It's Time to Encrypt Your Email: Using Keybase

This is the next tutorial in a series focusing on encrypting your email. In the first tutorial, we introduced the general concepts of encryption and how they can be used to secure and authenticate our emails. In the second tutorial, I guided you through installing encryption software on your computer and getting started sending your first messages; we used GPGTools for Mac OS X, an integration of open-source GnuPG. 

In this tutorial, I'll guide you through using a new service which strengthens the Web of Trust, creating a sophisticated audit trail of authentication for the validity of public keys.

In addition to reading the earlier episodes, you may want to check out the Electronic Frontier Foundation's The Surveillance Self-Defense Guide and their explainer on Key Verification. 

In upcoming episodes, we'll explore encrypting browser-based email, and then we'll switch topics a bit to encrypting your Internet activities with the use of a VPN. Finally, as part of the series on managing your digital assets after your death, we'll use what we've learned to create a secure cache of important information for your descendants in case of emergency.

Just a reminder, I regularly participate in the discussions below. If you have a question or topic suggestion, please post a comment below. You can also follow me on Twitter @reifman or email me directly.

What Is Keybase?

From the beginning, PGP's effectiveness is limited by the Web of Trust. How sure are you that the person who sent you a message actually holds the private key that signed it? Or how certain are you that the message you encrypted with someone's public key is actually not an impostor's? Depending on how important the confidentiality and validity of your messages are, these questions can literally mean life or death.

Keybase is an attempt to build a web of trust on our social accounts and the websites we host. It's a free service built by two of the co-founders of OKCupid, Chris Coyne and Max Krohn.

The basic idea of Keybase is that if you trust that I, Jeff Reifman, control my Twitter account, GitHub account and my personal and consulting websites, then you can trust the public key that has been authenticated by postings to those accounts and websites. In fact, if you click on the preceding links, they are postings to all of those places (or DNS entries) that help to authenticate my public key hosted with Keybase.

Keybase actually spells out its implementation of the Web of Trust for each. Here's an example of why you should trust my Keybase public key given a DNS TXT record for my website, JeffReifman.com.

Essentially, I used my private key to sign my public key fingerprint.

Then, Keybase created a hash of this signature and asked me to post a DNS TXT record for JeffReifman.com.

You can verify the DNS record with the lookup tool of your choice.

Keybase also asked me to tweet a similar hash to my @reifman Twitter account.

If my websites or Twitter account are hacked or compromised, I can revoke these verifications through the Keybase site. Similarly, other Keybase users will discover this when they try to encrypt messages for me and notify Keybase.

If you're a whistleblower wishing to send me confidential documents—perhaps you work at the Washington State Department of Revenue and feel compelled to email me Microsoft's actual state royalty tax payments for 1991 to 2012—you could use Tor to create an anonymous email address and encrypt a message to me using the public key validated on the Keybase profile for Jeff Reifman:

Of course, you would never do that because it could be considered illegal and embarrassing to Microsoft, unless you were a whistleblower.

Getting Started With Keybase

For now, Keybase is mostly invitation only, but by the time this episode is published, it's likely been made available to the public. Currently, there's a signup queue for the beta release:

Creating a Key Pair

Once you've signed up, you need to import or generate a public / private key pair and verify your social accounts and websites.

First, we add a public key, so I chose I need a public key:

Then, Keybase uses math, complicated math, to generate me a public / private key pair:

See, lots of math:

When it's done, it offers to host your private key as well. Depending on the threat level with which you live, you may be comfortable with this, or you may wish to export your private key to a USB drive.

Here's my Keybase profile now with my public key fingerprint. Anyone wishing to send me an encrypted message can get my public key at https://keybase.io/jeffreifman:

But of course, they'd have little reason to trust it's me. We need to work through Keybase to verify our public key with my social accounts and websites.

Verifying Your Identity With Keybase

Let's begin with my Twitter account.

Using Your Twitter Account

Keybase will ask for my Twitter account name. I'm @reifman.

Then, Keybase will use your passphrase to sign your identity for Twitter:

When ready, it will ask you to tweet this signed hash:

Here's what the tweet looks like on your account:

I make it easy for people to find my public key by linking to my keybase profile on my Twitter profile.

Once Keybase verifies I've tweeted, it shows this verification on my profile:

Using GitHub

Now, let's verify my GitHub account. Keybase will ask you to post a file as a GitHub Gist:

Here's the proof they ask you to post (yours would be different):

### Keybase proof

I hereby claim:

  * I am newscloud on github.
  * I am jeffreifman (https://keybase.io/jeffreifman) on keybase.
  * I have a public key whose fingerprint is 4D3E 6456 A60E 3C14 D960  3FE2 6011 E858 FC97 F62D

