Encryption is something we should all be using, but it’s still too hard for the average person to understand.
Apps like Signal from Open Whisper Systems are great for basic chat where you can be sure nobody will be able to intercept and read your messages. Even iMessages are pretty well protected from prying eyes. But encrypting email and sharing files between two or more people in a secure and private manner is still really tricky to setup and use and because of that, it’s not all that common.
How many people do you know that you can send a PGP encrypted email to? How many people do you know who have even heard of PGP encrypted email?
Why does this matter?
Maybe you are in the “I’ve got nothing to hide” camp. Sure…you might think that is the case, but I’m willing to bet that you actually have plenty to hide. Criminals aren’t the only people who might want to keep things private or secret. Does your company have secrets that you wouldn’t want competitors or even your own customers knowing about?
Perhaps you want to be able to send your credit card or banking details to your spouse in a secure way. Or maybe your doctor will want to send your latest test results to you (and only you). With encryption, you can be sure that the contents of the email can only be read by you, even if someone else accesses your data.
Look at the recent hacks of the Democratic National Committee and John Podesta that ended up on Wikileaks. Had the DNC and Clinton used PGP encryption, whoever got their hands on those emails wouldn’t have been able to read them. No embarrassing opinions about other people in the open and no media to deal with.
You’d think someone like a US Secretary of State who was using a private email server would have been smart enough to require anyone who communicated with her to do so with PGP encryption…she could have saved herself a lot of trouble!
Be smarter than she was.
Keybase is a relatively new website and service that aims to put PGP encryption into the hands of more people. It combines easier ways to encrypt, decrypt and digitally sign messages with a really interesting idea around identity validation. As they say, “Keybase maps your identity to your public keys, and vice versa”.
Previous to Keybase coming along, it was the case that someone could look at this website and say that it was “probably” the same person as @jameskoole on Twitter.
With Keybase, the idea of “probably” the same person becomes “provably” the same person. How does it work? Like this:
If I can post a tweet to my Twitter account, then that’s me. So Keybase gave me a very specific text to tweet and they they checked for it. Similarly, if I control the DNS entries on my domain name, then it stands to reason I could put a very specific TXT record in place that they can check for. If you dig the DNS on jameskoole.com, you’ll see a TXT record that serves as my Keybase verification.
Here’s my Twitter “proof”, for example:
Verifying myself: I am jameskoole on Keybase.io. m1Twre81pYtkmsHYeLtWiRkpcP5SviU9rA8t / https://t.co/9IzQQz5LJQ
— James Koole (@jameskoole) October 31, 2015
You can look at my Keybase profile to see the various identities that are “provably” me.
The next big piece of the puzzle is for Keybase to provide ways to sign, encrypt and decrypt messages sent to me by others who wish to contact me securely and privately.
PGP is the key here (pun intended). OpenPGP is an open source, well-known encryption protocol that works by way of a public/private key pair. A message to me can be encrypted with my public PGP key. Once encrypted, the only thing that can decrypt that message is my private PGP key.
On Keybase, anyone can get and use my public key to create an encrypted message that only someone with my private key (in other words, only me) will be able to view. And I can do the same with anyone else on Keybase.
The idea of a PGP public key server isn’t new. But what is new is that Keybase allows users to link their online identities to those keys. So I can look someone up on Keybase by their Twitter handle and send them an encrypted message, knowing that I am sending it to the right person.
Encrypted Messages are great, but what if you want to send data like a text file, or a picture or a Word document. Keybase Filesystem (KBFS) extends Keybase and creates something like a secure, PGP-signed or PGP-encrypted Dropbox sharing service. You can see my public Keybase folder here which contains files that are automatically signed by me so you know that they come from me.
With KBFS, I can share things like passwords with others on my team at work as easily as dropping a text file into a folder. I can share files with anyone on Keybase, and those files are automatically signed (so people know they are from me), and encrypted (so only they can open and read/view them).
A lot more work to do
Is Keybase easy enough for anyone to understand and use? No. Not yet. But with a little effort and learning, I think anyone can get set up on Keybase and start messaging and sharing securely. If you don’t have a PGP key yet, Keybase will help you create one. If you already have a PGP key, then you can use that with Keybase.
Even if you don’t know how any of this works, you can send me an encrypted message. Give it a try! Go here, and enter my username (jameskoole) in the recipient box. Type your message in the Message to encrypt box and click encrypt!
You’ll see something like the text below, which is a secret message that only I can read because it’s encrypted with my private key. And because it’s just text, you can email it to me like any other email, except nobody else will be able to read it, even if they hack into my email or tap into the network along the way.
-----BEGIN PGP MESSAGE----- Version: Keybase OpenPGP v2.0.58 Comment: https://keybase.io/crypto wcBMA9DJBBBZz8ZHAQgAlJqAAlFGyxhHXmAxr79YQ2ZdwpR4e3PPCPgV7QTlLxpC 1cO5JDZwi0oDJ3MFCeo4XQgFKpqO5V8WwqtTbu9eqmSfDF6KHvm3f+vwtfJEomu9 bqEpT0CIIYZTW0S3soOJo3coMJBxx8eUfpgbWoz0MPR3wGfgOnGify4ikuVU8go7 YcPJB4jW0I01nUIU7rAD8+ZfbpKqAhIi6J2C6GafvCbiGAa78yAdFk227xwvyWC+ VANUpmg8oiZWibaF/3TsNXrdqLbUau1OOJv9DCmG4O5jZDCESQje2bvt239V6cWJ ynW1QXOlhc+uJBJTuP4m4g0EVi3JP5+ffaVmfmiz8NJXAfnjehd0sHgvvD0RxGEb HRFhoEo7GPw6J3Nn2LBYfab+xHDWGlZ5diJ/RbU5BrWyrZMEJdZhDZRM80i2wZJl AJaLHAcbT5Spden7E7Eh0Vx+Oi9TZ19F =vwhL -----END PGP MESSAGE-----
Check it out, sign up and learn!
I’d really encourage everyone to check out and sign up for Keybase. Maybe you know a bit about encryption, or maybe not. Use this as an excuse to get educated. This stuff really matters and as time goes by, it’s going to matter more and more.
Keybase is a service that deserves to exist and that makes acquiring using encryption technology much simpler.
For a deeper explanation of the KBFS, there’s a good explanation here that spells it how it works better than I can.
Keybase is currently available via invites only, but I’ve got a bunch. Drop me a line in the comments, or hit me up on Twitter and I will get one out to you.