what's keybase? why are so many people talking about it right now? what's with all those "it is proven!" posts? (long, serious) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

keybase is a website that allows you to prove that a given account or website is owned by you. to explain how this works, we'll need to briefly cover public key cryptography.

there are many ways to encrypt a file. one such way involves using a password to encrypt the file, which can then be decrypted using the same password. this is known as a symmetrical method, because the way it's encrypted is the same as the way it's decrypted - using a password. the underlying methods of encryption and decryption may be different, but the password remains the same. how these algorithms work is outside the scope of this post - i might make a future post about encryption.

public key encryption is asymmetrical. this means the way you encrypt it is different from the way you decrypt it. a password protected file can be opened by anyone who knows the password, but a file encrypted using this method can only be decrypted by the person you're sending it to (unless their private key has been stolen). if you encrypt a file using someone's public key, the only way to decrypt it is with their private key. since i'm the only one with access to my private key, i'm the only person who can decrypt any files that are encrypted using my public key.

my private key can also be used to "sign" a file or message to prove that i said it. anyone can verify that i was the one who signed it by using my public key. comparing the signature to any other public key won't return a match, and changing even one letter of the text will mean that the signature no longer works.

as the signing process can be used to guarantee that i said something, this means that i can use it to prove that i own, say, a particular facebook account. i could make a post saying "this is lynne" with my signature attached, and anyone could verify it using my public key. this is where keybase comes in.

the process of signing a post is rather technical, and everyone who wants to verify it will need to know where to get your public key. there are "keyservers" that contain people's public keys, but the average person won't know that, or what the long, jumbled mess of characters at the end of a message even means. keybase does this for you. after you create an account, it generates a public and private key for you to use. you don't even need to access these, it's all managed automatically. you can then verify that you own a given twitter, reddit, mastodon, etc. account by following the steps they provide to you. you just need to make a single post, which keybase will check for, compare against your public key, verify that it's you, and add to your profile. users can also download your public key and verify it themselves.

support for mastodon was only added recently and isn't quite complete yet, but it's ready to use and works well. this is why you might have noticed a lot of people talking about it recently. support for keybase is new in mastodon 2.8.

keybase can also be used to prove that you own a given website, again by making a public, signed statement. i've proven that i own lynnesbian.space with a statement here: lynnesbian.space/keybase.txt

it also provides a UI to more easily verify someone's signed message, without having to find and download their public key yourself.

keybase is built on existing and tested standards and technologies, and everything that it does can also be done yourself by hand. it just exists to make this kind of thing more accessible to the general public.

i've proven my ownership of this mastodon account (@lynnesbian), and you can verify that by checking my keybase page: keybase.io/lynnesbian/

keybase also offers encrypted chat and file storage, but its main feature is that you can easily verify and confirm that you are who you say you are. so if you see a website claiming to be owned by me, and you don't see it in my keybase profile, you should be suspicious!

#LynneTeachesTech

finally, this post itself is digitally signed by me! you probably noticed that weird "begin signed message" thing at the top! you can verify that it's me simply by pasting the whole post, top to bottom, including the weird bits at the start and end, but *not* including the content warning, into this page here: keybase.io/verify
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.1.0
Comment: keybase.io/crypto
-----END PGP SIGNATURE-----
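
Added example, not part of the original post and not Keybase's code: a small parser for the OpenPGP clearsigned framing used above, showing which bytes the signature covers and why the content warning must be left out when pasting. The sample message is constructed, and `text_digest` hashes only the canonical text (a real verifier also hashes signature metadata and checks the result against the signer's public key), so it is for comparing texts, not for verifying a signature.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def parse_clearsigned(pasted):
    """Return (hash names, canonical signed bytes, signature armor lines)."""
    lines = pasted.replace("\r\n", "\n").split("\n")
    start = lines.index(BEGIN_MSG)          # text before this marker is ignored
    sig_start = lines.index(BEGIN_SIG, start)
    sig_end = lines.index(END_SIG, sig_start)
    blank = lines.index("", start)          # one empty line ends the headers
    if blank > sig_start:
        raise ValueError("no empty line between headers and signed text")
    hashes = []
    for header in lines[start + 1:blank]:
        key, _, value = header.partition(":")
        if key.strip() != "Hash":
            raise ValueError("unexpected header: " + header)
        hashes += [v.strip() for v in value.split(",")]
    body = []
    for line in lines[blank + 1:sig_start]:
        if line.startswith("- "):           # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))     # trailing whitespace is not signed
    # Canonical form uses CRLF; the line ending before the signature is excluded.
    signed = "\r\n".join(body).encode("utf-8")
    return hashes, signed, lines[sig_start + 1:sig_end]

def text_digest(pasted):
    """Digest of the canonical signed text only (not the full OpenPGP hash)."""
    hashes, signed, _ = parse_clearsigned(pasted)
    return hashlib.new(hashes[0].lower(), signed).hexdigest()

# Constructed sample: a content-warning line, then a clearsigned block.
SAMPLE = "\n".join([
    "what's keybase? (content warning, outside the signed block)",
    "",
    BEGIN_MSG,
    "Hash: SHA512",
    "",
    "this is lynne   ",                     # trailing spaces get stripped
    "- -- a line that starts with a dash",  # dash-escaped by the signer
    BEGIN_SIG,
    "(constructed placeholder, not a real signature)",
    END_SIG,
])

if __name__ == "__main__":
    print(parse_clearsigned(SAMPLE)[1])
    print(text_digest(SAMPLE))
```
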

@lynnesbian I'm really, really looking forward to them adding first-party Masto support, I really like how much more accessible Keybase makes public key crypto, have gotten people using it who would otherwise never be able to figure out gnupg.
