Ask HN: If you use keybase.io regularly, for what do you primarily use it? - twitchax
======
pstadler
Shameless plug: I wrote a little guide[1] how to use keybase.io and GPG to
sign git commits. It was posted on HN a while ago[2].

    
    
      "Ironically, only the first commit is signed."
    

[1] [https://github.com/pstadler/keybase-gpg-
github](https://github.com/pstadler/keybase-gpg-github) [2]
[https://news.ycombinator.com/item?id=12289481](https://news.ycombinator.com/item?id=12289481)

~~~
saycheese
Meta-HN-Comment: Annoying how HN locks post voting & commenting and you can't
repost the link either. Anyone know what HN's reasoning on this is, or for
that matter, why there's not a meta-HN?

(If my use of meta is unclear, see how Stack Exchange uses it.)

~~~
DanBC
I don't know why HN locks voting. I think it's about preserving history - that
was the reason given for the short time available to unvote or undown a
comment. (In this thread
[https://news.ycombinator.com/item?id=12073675](https://news.ycombinator.com/item?id=12073675)
)

HN has a duplicate detector. You're allowed to repost things that are on topic
and that didn't get much conversation, so long as you don't do it too much.
That link got > 100 comments and > 200 votes, so that counts (I think) as
substantial discussion.
[https://news.ycombinator.com/item?id=7544123](https://news.ycombinator.com/item?id=7544123)

HN doesn't have a meta because META == DEATH.

I'm tempted to set up a totally unofficial unsupported HN Meta community on
Imzy, but it's probably a bad idea.

~~~
l0b0
Have you read Jeff Atwood's Meta is Murder, and his subsequent Listen to Your
Community, But Don't Let Them Tell You What to Do? meta.stackexchange.com and
its sister sites have as far as I can tell been very successful.

------
sirsuki
We use it at work to share tmate ([https://tmate.io/](https://tmate.io/))
sessions. I wrote a shell script to save the session to our mutual shared
private keybase directory:
[https://github.com/sukima/dotfiles/blob/master/home/.bin/tma...](https://github.com/sukima/dotfiles/blob/master/home/.bin/tmate-
share)

------
lettergram
I use it to encrypt messages to friends / customers via Facebook messager,
Slack, or public forums when I'm dealing with sensitive data.

A few of my friends use this (which I wrote):
[http://lettergram.github.io/AnyCrypt/](http://lettergram.github.io/AnyCrypt/)

You may ask, "when do you really deal with sensitive data?" My answer, is a
lot more often than you think... The cool part about encryption, is I can use
it over an insecure line to communicate. For example, I can post encrypted
text here and only people I wrote it for can read it.

~~~
pul
You might want to be careful with intentionally publicizing encrypted data,
since it might only be secure for a limited time. Computation becomes cheaper
over time (making brute force more feasible) and new vulnerabilities in the
encryption algorithm can be found.

~~~
lettergram
Totally agree, I assume the average HN reader knows this.

Regardless, ill try to be more careful in the future.

------
Zalos
I saw keybase.io as a public key directory which makes it easier to find
friends, family and colleagues public keys. That´s my intended use of
Keybase.io. I haven´t actually used it yet for anything serious, although I´ve
found ways to use PGP public/private keys to encrypt and decrypt local files
on Mac and Windows, e-mails using mailvelope or keybase.io so that should take
care of everything. But if people don´t adopt it I´ve got no use for it. And
people around me didn´t take to Keybase as such it´s just sitting there so
that maybe eventually I can use it. Right now it´s kind of useless.

------
tristor
At my company we use Keybase to help us validate keys for new employees as we
bring them into the fold, since the company is 100% remote. We also use KBFS
for some tasks as well. You can see more in the article I wrote for our
company blog about our using of GPG + Keybase + Git + Hub for commit signing +
KBFS at [https://eligible.com/blog/commit-signing-with-git-hub-
keybas...](https://eligible.com/blog/commit-signing-with-git-hub-keybase-and-
gpg/)

------
viraptor
I used it once - to coordinate a project ownership transfer with a person not
typically using pgp. Explicit message "this person is XYZ on GitHub" helped.

------
rdw
Sharing secrets with remote co-workers. It's easy enough to use that I can
expect pretty much anyone to be able to figure it out in real-time.

