Keybase's decryption page says "you must host your private key in Keybase's encrypted key store." This really rubs me the wrong way. I was under the impression that your private key should not leave your device, ever (Keybase even lets you have one private key for each non-web device).

But perhaps I'm wrong. Maybe all that is needed is to secure the host as in Protecting a PGP private keyring on host?

Is Keybase's methodology secure? I'm not seeing any documentation on their site of how they protect these keys (especially from themselves).

NH.

1 Answer

To be fair, the page states in full (emphasis mine):

To decrypt in the browser, you must be logged in, and you must host your private key in Keybase's encrypted key store.

Because browser clients lack the ability to store and access a local key, Keybase provides a server-side method. Yes, this method is less secure than their thick clients, where the private key never leaves the device.

Security-conscious users will want to avoid the browser client (and anybody using Keybase should be security-conscious, so I don't personally even understand why there is a browser client, but there you go...)

gowenfawr
  • Not everyone using Keybase will know anything about security. That is entirely the point of the product: they are trying to cater to your average Joe. Any other features of Keybase that your average Joe should be informed are unsafe for the uninitiated like him to use? – NH. Oct 14 '19 at 23:59
  • I accepted your answer, but it looks like this is not the only problem with Keybase. [They do not allow only uploading public keys](https://security.stackexchange.com/q/175775/149193) – NH. Dec 13 '19 at 20:46
  • @NH. That thread seems contrary to the manual. If you read `keybase pgp help import` it clearly states that the private key goes to the server 'If (and only if) the "--push-secret" flag is specified'; default behavior is not to share with the server but to keep it in the user's encrypted files. – gowenfawr Dec 15 '19 at 16:57
  • Thanks, I'm hoping it is outdated and things are safer now. – NH. Dec 16 '19 at 19:13