Ask HN: Does anyone actually use Keybase?

Every other HN profile lists a Keybase public key and a proof, but has anyone actually needed to prove their identity on HN? Does anyone use Keybase for encrypted communication?

59 points | by aportnoy 2011 days ago

48 comments

  • ShakataGaNai 2011 days ago
    I have used Keybase since it first showed up on HN for Comms and Git. Technically I have done the proofs for identity, but no one cares about that.

    The Git usage was really nice. It's fast and secure. While I didn't use it for most projects (because I want them on github/gitlab for various reasons), it was very useful for backing up machine specific configs and history (using a script and mackup). Knowing that it was well encrypted made me not worry about what was being backed up, if there were credentials, etc.

    As for comms, I used the 1:1 chat with a friend for quite a while. While it worked, it's slow. Sending messages is a little slow, sending images is VERY slow. Anytime the app is closed (like constantly on the phone), re-open times were slow (for decryption). Eventually I gave it up and moved those few chats over to Telegram (Because it's secure enough for most conversations).

    • rever 2011 days ago
      Did you consider Signal when you moved to Telegram, if so any particular reason(s)?
      • amdelamar 2011 days ago
        I tried Signal and Telegram. But I prefer Wire instead. It's secure by default, cross-platform, multi-device, and simple enough for Mom & Dad to use.
        • simplify 2011 days ago
          How does that differ from Signal?
          • espadrine 2011 days ago
            No Signal Web app. So, not as cross-platform.
            • simplify 2010 days ago
              Is the desktop app not cross-platform enough? https://signal.org/download/
            • solarkraft 2011 days ago
              Wire & Telegram are both cloud connected, while Apps on the Signal protocol depend on your phone to be functioning and in reach AFAIK (huge annoyance/problem for me).
              • newscracker 2010 days ago
                That's not true about Signal. You may probably be facing some bug that should be reported to the Signal team.

                Telegram is completely cloud based. So all your conversations, except secret chats that are end-to-end encrypted, are stored on Telegram servers in plain text for as long as your account is active. This is why you can get a new device, activate it for your account and get all your conversations back on it from the Telegram servers.

                Wire and Signal work differently. They use their servers as a temporary storage to hold your messages until the recipient comes online and then deliver them. Wire also retains the messages for a few days to allow delivery to multiple devices that a user may be using, with each device possibly coming online at different times. Signal doesn't have to support this because it's tied only to a single device, which is your phone.

      • newscracker 2010 days ago
        Not the GP, but Telegram > Wire > Signal on user experience, features, message delivery speed, etc. There's simply no comparison at all on these aspects.
  • Leace 2011 days ago
    I used it initially but then found out that bare gpg covers most of my needs.

    For example:

    - passwords using pass [0] decrypted with Yubikey, and with Password Store [1] on Android (the same repo, the same Yubikey),

    - FDE with LUKS decrypted on boot with Yubikey [2],

    - encrypted e-mails with Enigmail and K9/OpenKeychain on Android, works with the same Yubikey 4C token! Web Key Directory on own domain for easy e-mail -> key mapping,

    - OpenKeychain also has "linked identities" (verifying social profiles) but at this point I consider it barely useful stamp collection,

    - for E2E instant messages Conversations [3] with OMEMO.

    [0]: https://www.passwordstore.org/

    [1]: https://github.com/zeapo/Android-Password-Store

    [2]: https://github.com/fuhry/initramfs-scencrypt

    [3]: https://conversations.im/

  • chrismatheson 2011 days ago
    I don’t, but I’ve rarely needed to send files etc to other hacker news users.

    I would LOVE it if I could use keybase to send a copy of my passport to companies (for example) which is necessary for day to day life, and always done in a ridiculously insecure way. :(

    • chrismatheson 2011 days ago
      To be clear, I 100% support keybase, and if I thought there was a chance in hell of getting some other non-tech person to use it, I would put in the effort.