~~~
petetnt
Ditto. Remote and non-remote, secrets and other slightly-less-but-still-
somewhat secret files. Before that we handled it via 1Password, but it's so
handy to just `cp` the files to the private/you,co-worker folder and do
whatever you need with the files.

------
eloisius
Sharing .env files full of secrets to bootstrap a project. Typically just dev
credentials, not production, but still a nice way to hand those semi-sensitive
data around easily, and without committing them to git.

------
poorman
I use it to sign my git commits.

Never really thought about using it to share credentials but I might give that
a try.

Feature Request: I'd love an easier way to find the keybase accounts for my
friends on twitter.

~~~
poorman
Oh, one more feature request. I'd like to be able to verify the identity of
people on Venmo.

------
buro9
I use it as the primary way to exchange secrets with others.

This isn't regular use as I don't regularly have secrets, but I've used it to
exchange passwords, 2FA QR codes, and other sensitive data like this, with
people with whom I'm remotely communicating with.

~~~
malgorithms
Internally (I work at Keybase) we use it even more for the opposite. We do use
it for secrets, but very often we put public info into KBFS we want to verify.

As an example, a number of us use it to address pain points around SSH. I keep
this: /keybase/public/chris/keys/ssh.txt (you can see them on
keybase.pub/chris/keys/ssh.txt ), and I keep all my known hosts as a reference
in another file (that one in my private directory)...so when I'm SSH'ing to a
machine from a new one I never have to say yes to connecting to a fingerprint
I haven't actually verified. If I don't recognize a fingerprint then in turn I
contact the appropriate party using Keybase, get a confirmation, and then add
it to my file.

I'm bringing up SSH because we're thinking of making SSH public keys an
important part of Keybase and curious if others share the same pain point. You
mentioned a bunch of team uses and wondering if this was part of your use too.

~~~
twitchax
Haha, hello from [https://keybase.io/twitchax](https://keybase.io/twitchax)!

This is interesting, and I am super glad that you are here, haha. I am about
to (in 2 hours) give a presentation on keybase.io for a MS-level cryptography
course. I like all of the features, but I was curious what the primary goal
was.

I see a lot of people mentioning the encryption tools (which are awesome and
easy-to-use); however, I cannot help but think that keybase.io is really about
identity proofs and signing. Would you say that this is the case?

If so, are there any plans to, say, add driver's licenses, passports, or other
documents to a user's signature chain? There are some countries which actually
give citizens public/private keys for cryptographic purposes like voting,
etc.? I ask about this specifically because my professor is Josh Benaloh
(author of the Benaloh cryptosystem
[[https://en.wikipedia.org/wiki/Benaloh_cryptosystem]](https://en.wikipedia.org/wiki/Benaloh_cryptosystem\])),
and one of his major passions is voting and identity proofs for internet
users.

Thanks for joining in, by the way!

Bonus question if you have time: any thoughts about forward secrecy as part of
the encrpytion stack in keybase.io?

------
charlieegan3
We've used it a couple of times recently to share credentials with a remote
team.

~~~
twitchax
Interesting...any reason you chose it over other options?

~~~
charlieegan3
Other options - like team password managers?

It was kind of ad hoc thing; it's free and was easy to setup.

~~~
twitchax
Yes, I was just curious if ease-of-use was one of your primary goals.

------
CameronBanga
A run a small app development studio, and have a couple times a month where a
client needs to share login credentials to iTunes Connect, Google Play Dev
Console, Facebook, etc.

In those situations, I just give them my Keybase public encryption page, and
have them enter the credentials and then send me the cypher text. Works
fantastic, and much better than just sending via plain text over email or
Slack.

------
Nadya
Allowing people to verify my message came from me without needing to setup PGP
themselves. They can just use /verify and throw my message into it. By using
the signature consistently it raises red flags when a post of mine isn't
signed or doesn't verify.

Of course - this assumes Keybase has not been compromised, but that isn't an
attack vector I worry about.

~~~
synchrone
The point of keybase is to distribute trust in them across multiple (social)
trust-statements, so you don't even need to trust them Their implementation is
supposed to check all those twitter/github/dns trust statements to verify the
message.

~~~
Nadya
That only works if the message is coming from somewhere that can be linked
with Keybase. Say for example I sign a message on Voat rather than Reddit.
Then what? There exists thousands of sites that can't be paired with Keybase.

