2

Could you please describe to me the security benefits of encrypting and decrypting messages using Keybase.io?

Do you think that using such a thing will be secure, where the encrypted message redirects through the Keybase server to the receiver?

Jeremy
user3011084
  • Is this question asking "What are the security benefits of encryption?" or is it asking "Is public/private key encryption, with public key distribution supported by keybase.io, considered secure?" – Jesse K Oct 22 '15 at 14:47

1 Answer

4

The encrypted messages don't have to go through their servers. Keybase just provides a means of getting a public key for a known username on x platform (for example, I have my Twitter name and my GitHub verified on Keybase, people can use Keybase to verify that my Twitter is actually mine).

Keybase will provide the public key, which can be used to encrypt a message. Encryption can happen via the command line, or the website. The encrypted message can then be sent however you want.

From their website:

> Keybase.io is also a Keybase client, however certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, an optional feature we didn't mention above.
>
> On the website, all crypto is performed in JavaScript, in your browser. Some people have strong feelings about this, for good reason.

So, Keybase never sees your encrypted message. If you don't want to store your private key on Keybase, you don't have to. You can handle the decryption yourself or let Keybase store your private key.

> Could you please describe to me the security benefits of encrypting and decrypting messages using Keybase.io?

You get to verify a user's identity, so you know that the person claiming to be me on Twitter is actually me (as with GitHub etc.). Encryption is easy, as Keybase provides the verified public key for you.

> Do you think that using such a thing will be secure

If you don't store your private key on the server, yes. Unless someone hacks your Twitter/GitHub etc. and changes your key proof, you're fine. If you do choose to store your private key on the server, you take the chance of Keybase being hacked. Your call on that one.

> where the encrypted message redirects through the Keybase server to the receiver.

It doesn't. Encryption/decryption happens in JS in your browser. You can send the encrypted message however you want.

Jay
  • 1
    In addition, OpenKeychain on Android can be used to hold the keypair from keybase.io, allowing you to sign and decrypt on your phone, and the app also has keybase integration for searching for public keys. – Natanael Oct 24 '15 at 11:16
  • Link to [OpenKeyChain](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain). – Dan Atkinson Dec 28 '16 at 23:24
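
The answer's caveat about a hacked Twitter or GitHub account changing the key proof, as an added example that is not part of the original answer and is not Keybase's code: a sender-side check that refuses a served public key unless enough independent, already-verified proofs name that same key and it matches the key recorded earlier. The `Proof` record, `key_decision`, the pinned-fingerprint idea, the account names and the fingerprints are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proof:
    service: str      # e.g. "twitter", "github"
    account: str      # account name the proof was posted from
    fingerprint: str  # key fingerprint named in the signed proof statement
    verified: bool    # True only if your own client fetched and checked the proof


def norm(fp: str) -> str:
    """Compare fingerprints without regard to spacing or case."""
    return "".join(fp.split()).upper()


def key_decision(served_fp, proofs, known_accounts, pinned_fp=None, min_services=2):
    """Return (ok, reasons) for using the served public key to encrypt.

    known_accounts: {service: account} you already associate with the person.
    pinned_fp: fingerprint recorded the last time you used this contact's key.
    """
    reasons = []
    served = norm(served_fp)
    if pinned_fp is not None and norm(pinned_fp) != served:
        reasons.append("key differs from the one previously recorded")
    backing = set()
    for p in proofs:
        if known_accounts.get(p.service) != p.account:
            continue  # proof on an account you cannot tie to the person
        if not p.verified:
            reasons.append(f"{p.service} proof not verified")
        elif norm(p.fingerprint) != served:
            reasons.append(f"{p.service} proof names a different key")
        else:
            backing.add(p.service)
    if len(backing) < min_services:
        reasons.append(f"only {len(backing)} independent proof(s), need {min_services}")
    return (not reasons, reasons)


# Constructed sample data (not real fingerprints or accounts).
FP_OLD = "AAAA BBBB CCCC DDDD EEEE  0000 1111 2222 3333 4444"
FP_NEW = "9999 8888 7777 6666 5555  FFFF EEEE DDDD CCCC BBBB"
KNOWN = {"twitter": "alice_example", "github": "alice-example"}
GOOD = [Proof("twitter", "alice_example", FP_OLD, True),
        Proof("github", "alice-example", FP_OLD, True)]
# One account taken over and its proof re-pointed at another key.
HIJACKED = [Proof("twitter", "alice_example", FP_NEW, True),
            Proof("github", "alice-example", FP_OLD, True)]
```

With `min_services=2`, a single taken-over account is not enough to get a substituted key accepted, and the pinned fingerprint flags the change even before the proofs are counted.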