants to be the service provider of anonymous encrypted content, hence a
business opportunity.

------
covidcovidcovid
10 years ago I was able to get good result from ads, but now it is an absolute
waste of money and it's not worth it anymore.

------
acasajus
protonmail for mail/chat and protondrive (when it's released for kbfs) or
tresorit

------
misrab
Ethereum.

~~~
hexandcube
What does Ethereum have to do with keybase?

------
lihaciudaniel
Unironically WhatsApp it has its own end to end encryption

------
zelly
[https://pgp.mit.edu/](https://pgp.mit.edu/) has been around before and will
be around after Keybase is long gone.

------
client4
I'd suspect this is jumping the gun a lot bit. Keybase was running a free
service for years and has matured a lot in the last year (post crypto
debacle). There's nothing stopping them from 1. Letting Keybase go into
maintenance mode. 2. Donating the server to a foundation. 3. Open sourcing
their server.

In all these scenarios Zoom gets better security which is a win for the world
:)

~~~
AlexCoventry
> In all these scenarios Zoom gets better security

I'm more worried about the scenarios in which keybase gets worse security.
Zoom's attitude to security is terrible.

~~~
trog
I am even more worried about the scenarios in which the rest of keybase ceases
to exist if Zoom decides it's not worth keeping online!

