Neil Turner's Blog

Blogging about technology and randomness since 2002

Keybase – a new PGP directory

Screenshot of the Keybase home page

Apparently, the one thing the internet needs right now is a new PGP key directory! I bet you can’t contain your excitement!

Sarcasm aside, Keybase is a new PGP key directory, albeit one with a difference. Whereas most, like PGP‘s own Global Directory, validate purely based on the email addresses contained in the keys, Keybase intends to be publicly auditable and linked to social media. That means that if you upload your public PGP key to Keybase, anyone should be able to validate that the key is indeed yours, and is in turn tied to your Twitter and Github accounts, and your web site. Its developers were the co-founders of dating site OKCupid.

As well as being a web site, keybase has a command line client available to download. It’s written in node.js – i.e. JavaScript – so you’ll need to install node.js on your computer, along with npm, the Node Package Manager. You’ll also need a copy of GnuPG, the open source clone of PGP – Mac users are best indstalling GPGtools and Windows users are best installing GPG4Win. Linux users probably have it already as generally GnuPG is used to verify digital signatures on packages. And you’ll need to create a pair of public and private PGP keys if you haven’t already done so.

Once you’re signed up, you will need to upload your public key to Keybase – either using the command line client or in the web browser. You’ll then be asked if you also want Keybase to host your private key – this enables more features on the web site, but some may be uneasy about doing so. That being said, keybase mostly uses JavaScript for cryptographic operations so most of the work happens in your browser, and not on Keybase’s servers – this includes authentication of your private key’s password. In any case, mine wouldn’t upload, apparently due to a cipher error.

You can then prove your identity, and at the moment, this can be done on Twitter, Github, and one or more of your own domains. This is done by tweeting a cryptographic hash, posting a gist on Github and uploading a file to your web server – all containing cryptographic data that someone can verify using your public key from Keybase. If your private key is hosted online, you can do this in the browser, but otherwise you’ll need to use the command line client.

Keybase is in its early phases. I’m guessing from its illustrations that support for Reddit profiles, and Bitcoin wallet addresses, are in the pipeline. And other than verify people’s keys, track other users to vouch for them, and send encrypted messages, there’s not a whole lot you can do on there right now.

Whilst I verify that I own this web site by including my web site’s URL in the key itself (available here), I suppose this is another way of proving identity on the web.

Public signups are not yet available, but at the time of writing I have two invites available. If you want one, let me know in the comments – I just need your email address.


  1. Do you still have an invite for Keybase?

    It will grade when I can get one 🙂

  2. Probably somewhat late with my reply, but do you still have the second invite left?