5

I was just reading some articles about keybase.io:

And I'm confused about this statement:

I really hope you didn't upload your private key, "client-side crypto" or not!

Assuming that your private key is actually encrypted on the client side, what is the problem with uploading it?

Of course, being paranoid I created a key specifically for use with keybase.io...

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
Wayne Werner
  • 1,755
  • 3
  • 15
  • 20
  • Keys are often encrypted with passwords, which can be bruteforced. – André Borie Dec 31 '15 at 07:42
  • 2
    With public-key cryptography, you share only public key for encryption. Private keys are kept private/secret. If you share private-key, you compromise the PKI. – Ajay Dec 31 '15 at 09:12

1 Answers1

4

Assuming that your private key is actually encrypted on the client side, what is the problem with uploading it?

The private key is usually encrypted (but not necessarily). Anyway, a private key is much stronger than a "normal" passphrase and enable brute force attacks against the private key. Sharing the encrypted private key would actively harm your security.

The encryption of private keys with a passphrase is more to be considered an additional protection against accidental leakage and not meant to be a safe way of sharing it with the public (or any other untrusted entity like keybase.io).

But there's more to it: there is no real use in sharing your private key. All cryptographic operations involving others are based on the fact you only need to share (and should share) the public key. Encryption of messages to you is performed using your public key (and the private key is only used for decryption), signatures issued by your private key are verified using your public key. If everything you want to achieve is sharing your private key amongst your own machines, better choose a way that does not involve non-private channels like "cloud" services. Remember the private key changes very rarely, and putting some effort in offline transmission usually should not be an overly large hassle. Consider using subkeys to make key management easier.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
  • I didn't know about subkeys, I need to look into that! – Wayne Werner Dec 31 '15 at 14:02
  • Private keys should always be kept private and never shared. –  Dec 31 '15 at 23:27
  • If this is a comment on my post, the only place I mentioned sharing private keys is "sharing your private key amongst your own machines" -- and this is a very reasonable scenario and does not make your private key public. – Jens Erat Jan 01 '16 at 10:16