Over the past couple of weekends, I've been trying to dig in and fix my crypto life - up until this point I have been using LastPass and 2FA through Authy, and that was the extent of my personal security. I'd never touched GPG before (or PGP for that matter). While I've seen it around I had never read into it much or used it to any extent other than what's automated through ProtonMail or verifying packages through package managers.
One of the first things I wanted to do was move away from LastPass. I'd been having some issues with it recently - a lot of bugs in the Chrome extension. KeePassX2 was the most evident solution. I'd heard enough about it, and it gets away from using proprietary software and storing all the important information on somebody else's servers. I gave up trying to import directly to KeePassX and just copy/pasted directly from the csv I got from LastPass. I'm now using Keepass2Android on my phone - it's working very well and I've had no issues. I can sleep at night again.
The more substantial part of my weekends has been working with Keybase. It's an open source cryptographic manager built on Go to try to bring crypto to "everyone," not just programmers. It's easy enough to do the bare minimum, which is basically just connecting Twitter and Facebook together to prove you're the same person. In order to do much more than that it encourages you to post your public key and install the app.
Keybase also provides some other services including end-to-end encrypted chat and file sharing capabilities up to 10GB. The way you can store files is a little unique - you have
public folders where you can put files, but you can also share files specifically with other people, like so:
/keybase/private/me,you. If they don't have an account yet, you can reference their Twitter name for example (
/keybase/private/me,[email protected]). Once they verify that account, they can see the files. Everything's encrypted too, evidently. There's so much documentation. Glorious.
My only complaint is that they let you trust them with your private key. It's not necessary by any means in order to use the service. I suppose some people really don't want to touch the command line, but it seems a bit oxymoronic.
Does anybody else use Keybase? Concerns/thoughts?
BEGIN KEYBASE SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5wcIkHbsEf7B4I s40GxXLj4MXf0J1 9Jn88Jj38m4jW4y NFRY9GfRDcyYscC 2IQZ0Jp0jOvKYbh UgOkwXh8BnzpqmN Ov1vMqtBnGNfX3C BroJDvXzp0ijyzH 6uqhX6VASmpSzE3 Ib3arViOLtPM8B3 7qLYGI50fs0lsJ9 WpUQUBs8WIwbRVr qLaXxEPpHwZguYO RzAvCO3JLy6icDg uBpOBFfvgVDoCGC rdp7Ugx13AjKI4P 2H8wSC98TVIUg01 IBocsxGdxslftj4 H9I7umUOwl96HZ3 nLF3T1P5jfBg. END KEYBASE SALTPACK SIGNED MESSAGE.