+ KeePass

Over the past couple of weekends, I've been trying to dig in and fix my crypto life - up until this point I have been using LastPass and 2FA through Authy, and that was the extent of my personal security. I'd never touched GPG before (or PGP for that matter). While I've seen it around I had never read into it much or used it to any extent other than what's automated through ProtonMail or verifying packages through package managers.

One of the first things I wanted to do was move away from LastPass. I'd been having some issues with it recently - a lot of bugs in the Chrome extension. KeePassX2 was the most evident solution. I'd heard enough about it, and it gets away from using proprietary software and storing all the important information on somebody else's servers. I gave up trying to import directly to KeePassX and just copy/pasted directly from the CSV I got from LastPass. I'm now using Keepass2Android on my phone - it's working very well and I've had no issues. I can sleep at night again.

The more substantial part of my weekends has been working with Keybase. It's an open source cryptographic manager built on Go to try to bring crypto to "everyone," not just programmers. It's easy enough to do the bare minimum, which is basically just connecting Twitter and Facebook together to prove you're the same person. In order to do much more than that it encourages you to post your public key and install the app.

Keybase also provides some other services including end-to-end encrypted chat and file sharing capabilities up to 10GB. The way you can store files is a little unique - you have private and public folders where you can put files, but you can also share files specifically with other people, like so: /keybase/private/me,you. If they don't have an account yet, you can reference their Twitter name for example (/keybase/private/me,you@twitter). Once they verify that account, they can see the files. Everything's encrypted too, evidently. There's so much documentation. Glorious.

My only complaint is that they let you trust them with your private key. It's not necessary by any means in order to use the service. I suppose some people really don't want to touch the command line, but it seems a bit oxymoronic.

Does anybody else use Keybase? Concerns/thoughts?

BEGIN KEYBASE SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5wcIkHbsEf7B4I s40GxXLj4MXf0J1 9Jn88Jj38m4jW4y NFRY9GfRDcyYscC 2IQZ0Jp0jOvKYbh UgOkwXh8BnzpqmN Ov1vMqtBnGNfX3C BroJDvXzp0ijyzH 6uqhX6VASmpSzE3 Ib3arViOLtPM8B3 7qLYGI50fs0lsJ9 WpUQUBs8WIwbRVr qLaXxEPpHwZguYO RzAvCO3JLy6icDg uBpOBFfvgVDoCGC rdp7Ugx13AjKI4P 2H8wSC98TVIUg01 IBocsxGdxslftj4 H9I7umUOwl96HZ3 nLF3T1P5jfBg. END KEYBASE SALTPACK SIGNED MESSAGE.
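A small parser for the folder-path convention described in the post above, added here as an illustration; it is not Keybase's code. The /keybase/private|public/ layout and the name@twitter form for not-yet-verified readers come from the post; the username character rule and the set of accepted proof services are assumptions made for the example. The review function flags the access implication the post mentions: a social-proof reader slot is filled by whoever later proves that account.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed username rule for this example (not taken from the post):
# lowercase letters, digits and underscores, 2-16 characters.
USERNAME = re.compile(r"^[a-z0-9_]{2,16}$")

# Proof services accepted in a reader slot. Only "twitter" appears in the
# post; treat this set as an assumption to extend locally.
SOCIAL_SERVICES = {"twitter"}


@dataclass(frozen=True)
class Reader:
    name: str
    service: Optional[str] = None  # None: a Keybase account; else a social-proof assertion

    @property
    def pending(self) -> bool:
        """True when access hinges on someone proving this social account later."""
        return self.service is not None

    def __str__(self) -> str:
        return self.name if self.service is None else f"{self.name}@{self.service}"


@dataclass(frozen=True)
class Folder:
    visibility: str               # "private" or "public"
    readers: Tuple[Reader, ...]   # the comma-separated member list


def parse_kbfs_path(path: str) -> Folder:
    """Parse /keybase/<visibility>/<member,member@service,...>[/file...]."""
    parts = path.rstrip("/").split("/")
    if parts[:2] != ["", "keybase"] or len(parts) < 4:
        raise ValueError(f"not a KBFS folder path: {path!r}")
    visibility, members = parts[2], parts[3]
    if visibility not in ("private", "public"):
        raise ValueError(f"unknown visibility {visibility!r}")
    readers: List[Reader] = []
    for member in members.split(","):
        name, _, service = member.partition("@")
        if not USERNAME.match(name):
            raise ValueError(f"bad username {name!r}")
        if service and service not in SOCIAL_SERVICES:
            raise ValueError(f"unsupported proof service {service!r}")
        readers.append(Reader(name, service or None))
    if len(set(readers)) != len(readers):
        raise ValueError("duplicate reader in member list")
    return Folder(visibility, tuple(readers))


def review(folder: Folder) -> List[str]:
    """Return human-readable findings about who can end up reading the folder."""
    findings: List[str] = []
    if folder.visibility == "public":
        findings.append("public folder: readable by anyone, not only the listed members")
    for r in folder.readers:
        if r.pending:
            findings.append(
                f"{r}: readable by whoever later proves control of that {r.service} account"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample paths mirroring the two forms in the post.
    for p in ("/keybase/private/me,you", "/keybase/private/me,you@twitter", "/keybase/public/me"):
        f = parse_kbfs_path(p)
        print(p, "->", [str(r) for r in f.readers], review(f))
```

Run it directly to see the parsed member lists and the findings for each sample path; feed it your own paths to check which reader slots are still pending before you drop sensitive files into a shared folder.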

I'll be monitoring this. I'm completely happy with LastPass for everything personal, but for work I need a good solution other than KeePass.

My problem with all things encrypted in communication is that no-one on the other end is ever willing to cooperate. I've been looking at VeraCrypt, BitLocker and encrypted ZFS over the last couple of days and am still undecided.

Public key encryption has provided the ability to sign and communicate securely for ages. The fact that the internet is driven on advertising means that all the big providers spy as a business. The small number of businesses that provide secure communications are often American companies that are required by law to provide a backdoor for law enforcement. This leaves us with peer-to-peer open source or someone hosting a server in Kazakhstan, managing it through Tor and paying with Bitcoin. This someone by definition is fairly hard to trust.

So peer to peer. Thunderbird has offered a plug-in for RSA encrypted email forever. No one I know is interested and almost without exception they use Microsoft Exchange Server or Google. Pidgin provides an encrypted plugin for texting... Signal provides encrypted video calling but again Skype and Hangouts dominate my calls followed by WebEx, BlueJeans etc.

There are good secure solutions across the entire gamut of collaboration software but the customers aren't even considering privacy as a requirement in their use cases. The fact that Microsoft and Google are required to backdoor their software by law is not of much interest to the majority of people. The threat model does not consider state actors acting legally as an enemy and in Google's case the users are the product rather than the customer.

So I could rant further but in practice the rant is not important because mostly people don't care and the convenience gained far outweighs the loss of privacy for the vast majority.