
I was just reading some articles about keybase.io:

And I'm confused about this statement:

I really hope you didn't upload your private key, "client-side crypto" or not!

Assuming that your private key is actually encrypted on the client side, what is the problem with uploading it?

Of course, being paranoid I created a key specifically for use with keybase.io...

Jens Erat
Wayne Werner
  • Keys are often encrypted with passwords, which can be brute-forced. – André Borie Dec 31 '15 at 07:42
  • With public-key cryptography, you share only the public key for encryption. Private keys are kept private/secret. If you share the private key, you compromise the PKI. – Ajay Dec 31 '15 at 09:12

1 Answer

Assuming that your private key is actually encrypted on the client side, what is the problem with uploading it?

The private key is usually encrypted (but not necessarily). Anyway, a private key is much stronger than a "normal" passphrase, and this enables brute-force attacks against the private key. Sharing the encrypted private key would actively harm your security.

The encryption of private keys with a passphrase is more to be considered an additional protection against accidental leakage and not meant to be a safe way of sharing it with the public (or any other untrusted entity like keybase.io).

But there's more to it: there is no real use in sharing your private key. All cryptographic operations involving others are based on the fact that you only need to share (and should share) the public key. Encryption of messages to you is performed using your public key (and the private key is only used for decryption), and signatures issued by your private key are verified using your public key. If everything you want to achieve is sharing your private key amongst your own machines, better choose a way that does not involve non-private channels like "cloud" services. Remember that the private key changes very rarely, and putting some effort into offline transmission usually should not be an overly large hassle. Consider using subkeys to make key management easier.

Jens Erat
  • I didn't know about subkeys, I need to look into that! – Wayne Werner Dec 31 '15 at 14:02
  • Private keys should always be kept private and never shared. – Daniel Ruf Dec 31 '15 at 23:27
  • If this is a comment on my post, the only place I mentioned sharing private keys is "sharing your private key amongst your own machines" -- and this is a very reasonable scenario and does not make your private key public. – Jens Erat Jan 01 '16 at 10:16
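As an added example (not code from the question, the answer, or keybase.io), the Python sketch below makes the answer's two points concrete. First, every operation a correspondent performs (encrypting to you, verifying your signatures) needs only the public key. Second, once a passphrase-protected private key leaves your machine, whoever holds it has an unlimited, unmonitored offline oracle: the public key itself confirms whether a candidate passphrase decrypted to the right private exponent, so the protection is only as strong as the passphrase. The tiny RSA primes, the PBKDF2-then-XOR "protection", and the candidate passphrase list are all constructed for illustration here; they are not OpenPGP's secret-key format and are not secure parameters.

```python
"""Why uploading an encrypted private key is worse than it looks (toy model).

Everything here is constructed for illustration: the primes are tiny, the
key-protection scheme is a toy, and the passphrase list is made up.
"""
import hashlib
import secrets

# --- Toy RSA key pair (constructed; real keys use ~2048-bit primes) -------
P, Q = 1000003, 1000033          # two small primes, constructed for the demo
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
PRIVATE_D = pow(E, -1, PHI)      # modular inverse, Python 3.8+
PUBLIC_KEY = (N, E)


def encrypt(pub, m):
    """Anyone can encrypt to the key holder using only the public key."""
    n, e = pub
    return pow(m, e, n)


def decrypt(d, pub, c):
    """Only the private exponent d decrypts."""
    return pow(c, d, pub[0])


def sign(d, pub, m):
    """Only the private exponent d signs (textbook RSA, no padding)."""
    return pow(m, d, pub[0])


def verify(pub, m, sig):
    """Anyone can verify using only the public key."""
    n, e = pub
    return pow(sig, e, n) == m


# --- Toy passphrase protection of the private exponent -------------------
def _derive_key(passphrase, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=32)


def protect_private_key(d, passphrase, salt=None, iterations=200_000):
    """Encrypt d under a passphrase-derived key (toy: one-time XOR, no MAC).

    Real formats differ, but the property demonstrated is the same: the file
    alone does not reveal which passphrase is right.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = _derive_key(passphrase, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), key))
    return {"salt": salt, "iterations": iterations, "ct": ct}


def unprotect_private_key(blob, passphrase):
    """Any passphrase 'decrypts' to some integer; only one is the real d."""
    key = _derive_key(passphrase, blob["salt"], blob["iterations"])
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob["ct"], key)), "big")


def is_correct_private_key(pub, d_candidate):
    """The public key is a free, offline correctness oracle for d."""
    n, e = pub
    probe = pow(2, e, n)                 # encrypt a fixed probe value
    return pow(probe, d_candidate, n) == 2


def oracle_queries_until_recovered(blob, pub, candidates):
    """Count how many offline guesses the public-key oracle must answer
    before a candidate passphrase is confirmed. None if no candidate matches.
    Nothing here is rate-limited or logged: that is the harm of uploading."""
    for i, guess in enumerate(candidates, start=1):
        if is_correct_private_key(pub, unprotect_private_key(blob, guess)):
            return i
    return None


if __name__ == "__main__":
    # Correspondents need only the public key for both directions of use.
    c = encrypt(PUBLIC_KEY, 4242)
    print("decrypts correctly:", decrypt(PRIVATE_D, PUBLIC_KEY, c) == 4242)
    s = sign(PRIVATE_D, PUBLIC_KEY, 12345)
    print("signature verifies:", verify(PUBLIC_KEY, 12345, s))

    # A leaked protected key plus the (already public) public key.
    blob = protect_private_key(PRIVATE_D, "correct horse", iterations=1000)
    guesses = ["hunter2", "letmein", "correct horse", "password"]  # constructed
    print("offline guesses needed:",
          oracle_queries_until_recovered(blob, PUBLIC_KEY, guesses))
```

The point to take from `oracle_queries_until_recovered` is not the loop but what it does not contain: no server, no rate limit, no audit log. Once the protected key is on someone else's disk, the passphrase's entropy is the entire security margin, which is why the answer recommends moving keys between your own machines over channels you control.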