
Ask HN: Does anyone actually use Keybase? - aportnoy
Every other HN profile lists a Keybase public key and a proof, but has anyone actually needed to prove their identity on HN? Does anyone use Keybase for encrypted communication?
======
ShakataGaNai
I have used Keybase since it first showed up on HN for Comms and Git.
Technically I have done the proofs for identity, but no one cares about that.

The Git usage was really nice. It's fast and secure. While I didn't use it for
most projects (because I want them on github/gitlab for various reasons), it
was very useful for backing up machine specific configs and history (using a
script and mackup). Knowing that it was well encrypted made me not worry about
what was being backed up, if there were credentials, etc.

As for comms, I used the 1:1 chat with a friend for quite a while. While it
worked, it's slow. Sending messages is a little slow, sending images is VERY
slow. Anytime the app is closed (like constantly on the phone), re-open times
were slow (for decryption). Eventually I gave it up and moved those few chats
over to Telegram (Because it's secure enough for most conversations).

~~~
rever
Did you consider Signal when you moved to Telegram, if so any particular
reason(s)?

~~~
amdelamar
I tried Signal and Telegram. But I prefer Wire instead. It's secure by default,
cross-platform, multi-device, and simple enough for Mom & Dad to use.

~~~
simplify
How does that differ from Signal?

~~~
espadrine
No Signal Web app. So, not as cross-platform.

~~~
solarkraft
Wire & Telegram are both cloud connected, while Apps on the Signal protocol
depend on your phone to be functioning and in reach AFAIK (huge
annoyance/problem for me).

~~~
newscracker
That's not true about Signal. You may probably be facing some bug that should
be reported to the Signal team.

Telegram is completely cloud based. So all your conversations, except secret
chats that are end-to-end encrypted, are stored on Telegram servers in plain
text for as long as your account is active. This is why you can get a new
device, activate it for your account and get all your conversations back on it
from the Telegram servers.

Wire and Signal work differently. They use their servers as a temporary
storage to hold your messages until the recipient comes online and then
deliver them. Wire also retains the messages for a few days to allow delivery
to multiple devices that a user may be using, with each device possibly coming
online at different times. Signal doesn't have to support this because it's
tied only to a single device, which is your phone.

------
Leace
I used it initially but then found out that bare gpg covers most of my needs.

For example:

- passwords using pass [0] decrypted with Yubikey, and with Password Store
[1] on Android (the same repo, the same Yubikey),

- FDE with LUKS decrypted on boot with Yubikey [2],

- encrypted e-mails with Enigmail and K9/OpenKeychain on Android, works with
the same Yubikey 4C token! Web Key Directory on own domain for easy e-mail ->
key mapping,

- OpenKeychain also has "linked identities" (verifying social profiles) but
at this point I consider it barely useful stamp collection,

- for E2E instant messages Conversations [3] with OMEMO.

[0]: [https://www.passwordstore.org/](https://www.passwordstore.org/)

[1]: [https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)

[2]: [https://github.com/fuhry/initramfs-scencrypt](https://github.com/fuhry/initramfs-scencrypt)

[3]: [https://conversations.im/](https://conversations.im/)

------
chrismatheson
I don’t, but I’ve rarely needed to send files etc to other hacker news users.

I would LOVE it if I could use keybase to send a copy of my passport to
companies (for example) which is necessary for day to day life, and always
done in a ridiculously insecure way. :(

~~~
michaelmior
Sounds like what Telegram Passport is trying to do.

[https://telegram.org/blog/passport](https://telegram.org/blog/passport)

~~~
chrismatheson
It's a much bigger stretch to have companies change the underlying method of
verification instead of the method of transport though ...

------
leviathant
I've been using it for encrypted communication for years, but I only provided
an HN identity because I was essentially collecting stamps.

------
lapinot
Keybase is shitty. They had the ambition to somehow build a new generation of
keyservers, they built it using technology that could easily be a distributed
protocol and then they made it a completely centralized and commercial bs
crypto startup. So much waste since keyservers and distributed identity (and
reputation, and naming system in general) is a field where everything is still
to do. They could have overthrown DNS (machine names) _and_ HTTPS (certified
names; any CA-based ssl system) _and_ google contact ("people" names). I'm
very salty that they've diverted so much hype in that area for so few results.

------
johnnyRose
I use KBFS and encrypted Git almost every day.

I've never needed the identity proofs. The teams/chat features are great but I
rarely use those either. Maybe when adoption increases, but until then I'm
loving my free 250 GB cloud drive and unlimited Git repos up to 100 GB.

------
Nelkins
I use it solely for hacker cred.

------
ecesena
Prove identity: no

Encrypted communication (and files): yes, we use it for Solo, and we also have
a public team
[https://keybase.io/team/solokeys.public](https://keybase.io/team/solokeys.public)

------
absorber
I considered using it, tried registering but had some issues. Tried reaching
out to them but it seems like there is absolutely no way to contact them
(other than their twitter, which looks somewhat abandoned).

