Advertisement
  1. Code
  2. Security
Code

It's Time to Encrypt Your Email: Using Keybase

by
Difficulty:BeginnerLength:MediumLanguages:
This post is part of a series called It's Time To Encrypt Your Email.
It's Time to Encrypt Your Email: Using GPGTools for OS X
It's Time to Encrypt Your Email: Using the Browser
Keybase

This is the next tutorial in a series focusing on encrypting your email. In the first tutorial, we introduced the general concepts of encryption and how they can be used to secure and authenticate our emails. In the second tutorial, I guided you through installing encryption software on your computer and getting started sending your first messages; we used GPGTools for Mac OS X, an integration of open-source GnuPG

In this tutorial, I'll guide you through using a new service which strengthens the Web of Trust, creating a sophisticated audit trail of authentication for the validity of public keys.

In addition to reading the earlier episodes, you may want to check out the Electronic Frontier Foundation's The Surveillance Self-Defense Guide and their explainer on Key Verification

In upcoming episodes, we'll explore encrypting browser-based email, and then we'll switch topics a bit to encrypting your Internet activities with the use of a VPN. Finally, as part of the series on managing your digital assets after your death, we'll use what we've learned to create a secure cache of important information for your descendants in case of emergency.

Just a reminder, I regularly participate in the discussions below. If you have a question or topic suggestion, please post a comment below. You can also follow me on Twitter @reifman or email me directly.

What Is Keybase?

From the beginning, PGP's effectiveness is limited by the Web of Trust. How sure are you that the person who sent you a message actually holds the private key that signed it? Or how certain are you that the message you encrypted with someone's public key is actually not an impostor's? Depending on how important the confidentiality and validity of your messages are, these questions can literally mean life or death.

Keybase is an attempt to build a web of trust on our social accounts and the websites we host. It's a free service built by two of the co-founders of OKCupid, Chris Coyne and Max Krohn.

The basic idea of Keybase is that if you trust that I, Jeff Reifman, control my Twitter account, GitHub account and my personal and consulting websites, then you can trust the public key that has been authenticated by postings to those accounts and websites. In fact, if you click on the preceding links, they are postings to all of those places (or DNS entries) that help to authenticate my public key hosted with Keybase.

Keybase actually spells out its implementation of the Web of Trust for each. Here's an example of why you should trust my Keybase public key given a DNS TXT record for my website, JeffReifman.com.

Essentially, I used my private key to sign my public key fingerprint.

Keybase The Crypto Walkthrough Part One

Then, Keybase created a hash of this signature and asked me to post a DNS TXT record for JeffReifman.com.

Keybase The Crypto Walkthrough Part Two

You can verify the DNS record with the lookup tool of your choice.

Keybase also asked me to tweet a similar hash to my @reifman Twitter account.

Keybase Verification Tweet for Jeff Reifman reifman twitter account

If my websites or Twitter account are hacked or compromised, I can revoke these verifications through the Keybase site. Similarly, other Keybase users will discover this when they try to encrypt messages for me and notify Keybase.

If you're a whistleblower wishing to send me confidential documents—perhaps you work at the Washington State Department of Revenue and feel compelled to email me Microsoft's actual state royalty tax payments for 1991 to 2012—you could use Tor to create an anonymous email address and encrypt a message to me using the public key validated on the Keybase profile for Jeff Reifman:

The Keybase profile for Jeff Reifman and his public PGP key

Of course, you would never do that because it could be considered illegal and embarrassing to Microsoft, unless you were a whistleblower.

Getting Started With Keybase

Keybase Graphics credit Keybaseio website

For now, Keybase is mostly invitation only, but by the time this episode is published, it's likely been made available to the public. Currently, there's a signup queue for the beta release:

Keybase Join the Private Beta

Creating a Key Pair

Once you've signed up, you need to import or generate a public / private key pair and verify your social accounts and websites.

Keybase My new user profile

First, we add a public key, so I chose I need a public key:

Keybase Add a public key for Jeff Reifman

Then, Keybase uses math, complicated math, to generate me a public / private key pair:

Keybase Getting a key pair for Jeff Reifman

See, lots of math:

Keybase Building a key pair for Jeff Reifman with MATH

When it's done, it offers to host your private key as well. Depending on the threat level with which you live, you may be comfortable with this, or you may wish to export your private key to a USB drive.