To claim this, I am signing this object:

```json
{
    "body": {
        "key": {
            "fingerprint": "4d3e6456a60e3c14d9603fe26011e858fc97f62d",
            "host": "keybase.io",
            "key_id": "6011e858fc97f62d",
            "kid": "0101c331795c39328790d7bf00d8fbb08bb575da025831c6d02d57d7f0d2c68b67a00a",
            "uid": "1aac78a885b0e7a1b38253c5a1a3d919",
            "username": "jeffreifman"
        },
        "service": {
            "name": "github",
            "username": "newscloud"
        },
        "type": "web_service_binding",
        "version": 1
    },
    "ctime": 1427496926,
    "expire_in": 157680000,
    "prev": "95bbd6feb2e1ef514b412de5c24d11ce13134399a66344d5a39def3e69ef7341",
    "seqno": 3,
    "tag": "signature"
}
```

with the key [4D3E 6456 A60E 3C14 D960  3FE2 6011 E858 FC97 F62D](https://keybase.io/jeffreifman), yielding the signature:

```
-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.8
Comment: https://keybase.io/crypto

yMIZAnicbZJdSBVBGIaPptaxrCDLlCzZLJUOMbOzvwe6qBC6UJLQFDRsZmdWV3PP
cc85HsWs6AeTfrzwQrsoqCwSyhQiJLJM7SIiFJSEKEXNyIs0KjE0qV2xi6C5Geb9
nvdl5puvP26VKzai/mPa0RtrcFnE6xf7Qq68zWOjtRzx0RrOW8uVs+VNN8wSZvkt
wwxyXk6giEmCKGEJMKRBgaoSQDrjJQAhU0RF11RZl3jKebhSX8Bx2DEEB9hew2dr
9qHYoLb6H758uQAggBpCUFZFDamIV2QVUJnoAFBFJwQohIiySDHgRQVBTaKAp6JM
ZR1QXpMUIskYAGzHhZbjIMaarGBFEQlgMoYEKbyINBFDjKgKVQcMMMvEFcymy5iu
W8zQK7DJ1Xk4u1BlaMzpwgpQYgRLQ+Rfk8nCAe2EL0QdS7DG72hhRopX3MXEMKnd
Q9tUxayA4TM5L7RJLWg4dijwsqBKKi95OFbtNyxWbDiEKEsKsJeH81usyo5URUKo
pDPCM8h0EQpEgDxlosYLFEKNQQSRgFQVSxISBCpipFKm27+lMl1GAuSc91SaPs6L
7GviEjsyYJSYOBiyGFfX21MU5YqIdcVERzpT4Ip1b/w7G89vrl6MOeduzA4fe5e8
ZfvjqdSF/M7c1kPhxYXOGffO+rF5OHFSCGjDvt0/5idmUlon+xrWD6RUj7S1xJ0q
evSgPckTn1GU3DuWsC1afzWbFTUUuWsqdhw2ZSZW9lxWdPP3y7OscPJ4493pXq27
c3zTVOjgwJKb+5p5dfRLR87F4e93mgb9iR0DCW2z1/I+q2nuS58qsn7lDN7y9syZ
ewKg680HGiwIV3f3Pml82J9Nmp+F09+3ub4VVDRkpktDBSMZOUeWrvws5M+33D4Q
PZG7bu2G01lto/MX0tLqts4RvH/6bdKZHU/v5Tdn9UUtVd0viPdfL5s5/MZI7Wod
cHVGtltLfwDbHyoj
=4Oej
-----END PGP MESSAGE-----

```

And finally, I am proving ownership of the github account by posting this as a gist.

### My publicly-auditable identity:

https://keybase.io/jeffreifman

### From the command line:

Consider the [keybase command line program](https://keybase.io/docs/command_line).

```bash
# look me up
keybase id jeffreifman

# encrypt a message to me
keybase encrypt jeffreifman -m 'a secret message...'

# ...and more...
```

When verified, my GitHub credential will be posted on my Keybase profile:

Using Your Website(s)

Now, let's verify my Jeff Reifman website:

You can either post a text file or set a DNS TXT record. I chose the latter. Keybase will ask for your domain name:

Then, it will ask you to post this DNS TXT record:

It may take a few hours to propagate and get verified by Keybase:

Using these authentication trails, people who find my public key on Keybase can be relatively sure they are encrypting messages for the correct Jeff Reifman — or all of his accounts have been hacked and neither he nor anyone else has noticed (unlikely).

Here's what my completely verified Keybase profile looks like:

Sending an Encrypted Message

Keybase also makes it easy to send encrypted messages to other Keybase users. I sent a note to Chris Coyne to let him know I was writing this tutorial.

I enter my passphrase and click Sign & encrypt. It's easy.

Keybase is also a sophisticated command line application. You can also use it to encrypt and decrypt messages. In fact, there are advantages to doing this. Your client can perform verification checks that aren't as reliable as using the website (which could be compromised in a variety of ways without you realizing it).

Once encrypted, Keybase will provide me plain text which I can paste in an email to Chris:

If someone other than Chris receives it, all they'll see is gibberish:

Decrypting a Message

Similarly, to decrypt a message, I can paste a PGP message from anywhere into Keybase, enter my passphrase and click Decrypt:

Inviting People You Know

Keybase becomes more useful as more of your contacts use it. Fortunately, inviting friends and colleagues to Keybase is easy:

You can even reclaim invitations if people don't use them.

What's Next?

Keybase takes a big step forward in making the sending and receiving of encrypted messages easier for people. I'm excited to see how the service continues to evolve. 

What are you waiting for? Go invite some friends to join you at Keybase and start emailing more securely with encryption. It's time to encrypt your email.

Please feel free to post your questions and comments below. You can also reach me on Twitter @reifman or email me directly. You can find my other tutorials by browsing my Tuts+ instructor page. 

Related Links

• It's Time to Encrypt Your Email: An Introduction (Tuts+)
• It's Time to Encrypt Your Email: Using GPG Tools (Tuts+)
• An Introduction to Public Key Cryptography and PGP (EFF)