      I just don’t see myself being able to convince some recruiter, or HR person or something to sign up and install keybase just to get a file from me

    • michaelmior 2011 days ago
      Sounds like what Telegram Passport is trying to do.

      https://telegram.org/blog/passport

      • chrismatheson 2011 days ago
        It's a much bigger stretch to have companies change the underlying method of verification instead of the method of transport though ...
    • ssalazars 2011 days ago
      I've thought about this problem, especially in LATAM countries where gov agencies are still ages behind in terms of security/compliance and sharing these types of documents. There is definitely a need for this.
    • 21 2011 days ago
      I'd be more worried about where they store that passport picture instead of how it gets there.
  • lapinot 2011 days ago
    Keybase is shitty. They had the ambition to somehow build a new generation of keyservers, they built it using technology that could easily be a distributed protocol and then they made it a completely centralized and commercial bs crypto startup. So much waste since keyservers and distributed identity (and reputation, and naming system in general) is a field where everything is still to do. They could have overthrown DNS (machine names) and HTTPS (certified names; any CA-based ssl system) and google contact ("people" names). I'm very salty that they've diverted so much hype in that area for so few results.
  • leviathant 2011 days ago
    I've been using it for encrypted communication for years, but I only provided an HN identity because I was essentially collecting stamps.
  • absorber 2011 days ago
    I considered using it, tried registering but had some issues. Tried reaching out to them but it seems like there is absolutely no way to contact them (other than their twitter, which looks somewhat abandoned).

    This made me pretty suspicious, but especially since https://keybase.io/support is just another user claiming to be Keybase support. That's a huge red flag in my book, more so for a security product.

    I don't know, but for me this didn't really inspire much confidence.

    • lokedhs 2011 days ago
      I've had good luck communicating with them on the public team keybasefriends. They have various channels for different features, but asking on #general is usually a good way to get help, either from someone from Keybase or someone else who knows the answer to the question.
      • absorber 2011 days ago
        Interesting. I guess only being available for help on the app one made is one way to crank up the number of installs.
  • johnnyRose 2010 days ago
    I use KBFS and encrypted Git almost every day.

    I've never needed the identity proofs. The teams/chat features are great but I rarely use those either. Maybe when adoption increases, but until then I'm loving my free 250 GB cloud drive and unlimited Git repos up to 100 GB.

  • Nelkins 2011 days ago
    I use it solely for hacker cred.
  • ecesena 2011 days ago
    Prove identity: no

    Encrypted communication (and files): yes, we use it for Solo, and we also have a public team https://keybase.io/team/solokeys.public

  • eganist 2011 days ago
    Yes, mostly as a means of verifying identity across accounts.

    I'd probably pay a few bucks a year (thinking 20) for the base identity service, if we're being frank. Even if the only separation between a free tier and a paid tier is e.g. more service integrations and an uptime SLA... sure, why not?

  • jachin 2011 days ago
    I use it. I've been impressed with all the improvements they've made over the years. I've struggled to get other people to use it though, but I have had some success and when I've talked other people into signing up it has worked well.
  • hprotagonist 2011 days ago
    I use keybase almost exclusively as an encrypted git tool. My personal notebooks live there.
  • cascom 2011 days ago
    It's hard enough to get people to use signal...
  • t0mbstone 2011 days ago
    When I first heard about it, I signed up for it and set it up on all of my computers and devices.

    I also evangelized it pretty heavily and managed to get about 10 other people to use it.

    Unfortunately, I ran into some pretty major issues with the desktop clients. They seemed to be coded pretty poorly, eating up massive amounts of CPU and/or RAM, and sometimes even causing my computer to freeze.

    In practice, there also didn't seem to be much point to encrypting conversations if there was no password required to actually see them (if someone got a hold of my computer). And (at the time) there was no way to delete a message.

    Due to these issues, I ended up installing it.

    I'm curious if things have gotten any better since then?

    • baumandm 2009 days ago
      Editing/deleting messages is now possible, along with options for automatically expiring messages.

      Not sure if the desktop clients have improved, but I haven't had any issues in the last year or so.

