Passing credentials securely with Keybase

A method to transfer secret data safely with minimal effort

The phrase “bork fork” encrypted with my public key

As a software developer I need a level of access to business critical systems far beyond what normal users require. I need to be able to:

  • Edit the software that runs those systems

This is a privileged position to be, and one that I take extremely seriously. I work at a software agency, which means I and my colleagues build the software of third party companies to help them serve their users. Generally speaking we take over projects that already exist, rather than designing them from the ground up. This means transferring the credentials that access these production systems — the same credentials that give access to critical user data.

These credentials need to be transferred in a way that only the person who is sending them and me, the recipient, are able to read those credentials. It turns out there are few ways to do this:

  • Email isn’t secure by design

However, there’s a pattern I’ve hit on that I quite like: Keybase. It works like this:

  1. Navigate to keybase.io/encrypt#andrewhowdencom

That’s it!

How does it work?

Keybase is built on top of PGP, or “Pretty Good Privacy” is an encryption specification based on public-key cryptography. Without going too far into the details, I have a:

  • Public key: used for encrypting content, and verifying signatures

As the name suggests, the private key is private — specifically, it’s stored on a Yubikey on my keyring. That means only someone who has my keyring and the associated pass code can decrypt the content that is encrypted with the public key.

Traditionally PGP was the domain of “serious computer people”; of Linux nerds, hackers and encryption geeks. However, keybase.io has done some tremendous work making PGP more accessible and usable to the general public. It allows a public chain of trust, endorsements and the signing of various public properties such as Twitter, GitHub etc. Essentially, it provides a way to say “yes, twitter.com/andrewhowdencom is github.com/andrewhowdencom”.

And, most importantly for our purposes, it provides easy ways to encrypt things with the public key.

Is it safe?

Fairly safe. The encryption happens in the browser itself, without querying the server except to fetch the public key. That means although it’s a website, you’re never sending your data to Keybase.

PGP itself is as safe as the user. It can be bespoke and a bit fiddly, but the standard itself is safe enough. It’s still in wide use in the hacker community, and is the defacto standard for reporting security vulnerabilities safety. So long as the important bit is replaced with the -----BEGIN PGP MESSAGE----- , it’s secure in transport.

In terms of my safety, I

  • Keep the private key on a Yubikey

So, it’s safe.

Can I get a keybase?

Yes!

For beginners, there’s a version of Keybase where keybase takes care of all key management, storing the “ultimate” private key and handling the issuing of subkeys etc. Basically, they take care of the nerdy stuff.

For developers, experts or the ambitious it’s better to purchase and use a Yubikey instead. While it’s unlikely that keybase will get compromised, PGP forms the root of a whole series of other sets of trust, and it’s one of the things we should be truly careful with.

In Conclusion

There are times when the need to transmit data that is very sensitive in nature is unavoidable. However PGP and it’s friendlier cousin, Keybase, give us a set of primitives that allow reliable and safe transferring of secret data.

Give it a go!

See https://www.andrewhowden.com/