
I've created a Keybase account and imported the "easy" identities (e.g. Twitter, Reddit). Now it's time to get my PGP key there.

I had expected instructions to PGP-sign a specific text from the Keybase (Windows) app and re-upload that signed data (base64 or some such). Instead, what I find is this:

# import a key from gpg's key chain
keybase pgp select
# import from stdin and send the public half to Keybase
cat privkey.asc | keybase pgp import
# for more options
keybase pgp help

At first, I thought that they were 3 instructions to be followed in order, but then I realized they were 3 different main things you could do.

Can someone explain in basic terms (I know the basics of PGP and public/private key pairs) what the first two options entail behind the scenes?

Specific questions I'd have:

  • Does either option 1 or 2 give permanent access for the Keybase app to my PGP private key? Or is it just one time to sign a proof that the public key is mine?
  • Does option 2 mean you need to have your private key in a file at your current location? Is the file typically protected with your passphrase?
  • Any other specific risks or things I should be aware of? I want to make very sure my PGP private key remains my own.

I can speculate to the answers myself, but since it's important stuff I'd rather ask, to be sure.

Luc
Jeroen

2 Answers


It sounds like you're looking for any one of these three:

keybase pgp import -i pubkey.txt
cat pubkey.txt | keybase pgp import
keybase pgp select --no-import

That will import the public half of your key, advertise it on keybase, but prevent them from having access to the private key.

On the other hand,

cat privkey.asc | keybase pgp import

will send a copy of your private key to the keybase servers, which will make it available for use with keybase pgp commands. And,

keybase pgp select

will look at your GnuPG keyring and allow you to select an existing private key to import to keybase.

When in doubt

keybase pgp <option> help

Update:

The option to upload a public key and withhold the private half from keybase doesn't seem to be working. The first set of options listed above now all return

ERROR No secret key available
Diagon
user8675309
  • It doesn't seem like the 1st option "import and advertise your public key but prevent them from having access to the private key" is available anymore. And I'm not comfortable giving keybase access to my private gpg key. – Mike Lippert Oct 12 '18 at 20:57
  • keybase pgp select -h shows " keybase pgp select - Select a key as your own and register the public half with the server". If you pipe the public key to keybase pgp import they have no way of obtaining the private half. What led you to believe that option isn't available anymore? – user8675309 Oct 12 '18 at 21:06
  • I just tried it and got the following: `gpg2 --armor --export me@actualdomain.com | keybase pgp import ▶ ERROR No secret key available` – Mike Lippert Oct 12 '18 at 21:14
  • Just generated a new key to try it with, I'm getting the same results. Hopefully it's just a bug, I also wouldn't upload my private key. – user8675309 Oct 12 '18 at 21:31
  • Uploading only the public key seems to have broken chat for me. – Louis Waweru Aug 23 '21 at 19:59

Just came across this issue myself, and found that the correct args to use aren't shown in the standard gpg --help text:

⇒  gpg --help | grep export
     --export                export keys
     --send-keys             export keys to a keyserver

But you can see the (very limited) help text for it here:

export-secret-keys

Name

export-secret-keys — export secret keys

export-secret-keys name ...

Description

This is the same as the command export, but private keys are exported instead of public keys. This is normally not very useful and is a security risk since private keys are left unprotected.

So to export your secret keys, and import them into your local keybase keyring:

gpg --armor --export-secret-keys MYSECRETKEYID | keybase pgp import

To also automatically push/sync your secret to keybase (so you can then use it on other linked devices) you can use --push-secret:

⇒  keybase pgp import --help

..snip..

OPTIONS:
   -i, --infile     Specify an infile (stdin by default).
   --push-secret    Push an encrypted copy of the secret key to the server.

The full command to do this automatically would then end up as:

gpg --armor --export-secret-keys MYSECRETKEYID | keybase pgp import --push-secret
  • I don't think this is what we want, we need to **keep** keybase from accessing any of our private keys. – NH. Dec 13 '19 at 20:45
  • That is fair.. I think I skipped through that part of the first question and just sort of inferred context from the other answers (as that was what my personal need was). With regards to the "I want to make very sure my PGP private key remains my own" part though, if you add it to keybase as above but don't allow it to be pushed to keybase servers, that allows you to use it for all keybase things, and to ensure it remains your own. So that aspect answers the original question/need. – Glenn 'devalias' Grant Dec 18 '19 at 20:36
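As an added example (not from the question, either answer, or the Keybase or GnuPG projects), the script below inspects an ASCII-armored export before it reaches `keybase pgp import` and reports any Secret-Key or Secret-Subkey packets, which separates the public-only `gpg --armor --export` pipeline of the first answer from the `gpg --armor --export-secret-keys` pipeline of the second answer by content rather than by file name. It parses only OpenPGP packet headers (RFC 4880 sections 4.2 and 4.3); the armored samples are constructed inline from minimal dummy packets and the `armor`/`pkt` helpers exist only to build them.

```python
import base64
import re
# OpenPGP packet tags (RFC 4880 section 4.3) that carry secret key material.
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}

def dearmor(text):
    """Raw packet bytes of the first armored block; armor headers, blank and CRC lines are dropped."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)\n-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no PGP armor block found")
    lines = [l for l in m.group(2).splitlines() if l and ":" not in l and l[0] != "="]
    return base64.b64decode("".join(lines))

def packet_tags(data):
    """Walk the packet sequence and return every packet's tag (RFC 4880 section 4.2)."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if ctb & 0x40:                            # new-format header
            tag, b = ctb & 0x3F, data[i + 1]
            if b < 192:
                length, hdr = b, 2
            elif b < 224:
                length, hdr = ((b - 192) << 8) + data[i + 2] + 192, 3
            elif b == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                        # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        tags.append(tag)
        i += hdr + length
    return tags

def secret_material_present(armored):
    """Names of secret-key packets in the blob; an empty list means public half only."""
    return [SECRET_TAGS[t] for t in packet_tags(dearmor(armored)) if t in SECRET_TAGS]
def armor(data, kind):  # constructed-sample helper: ASCII armor without the CRC line
    b64 = base64.b64encode(data).decode()
    return "-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (kind, b64, kind)
def pkt(tag, body=b"\x04\x00\x00"):  # constructed sample: old-format header, 1-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body
PUBLIC_ONLY = armor(pkt(6) + pkt(13, b"alice") + pkt(14), "PUBLIC KEY BLOCK")
WITH_SECRET = armor(pkt(5) + pkt(13, b"alice") + pkt(7), "PRIVATE KEY BLOCK")
```

Placed between `gpg --armor --export KEYID` and `keybase pgp import` in the pipeline (script name and wiring assumed), the check should refuse to forward its input whenever `secret_material_present` returns a non-empty list.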