
Ask HN: Is Keybase a reasonable solution for storing private keys/recovery words - blockstate
I know the safest option is to not store anything online, but considering the probability of losing physical documents, I'm willing to make the risk/reward tradeoff.

Keybase looks like an attractive option for encrypted cloud file storage. It is end-to-end encrypted and looks to be a security-first platform. What are the attack vectors here? I like that only trusted devices can issue keys to new devices (meaning that even if my Keybase account password is compromised, the hacker still needs physical or remote control of one of my devices to grant file access on their computer).

Physical access is a problem, so a stolen laptop + knowledge of my password could screw me, but I use a lock screen, keep Keybase logged out at all times, have encrypted HDD, etc.

On top of that, I could also encrypt a .dmg file with another password and store that.

Opinions appreciated.
======
SteveJS
I use keybase to store a keypass db locked with a yubikey and a passphrase. I
have a backup yubikey, and a paper backup in a sealed envelope in a safe to
recreate the required yubikey. I also keep the pass phrase in a different
keypass db. When I write it out it definitely sounds a bit like ‘turtles all
the way down.’

I now store a backup of that keypass db, because there was a very short
inability to mount the private keybase directory which had me quite nervous
and feeling foolish for not already having a backup.

------
phren0logy
I have been pretty happy with the level of security keybase offers. For
example, this HN account got hijacked, and I immediately got a notification
from keybase.

As you said, nothing's perfect, but it's quite secure esp. compared to many
alternatives, and I'd have a hard time thinking of one that offers a similar
level of convenience to go with it.

~~~
notheguyouthink
What was the cause of keybase notifying you? Was someone trying to breach the
keybase account from information from HN?

~~~
clusmore
Not GP but my guess is the attacker removed the proof from his HN profile, and
KB sent him an email to let him know.

~~~
phren0logy
Yes, that's exactly what happened. It would have taken me much longer to
notice it myself.

------
pixelperfect
One threat with Keybase is that an adversary can wipe all data on your account
if they just have access to your email (see
[https://keybase.io/#account-reset](https://keybase.io/#account-reset)).

I haven't looked into it in detail but Tarsnap might be preferable.