  • Nadya 2011 days ago
    I've used it in several communities to prove identity and statements in cases where I both have either authority or a need to be trusted, since I choose to remain pseudonymous.

    It's easier for people to grasp/verify than the alternative ("pure PGP"). They go to /verify, paste in my message, and make sure it confirms as me. Keybase being compromised is outside the scope of the threat model - the threat model is mostly "impostors pretending to be me trying to get you to download potentially harmful files". People have no reason to know who I am but they do have a need to verify I am who I say I am.

  • nautist 2011 days ago
    I host my website on keybase and use git and messaging to do freelance jobs. If anyone's interested here it is https://turbocafe.keybase.pub
  • sargun 2011 days ago
    I use it, in the sense my public key is on there, and I follow a bunch of people on there, but since they invented their own crypto model, it's just a place to store public keys.
  • ScarZy 2011 days ago
    I use the git aspects of it heavily for projects where I get lazy and should be using proper secret storage (for example Ansible playbooks with secrets not secure...). This is far from ideal, but makes personal development a great experience.

    Secondly to that, we heavily considered and trialed it at work to unseal Hashicorp Vault. You can add a single identity that is able to unseal, and having that person verify in the keybase-esque method is a great idea.

  • INTPenis 2011 days ago
    Maybe if I had the need to prove my identity but I'm just an anonymous coward.

    I do like keybase but practically in my day-to-day life GPG ends up filling all my needs.

  • thraxil 2011 days ago
    We use it as a quick and dirty shared secret storage at work (when you need to pass someone an API key or stash some service credentials somewhere). It works, and keeps those things from sitting around in plaintext, but I've been trying to move everything that's stored there to something like Hashicorp Vault or GCP/AWS KMS so we have a proper audit trail and key rotation.
  • apatil 2011 days ago
    I've started using kbfs for personal notes and encrypted git for financial planning code.

    We're also trying Keybase out as a family chat channel. I really like the CLI interface and the integration with kbfs, and of course the e2e encryption. We're probably going to stick with Slack for now, though, mainly because it runs on Chromebooks.

  • directionless 2011 days ago
    It has mostly replaced gpg in my usage. It's not common, but it's present. HashiCorp Vault has a nice integration.
  • crgwbr 2011 days ago
    I’ve been using the encrypted git feature to back up dot files and other bits of system config. At work, my dev team uses the FS and chat features for sharing and sending sensitive files we don’t want sitting around on email, google drive, etc. Overall I think it’s a pretty great product and I hope it stays around for a while.
  • etu 2011 days ago
    When it was new I was excited about it and it pushed me over the edge to actually starting my usage of GPG and setting it up properly with smartcards etc.

    Then I started to go to keysignings etc and started using the keyserver infrastructure etc.

    And then it took a while and I realized that I never used keybase and removed my account.

  • egwynn 2011 days ago
    I’ve had others use their browser-based encryption form to send me sensitive data before — that’s pretty handy.
  • pixelperfect 2011 days ago
    Right now I use it for encrypted file storage and private git repositories that I don't want anyone looking at. I don't have 100% trust in the security of the platform, but I prefer it to Dropbox or Google Drive where the probability of someone snooping around my files seems higher.
    • lokedhs 2011 days ago
      At least the Keybase code is open, so even if you can't personally validate that it's secure, someone else can.

      Neither Dropbox nor Google encrypts and keeps the keys client side, so not trusting them is probably the right thing to do (also Dropbox has been misleading in the past about their security, so that's another reason one should be careful).

  • dfischer 2011 days ago
    I use it for private repos and convos. I want to use it a lot more. It just makes sense. Unfortunately not a lot of people I know use it.

    Add me if you care to make a pen pal. https://keybase.io/dfischer

  • james_pm 2011 days ago
    Our team uses it to share sensitive docs (logs, user details, api keys etc.) and occasionally as a secure chat channel (i.e. if we want to communicate off work Slack).

    I have a copy of some important docs (taxes, etc.) in my private KBFS.

