Passing credentials securely with Keybase
A method to transfer secret data safely with minimal effort
A method to transfer secret data safely with minimal effort
As a software developer I need a level of access to business critical systems far beyond what normal users require. I need to be able to:
Edit the software that runs those systems
Access and debug that software in a production environment
Access ancillary systems to debug that software
This is a privileged position to be, and one that I take extremely seriously. I work at a software agency, which means I and my colleagues build the software of third party companies to help them serve their users. Generally speaking we take over projects that already exist, rather than designing them from the ground up. This means transferring the credentials that access these production systems — the same credentials that give access to critical user data.
These credentials need to be transferred in a way that only the person who is sending them and me, the recipient, are able to read those credentials. It turns out there are few ways to do this:
Slack/Hangouts/${CHAT} might be encrypted in transport, but not at rest and not exclusively to me and my partner
Whatsapp / Signal work, but aren’t super good in a professional context
However, there’s a pattern I’ve hit on that I quite like: Keybase. It works like this:
Navigate to keybase.io/encrypt#andrewhowdencom
Enter a message that contains the credentials, and hit “encrypt”.
Take the content that starts
BEGIN PGP MESSAGE
and send it via a normal email
That’s it!
How does it work?
Keybase is built on top of PGP, or “Pretty Good Privacy” is an encryption specification based on public-key cryptography. Without going too far into the details, I have a:
Public key: used for encrypting content, and verifying signatures
Private key: used for decrypting content, and generating signatures
As the name suggests, the private key is private — specifically, it’s stored on a Yubikey on my keyring. That means only someone who has my keyring and the associated pass code can decrypt the content that is encrypted with the public key.
Traditionally PGP was the domain of “serious computer people”; of Linux nerds, hackers and encryption geeks. However, keybase.io has done some tremendous work making PGP more accessible and usable to the general public. It allows a public chain of trust, endorsements and the signing of various public properties such as Twitter, GitHub etc. Essentially, it provides a way to say “yes, twitter.com/andrewhowdencom is github.com/andrewhowdencom”.
And, most importantly for our purposes, it provides easy ways to encrypt things with the public key.
Is it safe?
Fairly safe. The encryption happens in the browser itself, without querying the server except to fetch the public key. That means although it’s a website, you’re never sending your data to Keybase.
PGP itself is as safe as the user. It can be bespoke and a bit fiddly, but the standard itself is safe enough. It’s still in wide use in the hacker community, and is the defacto standard for reporting security vulnerabilities safety. So long as the important bit is replaced with the -----BEGIN PGP MESSAGE-----
, it’s secure in transport.
In terms of my safety, I
Keep the private key on a Yubikey
Keep a short expiry on public keys
So, it’s safe.
Can I get a keybase?
Yes!
For beginners, there’s a version of Keybase where keybase takes care of all key management, storing the “ultimate” private key and handling the issuing of subkeys etc. Basically, they take care of the nerdy stuff.
For developers, experts or the ambitious it’s better to purchase and use a Yubikey instead. While it’s unlikely that keybase will get compromised, PGP forms the root of a whole series of other sets of trust, and it’s one of the things we should be truly careful with.
In Conclusion
There are times when the need to transmit data that is very sensitive in nature is unavoidable. However PGP and it’s friendlier cousin, Keybase, give us a set of primitives that allow reliable and safe transferring of secret data.
Give it a go!