This time on the show, Shannon and Darren explore Keybase.io - a cross between a social network and a crypto keyserver. All that and more, this time on Hak5.
Keybase is a website and an open-source command-line program that lets you fetch a person's public key safely, knowing only their username on a social network.
When you sign up, your Keybase passphrase is never sent to Keybase's servers; instead it is salted and stretched with scrypt in the browser. The service is currently in alpha, so you need an invite from another Keybase user. Once signed up, you can create your profile via the website or the command-line program. Update your profile with a photo, a bio, and a public key. If you don't have a public key, Keybase can generate one for you: it creates a 4096-bit key pair, publishes the public key, and makes the encrypted private key available to you as well.
Why is it so cool?
Keybase can match a Keybase user, like Darren, with his true public key, his social network identities, and the public posts that vouch for his public key. Once you're satisfied that this Darren is actually the real Darren, you can encrypt a message to him and paste it into an email or wherever else you like. GPG takes care of the encryption, using the verified public key.
What's great is that I don't need to know Darren's username on Keybase to encrypt a message for him. If I know his Twitter username, and he has verified his public key via Twitter and Keybase, I can use @hak5darren to send him an encrypted message. If he has verified his Reddit, GitHub, and other accounts, I can use those usernames too.
You can verify your identity on various platforms: Twitter, GitHub, Reddit, your own site, and Coinbase. How do you get verified? Here's what I did on Twitter: https://keybase.io/shannonmorse/sigs/FxRDWvEK2ZJfw9wJ2ZgVydZapcollBUMPUWV
You can sign, verify, encrypt, and decrypt through Keybase.
You can also "track" people:
Without tracking, Keybase has to re-check Darren's identity every time you encrypt something for him or verify his signed message. You may see people start "tracking" you on your profile; the more people tracking you, the more verifiable your account is.
Think of it like Twitter "following," except that it checks his proofs and then, if you're happy with them, signs a snapshot of those proofs with your private key for portability and non-malleability. This lets you move from machine to machine with his information already proven, so you don't have to re-prove his identity every time.
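The "signed snapshot" idea above is easy to misread as a mere bookmark, so here is an added example (my code, not Keybase's client or its real statement format) showing what signing a snapshot of proofs actually buys you. It uses Ed25519 from Go's standard library as a stand-in for the tracker's GPG key; the `Proof`/`Snapshot` field names, the username, the fingerprint placeholder and the proof URLs are all constructed for the example. The snapshot is serialised canonically, hashed, and signed; later, `Verify` re-derives the digest from the stored proofs, so a statement whose proofs were tampered with (or one signed by someone else) is rejected rather than silently trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Proof is one identity proof as a tracker would record it.
// Field names are assumptions for this example, not Keybase's real schema.
type Proof struct {
	Service string `json:"service"`
	Name    string `json:"name"`
	URL     string `json:"url"`
}

// Snapshot is what a tracker signs: whose key, and which proofs were checked.
type Snapshot struct {
	Username    string  `json:"username"`
	Fingerprint string  `json:"fingerprint"`
	Proofs      []Proof `json:"proofs"`
}

// canonical serialises a snapshot deterministically (proofs sorted by
// service then name) so the same set of proofs always hashes identically,
// regardless of the order in which they were collected.
func canonical(s Snapshot) ([]byte, error) {
	sorted := make([]Proof, len(s.Proofs))
	copy(sorted, s.Proofs)
	sort.Slice(sorted, func(i, j int) bool {
		if sorted[i].Service != sorted[j].Service {
			return sorted[i].Service < sorted[j].Service
		}
		return sorted[i].Name < sorted[j].Name
	})
	s.Proofs = sorted
	return json.Marshal(s)
}

// TrackingStatement is the portable result the tracker carries between machines.
type TrackingStatement struct {
	Snapshot  Snapshot
	Digest    string // hex SHA-256 of the canonical snapshot
	Signature []byte // Ed25519 signature over the digest bytes
}

// Track signs a snapshot of verified proofs with the tracker's private key.
func Track(priv ed25519.PrivateKey, s Snapshot) (TrackingStatement, error) {
	body, err := canonical(s)
	if err != nil {
		return TrackingStatement{}, err
	}
	sum := sha256.Sum256(body)
	return TrackingStatement{
		Snapshot:  s,
		Digest:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}, nil
}

// Verify re-derives the digest from the statement's own proofs and checks the
// signature, so an altered proof or a foreign signature fails closed.
func Verify(pub ed25519.PublicKey, st TrackingStatement) bool {
	body, err := canonical(st.Snapshot)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(body)
	if hex.EncodeToString(sum[:]) != st.Digest {
		return false
	}
	return ed25519.Verify(pub, sum[:], st.Signature)
}

// SampleSnapshot returns constructed proof data for a hypothetical user.
func SampleSnapshot() Snapshot {
	return Snapshot{
		Username:    "exampleuser",
		Fingerprint: "FINGERPRINT-PLACEHOLDER",
		Proofs: []Proof{
			{Service: "twitter", Name: "exampleuser", URL: "https://example.invalid/twitter/proof"},
			{Service: "github", Name: "exampleuser", URL: "https://example.invalid/github/proof"},
		},
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	st, _ := Track(priv, SampleSnapshot())
	fmt.Println("digest:", st.Digest, "verifies:", Verify(pub, st))

	// Tamper with one proof URL after the fact: the digest no longer matches.
	st.Snapshot.Proofs[0].URL = "https://example.invalid/attacker/proof"
	fmt.Println("after tampering verifies:", Verify(pub, st))
}
```

The canonical ordering matters in practice: if proofs were hashed in collection order, the same identity checked twice could yield two different digests and a legitimate statement would look tampered with.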