  • castillar76 2011 days ago
    I'm currently using it for git, principally for storing personal dotfiles (.ssh/config, etc.) that I need on a couple workstations. It looks neat, but it suffers from a mindshare problem as a social network.
  • KMuncie 2011 days ago
    Yes, I use its git feature for certain projects, and have used it for chat for a while. I have found if I come across a developer who has a profile it's the easiest way to get in touch with them.
  • delcaran 2011 days ago
    I would use it if they provide a way to "lock" local installation or to make it portable: I want to use it in my office PC, which can be accessed by lots of people...
  • qertoip 2011 days ago
    Yes, it's critical to bind pubkey to identity: https://keybase.io/qertoip
  • vaer-k 2011 days ago
    I've reached out to people with it, and it turns out that they actually respond! Who'd've thunk? It's nice for encrypted cloud storage too.
  • quickthrower2 2011 days ago
    A Keybase key could be used to signal you are a 'real hacker'. A bit like using Vim, Emacs or butterflies could be used to that end.
  • TranquilMarmot 2011 days ago
    I use it for a few of my personal Git repos, but that's about it. Some file storage but nothing too huge or important.
  • gelatocar 2011 days ago
    The Keybase filesystem docs still contain the text:

    "At the time of this document, there are very few people using this system. We're just getting started testing. Note that we could, hypothetically, lose your data at any time. Or push a bug that makes you throw away your private keys. Ugh, burn."

    And considering that kbfs is one of the more mature parts of Keybase, it has never inspired confidence in me that any of it is really ready for serious use.

  • thebiglebrewski 2011 days ago
    I used it to sign my "will"...reading this reminds me I gotta get a real lawyer to take a look at that!
  • ngonzal 2011 days ago
    I use it for git repo management on some of my home things. Have not used it for much outside of that.
  • gip 2011 days ago
    Few engineers at my start-up were using keybase to share credentials between them, as well as between company and/or personal laptops. A lot of information was exposed to the wild internet (machine names, developer names, connection between them,...) posing a clear security risk. My experience is that most engineers do not understand how to safely use keybase at that point.
    • sargun 2011 days ago
      How is that information a security problem greater than say LinkedIn?

      Also, I'm curious where machine names were being exposed in Keybase?

      • insomniacity 2011 days ago
        Machine names, example from a Keybase founder: https://keybase.io/chris/devices
        • lokedhs 2011 days ago
          You choose those names when you add the device. It can be anything.

          That said, it would probably be good if they added a note saying that the device name you choose is public, which is not really clear in the current UI.

  • y4mi 2011 days ago
    specifically to prove my identity? no.

    i used the filestorage/filesharing earlier and was happy about the git repository support though.

    there were however very few of us, and we all dropped it when they jumped on the crypto currency wagon.

  • stock_toaster 2011 days ago
    I deleted my account after not using it for a long time for anything.
  • DanielBMarkham 2011 days ago
    Sure thing. I do.

    I keep asking my friends to join up. Let's try the team feature!

    So far, no luck.

  • joeblau 2011 days ago
    I created an account last week, but I haven't used it yet.
  • donkey-hotei 2011 days ago
    My current team and I use it to share files for the most part.
  • mnem 2011 days ago
    Frequently for chat and file sharing.
  • coralreef 2011 days ago
    For cloud storage backups
  • rman666 2011 days ago
    Why would anyone tell you if they did?
    • aportnoy 2011 days ago
      Why would anyone want to hide that? Not an expert in security, maybe I don't have the mental model.
      • insomniacity 2011 days ago
        It's just a way of minimising your footprint. If you google me, and can't find what services I use, it makes it that much harder to try and find a foothold into hacking something, or building up a profile.
        • Nadya 2011 days ago
          Then you wouldn't be using Keybase if that was part of your threat model - since a significant point of using it is to tie together and prove identities across some popular sites on the net.

          See: https://keybase.io/nadya

        • icedchai 2011 days ago
          This is why I use a different username on each site. Some people use the same username on HN, github, reddit, gmail, etc. (and then they complain about internet privacy and being tracked.)