Get a public key, safely, starting just with someone's social media username(s).
From there, unbounded potential!
Keybase is a people directory. Here are some random folks, if you'd rather just poke around.
    > keybase id maria
    ✓ public key fingerprint: C4B3 15B4 7154 5281 5100 1C58 C2A5 977B 0022
    ✓ "maria_leah" on github: https://gist.github.com/23423
    ✓ "maria_leah" on reddit: https://reddit.com/r/Keyba...
    ✓ "maria_h20" on twitter https://t.co/maria_h20/523554
    ✓ admin of mariah20.com via HTTPS: https://mariah20.com/X904F...
    ✓ ฿ bitcoin 1MPt9BuAVM6YphzyBCNUXkh5dprThwSvbD
So what exactly is it?
Well, Keybase is a website, but it's also an open source command line program. Let's walk through a terminal example, which illustrates what Keybase does. All of this can be embedded into other software, written by anyone.
The keybase command above looks up your pal, "maria", whom you know on github and twitter. In her case, you get back her usernames, which you recognize.

    > keybase id maria_h20@twitter
    > keybase id maria_leah@reddit
    # etc... these will all find her
Note you also could've referred to her directly by her twitter username, as this command shows.
Either way, Keybase acquires maria's public key, and public announcements of her public key. The keybase server tells the keybase client where she tweeted, where she posted her gist, etc., and the client actually checks all of them.
In maria's case, it also provides a bitcoin address, which she signed with her private key. This signature is verified too. So if you want to send her money, this is safe and easy.
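The client-side check described above can be sketched as follows. This is an added example, not Keybase's own code: Ed25519 stands in for PGP, and the statement format, the `Proof` type and the function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
	"strings"
)

// Proof is one claim relayed by the directory plus the post fetched from the service (constructed).
type Proof struct{ Service, Username, Post string }

// statement is the text a key owner signs to claim an account (hypothetical format).
func statement(service, user string, pub ed25519.PublicKey) string {
	return fmt.Sprintf("I am %s on %s; my key is %x", user, service, []byte(pub))
}

// makePost signs with signer; named may differ from signer's key to build a forgery.
func makePost(signer ed25519.PrivateKey, named ed25519.PublicKey, service, user string) string {
	msg := statement(service, user, named)
	return msg + "|" + hex.EncodeToString(ed25519.Sign(signer, []byte(msg)))
}

// CheckProof accepts only the exact statement for this account and key, signed by that key.
func CheckProof(pub ed25519.PublicKey, p Proof) bool {
	msg, sigHex, _ := strings.Cut(p.Post, "|") // a missing "|" leaves sigHex empty, which fails below
	sig, err := hex.DecodeString(sigHex)
	if err != nil || msg != statement(p.Service, p.Username, pub) {
		return false
	}
	return ed25519.Verify(pub, []byte(msg), sig) // wrong-length signatures return false
}

// demo returns verdicts for one genuine proof and three tampered ones.
func demo() []bool {
	mPub, mPriv, _ := ed25519.GenerateKey(nil)
	xPub, xPriv, _ := ed25519.GenerateKey(nil) // impostor's key pair
	good := Proof{"twitter", "maria_h20", makePost(mPriv, mPub, "twitter", "maria_h20")}
	forged := Proof{"twitter", "maria_h20", makePost(xPriv, mPub, "twitter", "maria_h20")}
	return []bool{
		CheckProof(mPub, good),   // genuine: true
		CheckProof(xPub, good),   // directory served a different key: false
		CheckProof(mPub, Proof{"twitter", "other_user", good.Post}), // post replayed for another account: false
		CheckProof(mPub, forged), // names maria's key but signed by the impostor: false
	}
}

func main() { fmt.Println(demo()) } // [true false false false]
```

Because every verdict depends only on the fetched post and the key, a directory server that lies about either one is caught by the client.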
    keybase pgp encrypt maria -m 'Grab a pint tonight?'
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
    Comment: GPGTools - https://gpgtools.org

    hQIMA9IkQTsc+mSQARAAoeIqoS7D+C3aWuymUomVJWU
    e1FiqMNWJDyTzT4I5cRkiwKWLCLmPlYIO1oLhNl670l
    tfp+Qof7CJDGIUx02vRydT5coUwt8MtEhJUPDGi3cAG
    -some-extra-lines-omitted-here :-)
    0LUvVNuYCvjR4Rt7fkfeVcSuakEpUfufGnFqow==
    =4DrQ
    -----END PGP MESSAGE-----
Satisfied, you may do spy-like things like encrypt a message to maria and paste it anywhere. GPG handles the crypto, using the public key verified above.
Keybase is an open directory -- no API key needed -- so you can request maria's key, get her proofs, and verify her identity in any software. The goal of Keybase is to let any security software be powered by usernames instead of offline key exchanges.
keybase pgp encrypt maria_leah@twitter -m 'Some secret'
Again, you don't need to refer to maria by her Keybase username: you can put her twitter username directly into any keybase command, and the keybase client will confirm the public key is owned by that twitter user. The same goes for reddit, github, and other services.
    keybase pgp decrypt -i maria_reply.asc
    ...YEAH 1 SEC, MINING ALTC0INS BY HAND
    ✓ signed by maria

Anyway, she replies with enthusiasm, encrypting a reply. She signs it, too, using the flag '-s'.

    keybase pgp sign -m 'My bitcoin addy: 1NiGHTinBangkoK...'
    keybase pgp encrypt -s maria -m 'a signed secret msg'
    keybase pgp verify -i self_contained.asc
    cat foo.txt | keybase verify sig.asc
Encryption's a pleasure...but what about verifying some source code release or announcement online? Keybase to the rescue; files, messages, streams: all can be signed, encrypted, decrypted, verified, with a keybase username.
Verifying a signature from someone you don't know will summarize all their public accounts and check them for you to make sure the signatures match up.
And have you ever been invited to a key party? Yeah, us neither :-(

    # track publicly, similar to following
    keybase track maria
    # track locally; do not push to server
    keybase track --track-local maria
Many keybase calls from above are interactive. For example, when you "encrypt" for maria or "verify" something she signed, it will insist on proving her identity again, so you can review it. Undoubtedly this is annoying, so the keybase client will offer to "track" her.
Think of it like twitter "following," but it checks her proofs and then, if you're happy, it signs a snapshot of those proofs with your private key for portability and non-malleability.
As you move from machine to machine, you can continue to perform crypto actions on "maria", as long as you track her, because the server will provide you with your own signed snapshot of what "maria" is.
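The snapshot idea can be modelled in a few lines. This is an added example, not Keybase's own format or code: Ed25519 stands in for PGP, and the `Identity` encoding, the function names and the fingerprint placeholders are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Identity is the reviewed state as "kind:value" lines (constructed values).
type Identity []string

// digest hashes a sorted, length-prefixed encoding so line order does not matter.
func digest(id Identity) []byte {
	sorted := append([]string(nil), id...)
	sort.Strings(sorted)
	h := sha256.New()
	for _, s := range sorted {
		fmt.Fprintf(h, "%d:%s,", len(s), s)
	}
	return h.Sum(nil)
}

// Track signs the reviewed snapshot with the tracker's own private key.
func Track(me ed25519.PrivateKey, snap Identity) []byte { return ed25519.Sign(me, digest(snap)) }

// Status checks a server-supplied snapshot against my key, then against the live identity.
func Status(me ed25519.PublicKey, sig []byte, snap, live Identity) string {
	if !ed25519.Verify(me, digest(snap), sig) {
		return "snapshot rejected"
	}
	if string(digest(snap)) != string(digest(live)) {
		return "identity changed"
	}
	return "ok"
}

// trackDemo: proofs merely reordered, a snapshot edited in storage, and a swapped key.
func trackDemo() []string {
	pub, priv, _ := ed25519.GenerateKey(nil)
	snap := Identity{"key:FP-EXAMPLE-1", "twitter:maria_h20", "github:maria_leah"}
	sig := Track(priv, snap)
	swapped := Identity{"key:FP-EXAMPLE-2", "twitter:maria_h20", "github:maria_leah"}
	return []string{
		Status(pub, sig, snap, Identity{snap[2], snap[0], snap[1]}), // ok
		Status(pub, sig, swapped, swapped),                          // snapshot rejected
		Status(pub, sig, snap, swapped),                             // identity changed
	}
}

func main() { fmt.Println(trackDemo()) }
```

The signature makes the stored snapshot tamper-evident, so any machine holding your public key can accept it from the server and only re-prompt when the live identity no longer matches.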
    # installation (run only the line that matches your platform)
    brew install keybase
    yaourt -S keybase-release
    curl -O https://dist.keybase.io/linux/deb/keybase-latest-amd64.deb && dpkg -i keybase-latest-amd64.deb
    curl -O https://dist.keybase.io/linux/deb/keybase-latest-i386.deb && dpkg -i keybase-latest-i386.deb
    rpm -ivh https://dist.keybase.io/linux/rpm/keybase-latest-x86_64.rpm
    rpm -ivh https://dist.keybase.io/linux/rpm/keybase-latest-i386.rpm

    keybase version # this should then work!
    keybase help # this should be helpful!
    keybase signup # reserve that username
Ok, so how do you get Keybase? If you want to run it from the command line, like these examples, you can install our client (it’s written in Go). Non-programmers, just click "join" in the top right corner of this page to request early access to our beta.
keybase signup
Once you've installed, joining the Keybase service is simple and interactive. If you already have a PGP key, it'll walk you through the upload and proof process.
And if you're new to all this, Keybase will help you generate a PGP key pair.
    keybase login # if you have an account
    keybase prove twitter # generate a tweet
    keybase prove github # generate a gist
    keybase pgp [gen|select] # generate or add a PGP public key
That's it. It's really pretty simple. We're not reinventing any cryptography here - the goal is a simple way to look up and trust keys, based on known public identities.
The final commands above show some more examples.
Or...you can join and get your username through this website, which will walk you through the process, too.
Contributors
- Cécile Boucheron /cecileb
- Gabriel Handford /gabrielh
- Jinyang Li /jinyang
- Chris Coyne /chris
- Jack O'Connor /oconnor663
- Andy Alness /alness
- Chris Nojima /chrisnojima
- Caley Ostrander /cbostrander
- Jeremy Stribling /strib
- Robert Lord /lord
- Chris Ball /cjb
- Frederick Akalin /akalin
- Caroline Hadilaksono /chadilaksono
- Patrick Crosby /patrick
- Marco Munizaga /marcopolo
- Max Krohn /max
And what about the website?
Keybase.io is also a Keybase client, however certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, an optional feature we didn't mention above.
On the website, all crypto is performed in JavaScript, in your browser. Some people have strong feelings about this, for good reason.
Is it free?
- It is.
Welcome to Keybase
Keybase is a directory of public keys and the proofs of who owns them. It is free and open without an API key.
In a nutshell, Keybase lets you get someone's public key and trust it, without meeting in person or trusting a "web of trust."