I updated some old GPG keys last year after using the same 1024-bit RSA key from 2004. (Honestly, I was just impressed that I managed to dig up the private key in order to revoke it.) I had set the new subkeys to expire every year, and while renewing them I took another look around to see if GPG/encryption had gotten any easier.
On the other hand, there was some neat new stuff being built to use your signing key as a way to verify social accounts, in addition to making your public key available and tied to those accounts.
Keybase.io was set up to make encryption key lookup (keyserver) and (social) identity verification easier.
As a quick and dirty refresher, public-key cryptography means that I have a pair of cryptographic keys, private and public. My public key is made, well, public so that anyone can see it. This means anyone can encrypt a message or file using my public key, and that message can only be decrypted with my private key.
It also means that I can sign things with my private key and anyone can verify that I did so.
At its simplest Keybase.io can act as a simple keyserver, that is, a central place to see the public keys of other users. The Massachusetts Institute of Technology (MIT) has been running a keyserver for a long time already, for instance. The MIT keyserver functionality is decidedly limited, only allowing uploading, downloading, and revocation of keys. Verification that the keys belong to the correct person is usually left to the user (getting wild at a key signing part-ay).
Keybase.io goes a little bit further by allowing a user to sign a verification that can get posted to various social media accounts. In effect this allows you to prove that a social account is controlled by you, via your private key.
For instance, if you visit my profile page there:
You’ll find my various social accounts have all been signed by me using my private key.
For reference, my key fingerprint is:
66D1 7CA6 8088 4874 946D 18BD 67C7 6219 89E9 57AC
(I’ve added this to my About Page as well.)
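The proof mechanism described above, as an added example that is not part of the original post or of Keybase's own code: a throwaway GPG key in an isolated keyring clear-signs a constructed proof statement, and a small check verifies the signature and compares the signer's fingerprint to the one we expect, which is what a reader does when checking a proof posted on a social account. The user id, address and statement text are constructed values; it assumes `gpg` 2.1 or later is installed.

```shell
#!/bin/sh
# Added example (not from the original post): sign a Keybase-style proof
# statement with a throwaway GPG key, then verify it against a known fingerprint.
set -e

# Isolated keyring so nothing touches the real ~/.gnupg; removed on exit
export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Throwaway signing key; "demo-user" and the example.invalid address are constructed
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'demo-user <demo@example.invalid>' rsa2048 sign never 2>/dev/null

# Fingerprint of that key: the value a site like Keybase (or an About page) publishes
EXPECTED_FPR=$(gpg --batch --with-colons --fingerprint 'demo@example.invalid' \
    | awk -F: '$1 == "fpr" { print $10; exit }')

# Constructed proof statement: "this key claims this social account"
printf 'I am demo-user on example-social, and this is my GPG key.\n' > "$GNUPGHOME/proof.txt"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --clearsign --output "$GNUPGHOME/proof.asc" "$GNUPGHOME/proof.txt"

# verify_proof FILE EXPECTED_FINGERPRINT
# Succeeds only if FILE carries a good signature made by the key whose
# fingerprint is EXPECTED_FINGERPRINT; a modified statement or another key fails.
verify_proof() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $2 " || return 1
}

# Tampered copy: the signed text is edited but the signature block is kept
sed 's/demo-user on example-social/someone-else on example-social/' \
    "$GNUPGHOME/proof.asc" > "$GNUPGHOME/tampered.asc"

if verify_proof "$GNUPGHOME/proof.asc" "$EXPECTED_FPR"; then
    echo "proof verified, signed by $EXPECTED_FPR"
fi
if ! verify_proof "$GNUPGHOME/tampered.asc" "$EXPECTED_FPR"; then
    echo "tampered proof rejected"
fi
```

Checking the fingerprint, not just "good signature", is the important part: any key can produce a good signature over a claim, so the claim only means something when the signer's fingerprint matches the one published out of band.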
Conveniently, you can also encrypt a message to me using my public key right on the site (using the PGP Encrypt button).
This gives you a neat little message box to enter a message to me:
After hitting the Encrypt button, you get your message ready to email, text, message, whatever to me, and I’m the only one who will be able to read what you wrote:
This is also easily done if you already have your own keys and GPG installed on your machine, but it’s nice to have it available here so simply. I’m also going to put my full public key on its own page here at /about/GPG.txt.
They go even further and allow you to upload your private key to Keybase.io as well, but I’m a little more neurotic about holding onto that key and keeping it safe.
So if you want to invest the time to learn a little about the subject, it’ll be worth it. Of course, you may feel a little like I do sometimes (last relevant xkcd, I promise):