Keybase Jeff Reifman Key Pair

Here's my Keybase profile now with my public key fingerprint. Anyone wishing to send me an encrypted message can get my public key at https://keybase.io/jeffreifman:

Keybase My Keybase Profile with my public key fingerprint

But of course, they'd have little reason to trust it's me. We need to work through Keybase to verify our public key with my social accounts and websites.

Verifying Your Identity With Keybase

Let's begin with my Twitter account.

Using Your Twitter Account

Keybase will ask for my Twitter account name. I'm @reifman.

Keybase Prove Your Twitter Identity

Then, Keybase will use your passphrase to sign your identity for Twitter:

Keybase Prove Your Twitter Identity in the Browser

When ready, it will ask you to tweet this signed hash:

Keybase Publish this tweet

Here's what the tweet looks like on your account:

Keybase Proof Tweet

I make it easy for people to find my public key by linking to my keybase profile on my Twitter profile.

Linking to my Keybase profile from my Jeff Reifman Twitter account

Once Keybase verifies I've tweeted, it shows this verification on my profile:

Keybase My Expanded Keybase Profile for Jeff Reifman

Using GitHub

Now, let's verify my GitHub account. Keybase will ask you to post a file as a GitHub Gist:

Keybase Posting a Gist

Here's the proof they ask you to post (yours would be different):

When verified, my GitHub credential will be posted on my Keybase profile:

Keybase My Expanded Profile with Github

Using Your Website(s)

Now, let's verify my Jeff Reifman website:

Keybase Website proof options

You can either post a text file or set a DNS TXT record. I chose the latter. Keybase will ask for your domain name:

Keybase Prove Your Domain

Then, it will ask you to post this DNS TXT record:

Keybase Prove Your Domain via DNS TXT Record

It may take a few hours to propagate and get verified by Keybase:

Keybase Waiting for DNS Record Evidence

Using these authentication trails, people who find my public key on Keybase can be relatively sure they are encrypting messages for the correct Jeff Reifman — or all of his accounts have been hacked and neither he nor anyone else has noticed (unlikely).

Keybase Tracking down Jeff Reifmans public key authority - credit Keybaseio website

Here's what my completely verified Keybase profile looks like:

Keybase Completed Keybase profile for Jeff Reifman

Sending an Encrypted Message

Keybase also makes it easy to send encrypted messages to other Keybase users. I sent a note to Chris Coyne to let him know I was writing this tutorial.

Keybase Encrypt a message

I enter my passphrase and click Sign & encrypt. It's easy.

Keybase is also a sophisticated command line application. You can also use it to encrypt and decrypt messages. In fact, there are advantages to doing this. Your client can perform verification checks that aren't as reliable as using the website (which could be compromised in a variety of ways without you realizing it).

Keybase The Command Line

Once encrypted, Keybase will provide me plain text which I can paste in an email to Chris:

Keybase Encrypted Message

If someone other than Chris receives it, all they'll see is gibberish:

Keybase Robot with encrypted message - credit Keybaseio website

Decrypting a Message

Similarly, to decrypt a message, I can paste a PGP message from anywhere into Keybase, enter my passphrase and click Decrypt:

Keybase Decrypt a message

Inviting People You Know

Keybase becomes more useful as more of your contacts use it. Fortunately, inviting friends and colleagues to Keybase is easy:

Keybase Invite your friends into the web of trust

You can even reclaim invitations if people don't use them.

What's Next?

Keybase takes a big step forward in making the sending and receiving of encrypted messages easier for people. I'm excited to see how the service continues to evolve. 

What are you waiting for? Go invite some friends to join you at Keybase and start emailing more securely with encryption. It's time to encrypt your email.

Please feel free to post your questions and comments below. You can also reach me on Twitter @reifman or email me directly. You can find my other tutorials by browsing my Tuts+ instructor page

Related Links

Advertisement
Advertisement
Looking for something to help kick start your next project?
Envato Market has a range of items for sale to help get you started.