This made me pretty suspicious, but especially since
[https://keybase.io/support](https://keybase.io/support) is just another user
claiming to be Keybase support. That's a huge red flag in my book, more so for
a security product.

I don't know, but for me this didn't really inspire much confidence.

~~~
lokedhs
I've had good luck communicating with them on the public team keybasefriends.
They have various channels for different features, but asking on #general is
usually a good way to get help, either from someone from Keybase or someone
else who knows the answer to the question.

~~~
absorber
Interesting. I guess only being available for help on the app one made is one
way to crank up the number of installs.

------
eganist
Yes, mostly as a means of verifying identity across accounts.

I'd probably pay a few bucks a year (thinking 20) for the _base_ identity
service, if we're being frank. Even if the only separation between a free tier
and a paid tier is e.g. more service integrations and an uptime SLA... sure,
why not?

------
jachin
I use it. I've been impressed with all the improvements they've made over the
years. I've struggled to get other people to use it though, but I have had
some success and when I've talked other people into signing up it has worked
well.

------
hprotagonist
I use keybase almost exclusively as an encrypted git tool. My personal
notebooks live there.

------
cascom
It's hard enough to get people to use signal...

------
t0mbstone
When I first heard about it, I signed up for it and set it up on all of my
computers and devices.

I also evangelized it pretty heavily and managed to get about 10 other people
to use it.

Unfortunately, I ran into some pretty major issues with the desktop clients.
They seemed to be coded pretty poorly, eating up massive amounts of CPU and/or
RAM, and sometimes even causing my computer to freeze.

In practice, there also didn't seem to be much point to encrypting
conversations if there was no password required to actually see them (if
someone got a hold of my computer). And (at the time) there was no way to
delete a message.

Due to these issues, I ended up installing it.

I'm curious if things have gotten any better since then?

~~~
baumandm
Editing/deleting messages is now possible, along with options for
automatically expiring messages.

Not sure if the desktop clients have improved, but I haven't had any issues in
the last year or so.

------
Nadya
I've used it in several communities to prove identity and statements in cases
where I both have either authority or a need to be trusted, since I choose to
remain pseudonymous.

It's easier for people to grasp/verify than the alternative ("pure PGP"). They
go to /verify, paste in my message, and make sure it confirms as me. Keybase
being compromised is outside the scope of the threat model - the threat model
is mostly "impostors pretending to be me trying to get you to download
potentially harmful files". People have no reason to know who I am but they do
have a need to verify I am who I say I am.

------
nautist
I host my website on keybase and use git and messaging to do freelance jobs.
If anyone's interested here it is
[https://turbocafe.keybase.pub](https://turbocafe.keybase.pub)

------
sargun
I use it, in the sense my public key is on there, and I follow a bunch of
people on there, but since they invented their own crypto model, it's just a
place to store public keys.

------
ScarZy
I use the git aspects of it heavily for projects where I get lazy and
should be using proper secret storage (for example Ansible playbooks with
secrets not secure...). This is far from ideal, but makes personal development
a great experience.

Secondly to that, we heavily considered and trialed it at work to unseal
Hashicorp Vault. You can add a single identity that is able to unseal, and
having that person verify in the keybase-esque method is a great idea.

------
INTPenis
Maybe if I had the need to prove my identity but I'm just an anonymous coward.

I do like keybase but practically in my day-to-day life GPG ends up filling
all my needs.

------
thraxil
We use it as a quick and dirty shared secret storage at work (when you need to
pass someone an API key or stash some service credentials somewhere). It
works, and keeps those things from sitting around in plaintext, but I've been
trying to move everything that's stored there to something like Hashicorp
Vault or GCP/AWS KMS so we have a proper audit trail and key rotation.

------
apatil
I've started using kbfs for personal notes and encrypted git for financial
planning code.

We're also trying Keybase out as a family chat channel. I really like the CLI
interface and the integration with kbfs, and of course the e2e encryption.
We're probably going to stick with Slack for now, though, mainly because it
runs on Chromebooks.

------
directionless
It has mostly replaced gpg in my usage. It's not common, but it's present.
HashiCorp Vault has a nice integration.

------
crgwbr
I’ve been using the encrypted git feature to back up dot files and other bits
of system config. At work, my dev team uses the FS and chat features for
sharing and sending sensitive files we don’t want sitting around on email, google
drive, etc. Overall I think it’s a pretty great product and I hope it stays
around for a while.

------
etu
When it was new I was excited about it and it pushed me over the edge to
actually starting my usage of GPG and setting it up properly with smartcards
etc.

Then I started to go to keysignings etc and started using the keyserver
infrastructure etc.

And then it took a while and I realized that I never used keybase and removed
my account.

------
egwynn
I’ve had others use their browser-based encryption form to send me sensitive
data before — that’s pretty handy.

------
pixelperfect
Right now I use it for encrypted file storage and private git repositories
that I don't want anyone looking at. I don't have 100% trust in the security
of the platform, but I prefer it to Dropbox or Google Drive where the
probability of someone snooping around my files seems higher.

