Get a public key, safely, starting just with someone's social media username(s).
From there, unbounded potential!
    > keybase id maria
      pgp:     C4B3 15B4 7154 5281 5100 1C58 C2A5 977B 0022
      github:  maria_leah ✓ https://gist.github.com/23423
      reddit:  maria_leah ✓ https://reddit.com/r/Keyba...
      twitter: maria_h20 ✓ https://t.co/maria_h20/523554
      web:     mariah20.com ✓ https://mariah20.com/X904F...
      ฿ bitcoin 1MPt9BuAVM6YphzyBCNUXkh5dprThwSvbD
Keybase is a website, but it's also an open source command line program. Let's walk through a terminal example, which illustrates what Keybase does. All of this can be embedded into other software, written by anyone.
The keybase command above looks up your pal, "maria", whom you know on github and twitter. In her case, you get back her usernames, which you recognize.
    > keybase id twitter://maria_h20
    > keybase id reddit://maria_leah
    # etc... these will all find her
Note you also could've referred to her directly by her twitter username, as this command shows.
Either way, Keybase acquires maria's public key, and public announcements of her public key. The keybase server tells the keybase client where she tweeted, where she posted her gist, etc., and the client actually checks all of them.
In maria's case, it also provides a bitcoin address, which she signed with her private key. This signature is verified too. So if you want to send her money, this is safe and easy.
    keybase encrypt maria -m 'Grab a pint tonight?'
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
    Comment: GPGTools - https://gpgtools.org

    hQIMA9IkQTsc+mSQARAAoeIqoS7D+C3aWuymUomVJWU
    e1FiqMNWJDyTzT4I5cRkiwKWLCLmPlYIO1oLhNl670l
    tfp+Qof7CJDGIUx02vRydT5coUwt8MtEhJUPDGi3cAG
    -some-extra-lines-omitted-here :-)
    0LUvVNuYCvjR4Rt7fkfeVcSuakEpUfufGnFqow==
    =4DrQ
    -----END PGP MESSAGE-----
Satisfied, you may do spy-like things like encrypt a message to maria and paste it anywhere. GPG handles the crypto, using the public key verified above.
Keybase is an open directory -- no API key needed -- so you can request maria's key, get her proofs, and verify her identity in any software. The goal of Keybase is to let any security software be powered by usernames instead of offline key exchanges.
keybase encrypt twitter://maria_leah -m 'Some secret'
Again, you don't need to refer to maria by her Keybase username: you can put her twitter username directly into any keybase command, and the keybase client will confirm the public key is owned by that twitter user. The same goes for reddit, github, and other services.
    keybase decrypt maria_reply.asc
    ...YEAH 1 SEC, MINING ALTC0INS BY HAND
    ✓ signed by maria
Anyway, she replies with enthusiasm, encrypting a reply. She signs it, too, using the flag '-s'.
    keybase sign -m 'My bitcoin addy: 1NiGHTinBangkoK...'
    keybase encrypt -s maria -m 'a signed secret msg'
    keybase verify self_contained.asc
    cat foo.txt | keybase verify sig.asc
Encryption's a pleasure...but what about verifying some source code release or announcement online? Keybase to the rescue; files, messages, streams: all can be signed, encrypted, decrypted, verified, with a keybase username.
Verifying a signature from someone you don't know will summarize all their public accounts and check them for you to make sure the signatures match up.
And have you ever been invited to a key party? Yeah, neither have we :-(
    # track publicly, similar to following
    keybase track maria
    # track locally; do not push to server
    keybase track --track-local maria
Many keybase calls from above are interactive. For example, when you "encrypt" for maria or "verify" something she signed, it will insist on proving her identity again, so you can review it. Undoubtedly this is annoying, so the keybase client will offer to "track" her.
Think of it like twitter "following," but it checks her proofs and then, if you're happy, it signs a snapshot of those proofs with your private key for portability and non-malleability.
As you move from machine to machine, you can continue to perform crypto actions on "maria", as long as you track her, because the server will provide you with your own signed snapshot of what "maria" is.
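The tracking idea described above, as an added sketch that is not Keybase's own code: you sign a snapshot of the proofs you reviewed, and later any change in what the server presents, or any tampering with the snapshot itself, is detected. The snapshot fields, the function names, and the Ed25519 key standing in for your PGP key are assumptions made for this illustration.

```javascript
// Added example; the snapshot fields and Ed25519 key are assumptions,
// not Keybase's actual formats (Keybase signs with your PGP key).
const nodeCrypto = require("crypto");

// Serialize with sorted keys so equal snapshots give identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// "Track": sign the proofs you just reviewed with your own private key.
function trackUser(snapshot, myPrivateKey) {
  const body = canonical(snapshot);
  const sig = nodeCrypto.sign(null, Buffer.from(body), myPrivateKey);
  return { body, sig: sig.toString("base64") };
}

// Later, on any machine: verify your signature on the stored snapshot, then
// compare it with what the server presents now. Empty list = nothing changed.
function checkTracked(stored, current, myPublicKey) {
  const ok = nodeCrypto.verify(null, Buffer.from(stored.body), myPublicKey,
    Buffer.from(stored.sig, "base64"));
  if (!ok) return ["snapshot signature invalid"];
  const then = JSON.parse(stored.body);
  const problems = [];
  if (then.fingerprint !== current.fingerprint) problems.push("public key changed");
  const services = new Set([...Object.keys(then.proofs), ...Object.keys(current.proofs)]);
  for (const s of [...services].sort()) {
    if (then.proofs[s] !== current.proofs[s]) problems.push("proof changed: " + s);
  }
  return problems;
}

// Constructed sample data: placeholder fingerprint, usernames from the page.
const me = nodeCrypto.generateKeyPairSync("ed25519");
const reviewed = {
  user: "maria",
  fingerprint: "PLACEHOLDER-FINGERPRINT-A",
  proofs: { github: "maria_leah", twitter: "maria_h20" },
};
const stored = trackUser(reviewed, me.privateKey);
console.log(checkTracked(stored, reviewed, me.publicKey));
console.log(checkTracked(stored, { ...reviewed, fingerprint: "PLACEHOLDER-FINGERPRINT-B" }, me.publicKey));
```

Because the snapshot is signed with your own key, a server that stores it for you cannot alter it without the signature check failing.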
    # installation walkthrough
    npm install -g keybase-installer
    keybase-installer   # this gets the latest version
    keybase version     # this should then work!
    keybase help        # this should be helpful!
    keybase signup      # reserve that username
Ok, so how do you install Keybase? Well, everything mentioned thus far works in the browser, too, for non-programmers. Just click "join" in the top right corner of this page to request early access to our beta.
If you want to run it from the command line, like these examples, you can do that too. Our first implementation is in Node, and once you have the keybase installer, every update will be checked against our public code-signing key.
Prerequisites: Node.js and GPG
Once you've installed, joining the Keybase service is simple and interactive. If you already have a PGP key, it'll walk you through the upload and proof process.
And if you're new to all this, Keybase will help you generate a PGP key pair.
    keybase login           # if you have an account
    keybase push            # announce your public key
    keybase prove twitter   # generate a tweet
    keybase prove github    # generate a gist
That's it. It's really pretty simple. We're not reinventing any cryptography here - the goal is a simple way to look up and trust keys, based on known public identities.
The final commands above show some more examples.
Or...you can join and get your username through this website, which will walk you through the process, too.
And what about the website?
Keybase.io is also a Keybase client; however, certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, an optional feature we didn't mention above.
Is it free?
- It is.
Welcome to Keybase
Keybase is a directory of public keys and the proofs of who owns them. It is free and open without an API key.
In a nutshell, Keybase lets you get someone's public key and trust it, without meeting in person or trusting a "web of trust."