Pasting a message into /verify is a lot easier for people than installing
GnuPG and verifying it themselves. Still faster and more user friendly even if
they already have GnuPG installed.

------
mike-cardwell
Offsite backups. I use duplicity to back up my ownCloud servers data directory
to my kbfs private directory. There's not a lot of free storage from kbfs, but
I don't need much.

[edit] Otherwise, I haven't really found a use for it since setting it up.
Would probably be really useful if a tonne of people used PGP, but they don't.

------
morgante
I use it as a simple way to share credentials over insecure channels.

------
gepoch
I use keybase.pub to host a whole hugo [1] site. It was very easy to put it
together. Updating it is just a hugo + rsync to my keybase public folder.

I also stash some dotfiles in my private folder, and it's extremely handy for
sharing signal desktop client safety numbers with other crypto minded friends.
I use it for my ssh public keys as well.

I've also used it for snippets with coworkers (secrets or no, it's really nice
to be able to sent python /keybase/private/foo,bar/test.py in a chat window,
and it can be directly pasted without needing to share the script, or relocate
the paths in the command.

I feel like I've naturally developed tons of ways of using it at this point.
I'll probably come to depend on it, soon enough.

[1] [https://gohugo.io/](https://gohugo.io/)

------
zuck9
[https://xkcd.com/1553/](https://xkcd.com/1553/)

~~~
lionyo
Publishing My Private Keys:
[http://nullprogram.com/blog/2012/06/24/](http://nullprogram.com/blog/2012/06/24/)

------
jpetso
My previous company was looking into using it as a place to store the app's
public key for that user and find other users of the app (with their public
keys) while being able to verify them.

At the time, Keybase didn't have the appropriate APIs to allow third-party
integration like that. I haven't checked if anything happened on that front
since.

------
libeclipse
I use it to authenticate and encrypt sensitive messages to friends online,
over insecure channels.

------
tscs37
It holds my git-signing key. That's all I do with PGP atm.

------
omginternets
We use it to distribute public and private key pairs. The aptly-named "public"
and "private" folders are quite convenient for such things.

------
jonafato
Off topic, but related: I have some keybase invites available, and I'm sure
others do as well. Contact info in my profile if anyone would like one.

------
makach
just discovered it, looks like an interesting attempt to solve exchanging
public keys. feels wrong to put public keys in a cloud solution like this---

~~~
macrael
Why wrong? Is there a difference you see between a cloud service like this and
PGP keyservers?

~~~
makach
you shouldn't put your private key in the cloud..? ..or maybe it is considered
acceptable these days? theoretically--if you put your private key in cloud,
and you pass the passphrase you give everything to the man in the middle for
decrypting, but also give them the possibility to impersonating you.

~~~
morgante
You don't have to put your private key on Keybase servers to use Keybase.

~~~
makach
I noticed that you don't have to, but what is then the benefit of this web
site..?

~~~
defen
Seamless secure file sharing with decent identity authentication -
[https://keybase.io/docs/kbfs](https://keybase.io/docs/kbfs)

~~~
makach
it's only secure if you can ensure that no one has tampered with your keys. if
your keys are generated behind a service like this, how can you know that you
are safe?

~~~
defen
You can use Keybase without their ever seeing your private key.

------
explodingcamera
kbfs is pretty sick but I mainly use it for my git signing key :)

~~~
libeclipse
It's a nice idea but not really well-implemented.

~~~
omginternets
Why do you say that?

~~~
mike-cardwell
Not the parent, but a major issue with it is, it's _slow_.

    
    
      mike@snake:/keybase/public/mickeyc$ time ls
      index.html
    
      real	0m1.156s
      user	0m0.000s
      sys	0m0.000s
      mike@snake
    

The current client is not a syncing client like Dropbox/ownCloud, it's a
network fs client.

I don't know if the slowness is due to the requirement to access the network,
or the crypto, or whatever, but it will remain a toy unless they do something
about it.

I understand it's very much a beta though, so that's ok.

~~~
omginternets
Okay, that's understandable, but how do we know this is an implementation-
level problem rather than a fundamental problem?

~~~
mike-cardwell
[https://keybase.io/docs/kbfs](https://keybase.io/docs/kbfs) \- "Performance:
We've made no performance optimizations yet. There's a lot of low-hanging
fruit."