~~~
lokedhs
At least the Keybase code is open, so even if you can't personally validate
that it's secure, someone else can.

Neither Dropbox nor Google encrypts and keeps the keys client side, so not
trusting them is probably the right thing to do (also Dropbox has been
misleading in the past about their security, so that's another reason one
should be careful).

------
dfischer
I use it for private repos and convos. I want to use it a lot more. It just
makes sense. Unfortunately not a lot of people I know use it.

Add me if you care to make a pen pal.
[https://keybase.io/dfischer](https://keybase.io/dfischer)

------
james_pm
Our team uses it to share sensitive docs (logs, user details, api keys etc.)
and occasionally as a secure chat channel (i.e. if we want to communicate off
work Slack).

I have a copy of some important docs (taxes, etc.) in my private KBFS.

------
castillar76
I'm currently using it for git, principally for storing personal dotfiles
(.ssh/config, etc.) that I need on a couple workstations. It looks neat, but
it suffers from a mindshare problem as a social network.

------
KMuncie
Yes, I use its git feature for certain projects, and have used it for chat for
a while. I have found if I come across a developer who has a profile it's the
easiest way to get in touch with them.

------
delcaran
I would use it if they provide a way to "lock" local installation or to make
it portable: I want to use it in my office PC, which can be accessed by lots
of people...

------
qertoip
Yes, it's critical to bind pubkey to identity:
[https://keybase.io/qertoip](https://keybase.io/qertoip)

------
vaer-k
I've reached out to people with it, and it turns out that they actually
respond! Who'd've thunk? It's nice for encrypted cloud storage too.

------
quickthrower2
A Keybase key could be used to signal you are a 'real hacker'. A bit like
using Vim, Emacs or butterflies could be used to that end.

------
TranquilMarmot
I use it for a few of my personal Git repos, but that's about it. Some file
storage but nothing too huge or important.

------
gelatocar
The Keybase filesystem docs still contain the text:

"At the time of this document, there are very few people using this system.
We're just getting started testing. Note that we could, hypothetically, lose
your data at any time. Or push a bug that makes you throw away your private
keys. Ugh, burn."

And considering that kbfs is one of the more mature parts of Keybase, it has
never inspired confidence in me that any of it is really ready for serious
use.

------
thebiglebrewski
I used it to sign my "will"...reading this reminds me I gotta get a real
lawyer to take a look at that!

------
ngonzal
I use it for git repo management on some of my home things. Have not used it
for much outside of that.

------
gip
Few engineers at my start-up were using keybase to share credentials between
them, as well as between company and/or personal laptops. A lot of information
was exposed to the wild internet (machine names, developer names, connection
between them,...) posing a clear security risk. My experience is that most
engineers do not understand how to safely use keybase at that point.

~~~
sargun
How is that information a security problem greater than say LinkedIn?

Also, I'm curious where machine names were being exposed in Keybase?

~~~
insomniacity
Machine names, example from a Keybase founder:
[https://keybase.io/chris/devices](https://keybase.io/chris/devices)

~~~
lokedhs
You choose those names when you add the device. It can be anything.

That said, it would probably be good if they added a note saying that the
device name you choose is public, which is not really clear in the current UI.

------
y4mi
specifically to prove my identity? no.

i used the filestorage/filesharing earlier and was happy about the git
repository support though.

there were however very few of us, and we all dropped it when they jumped on
the crypto currency wagon.

------
stock_toaster
I deleted my account after not using it for a long time for anything.

------
DanielBMarkham
Sure thing. I do.

I keep asking my friends to join up. Let's try the team feature!

So far, no luck.

------
joeblau
I created an account last week, but I haven't used it yet.

------
donkey-hotei
My current team and I use it to share files for the most part.

------
mnem
Frequently for chat and file sharing.

------
coralreef
For cloud storage backups

------
rman666
Why would anyone tell you if they did?

~~~
aportnoy
Why would anyone want to hide that? Not an expert in security, maybe I don't
have the mental model.

~~~
insomniacity
It's just a way of minimising your footprint. If you google me, and can't find
what services I use, it makes it that much harder to try and find a foothold
into hacking something, or building up a profile.

~~~
Nadya
Then you wouldn't be using Keybase if that was part of your threat model -
since a significant point of using it is to tie together and prove identities
across some popular sites on the net.

See: [https://keybase.io/nadya](https://keybase.io/nadya)

