by hughpeters 2391 days ago
One of the companies I do contract work for uses Keybase to share credentials between engineers. Like database credentials, AWS access keys, etc. Including production credentials. I felt like it was a security risk when they started sharing creds with me over Keybase but didn't know enough about Keybase at the time to feel comfortable saying something, so I just followed their process.

Does anyone here use Keybase for this use case? Is it secure?

5 comments

I've used it for this use case. When I onboard new employees, I add them on Keybase and have them add me, and then I send them their AWS keys via Keybase chat.

I've also used it to exchange AWS keys and other credentials when consulting.

I chose Keybase because it was the easiest chat to set up with end-to-end encryption that works on the desktop, where I generally needed to be to copy/paste the keys.

It's certainly not the most secure way to share keys, but it's fairly secure and a decent trade off since I consider the credentials I'm sharing on there to be medium value at most.

It depends. If you use the official app, then it's sort-of end to end encryption but with an asterisk that you have to trust their servers not to mess with you from the beginning. They can't start intercepting at will, though; they have to target you from the beginning, and if the server did that with everyone, odds are that someone would have caught on by now. So it's probably fine.

If you use a client where you can view the crypto keys for out of band verification (I think the command line client can do this, but it's awful to use as daily driver), then it is actually end to end encrypted, and you should only have to do this once.

Verifying your key in the command line client and then using the app will not do, since the server can selectively lie to your app. I'm not saying it's likely, but when speaking of sending the keys to the kingdom through it, it can be a reasonable precaution to verify crypto keys for the client you're using, depending on your company and threat model (if you're in the USA, well, so is Keybase, so that's less of an issue than when you're in Iran and you think Keybase is magically end to end encrypted with no verification needed, as their docs suggest). Since all devices connected to your account receive a copy of the data, it doesn't matter which device you use to send or receive the secret keys.

Yes, and yes it is secure. That is to say the data is encrypted and only you and the person(s) you are sending to have access to it.

I have used it for credential sharing and use kbfs (Keybase's encrypted file sharing) for a simple secret storage mechanism for shell scripts. I map my encpass (https://github.com/plyint/encpass.sh) directory to kbfs.
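
As an added illustration of the kbfs-backed secret store mentioned above (example code, not from the thread, from Keybase or from encpass): a fail-closed shell helper that reads and writes secrets under a KBFS private folder. It assumes the default Linux mount at /keybase; SECRET_DIR and KEYBASE_USER are assumed overrides used for other mounts and for testing.

```shell
#!/bin/sh
# Added example: minimal secret store for shell scripts backed by a KBFS directory.
# Assumption: KBFS is mounted at /keybase (Linux default) and secrets live in the
# caller's private folder; SECRET_DIR overrides the location for other mounts/tests.

secret_dir() {
    # Fail closed: never create the directory. If the KBFS mount is absent,
    # /keybase/private/<user> does not exist, and creating it would silently
    # write plaintext secrets to the local, unencrypted disk instead.
    dir="${SECRET_DIR:-/keybase/private/${KEYBASE_USER:-$USER}}"
    if [ ! -d "$dir" ]; then
        echo "secret store $dir not present (is KBFS mounted?)" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Reject empty names, path separators and dotfiles so a name cannot escape the store.
secret_name_ok() {
    case "$1" in ''|*/*|.*) echo "bad secret name: $1" >&2; return 1 ;; esac
}

# secret_put NAME  reads the secret from stdin and stores it as NAME (mode 0600).
secret_put() {
    secret_name_ok "$1" || return 1
    dir=$(secret_dir) || return 1
    ( umask 077; cat > "$dir/$1" )
}

# secret_get NAME  prints the stored secret; use $(secret_get NAME) in callers.
secret_get() {
    secret_name_ok "$1" || return 1
    dir=$(secret_dir) || return 1
    [ -r "$dir/$1" ] || { echo "no such secret: $1" >&2; return 1; }
    cat "$dir/$1"
}

# Typical use in a script:
#   AWS_SECRET_ACCESS_KEY=$(secret_get aws_secret_access_key) || exit 1
#   export AWS_SECRET_ACCESS_KEY
```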

I've used it for this purpose before at a tiny startup. It's nice because you can script around directories in the Keybase Filesystem.

That said, our threat model and security concerns were minimal... we didn't store any PII, for example.

The team really appreciated it because of the tool's low barrier to entry and ease of use.

I've used 1Password for this in the past. Maybe you should ask them to switch to that?