Client: Add new device should NOT rely only on existing device…

Created on 12 Sep 2017 · 29 Comments · Source: keybase/client

Hello,

I wanted to add a new device to my keybase account, having already added the one at my office. A bit disappointing: in order to add my home laptop, I have to access my workstation at the office… Having my gpg private key at hand should be more than enough to prove myself, I think.

Hence, having a "local" way to prove "I'm me", like signing something as we do for all the other proofs, might allow people to NOT have to transport all their devices just to add a new one.

Thank you!

Cheers,

C.

All 29 comments

If you have your GPG private key on the machine, running keybase login yourname will ask you to provision and give you the option to sign using GPG.

Doesn't work in the UI though for some reason.

One of your "devices" can be what Keybase calls a "paper key", which is a list of random words intended to be printed (hence "paper") and stored in a physical location. A paper key is a full device key, and can be used to authorize a new device just like any other device key can.

You can generate one from the command line with keybase paperkey.

See also the command line docs

Hello,

Imagine this case:

  • you register your office workstation, because you want to be able to use keybase. Of course, it's a station locked in your office, because you can't take it home.
  • you go back home, and want to register your own private laptop, because, well, "why not".

How do you do that? paperkey? well, why, as I have my private gpg key on both computers? Really, this is a bad design, and keybase should allow registering any computer with the private gpg key as a second choice if no other registered computer is available…

That would improve the whole friendliness, allowing everything to be done smoothly, private gpg key present or not.

Cheers,

C.

should allow registering any computer with the private gpg key as a second choice

then

allowing everything to be done smoothly, private gpg key present or not.

Did you just argue with yourself? I am not following your meaning.

@dabura667 fact is: it doesn't allow you to keybase login <yourname> if you already have a registered device, unless you have that device at hand or a paper-key. GUI or CLI.

I had the same issue, and resolved it by

  • creating a paper-key on the registered machine
  • transferring that to the new machine
  • running keybase login <user> on the new machine: the paper-key is offered as an option to log-in.

Note that this _requires_ that you generate a paper-key (and keybase no longer creates one for you by default), if you don't then your list of login options is only the registered machine (which must be proximal of course). Some hints to the user that this is the case would be good UX :smile:

How do I add a new device if I permanently don't have access to previously added devices, including the paper-key? It seems like the only way around it is to create a completely new account, which is far from ideal.

@rosnovsky log in to the website and click the cog icon on the upper right of your page.

Click revoke all keys.

@dabura667 right, thank you. It is equivalent to creating a new account, though, since I'll have to re-create all the keys, prove identety and social ownership again, and basically start over just to be able to add a new device to a perfectly valid account that I have full control over. It's not ideal at all :(

But you don’t have full control. You just said you lost the private keys.

The private keys are your control; the only way to override your private keys is to revoke everything (a public record is left of your reset, so anyone who verified your public keys before the reset knows they must re-verify with you out of band so they don't end up talking to some hacker thinking it's you).

What alternative solution could you propose that would not leave open an attack vector?

You also should be revoking individual keys if you lose them. Otherwise someone who found the private key somehow could impersonate you.

Well, evidently I have no idea what I'm talking about. I'm not Keybase poweruser, so I'm sorry if I'm confusing 🍎🍎 with 🍊🍊.

I can log in to my account on the keybase website. I can encrypt/decrypt things. I can confirm or unconfirm my social networks and websites, export or delete my private key (I have it), revoke my public key, and so forth. I can do whatever the website offers. However, since I don't have any of the _devices_ I've added previously, I cannot add a new device now. I can't seem to find a way to use my existing private key when adding a new device without confirming this new device using a previously added device first.

@rosnovsky stuck in the same situation as yours, don't know what to do now.
Don't want to reset everything

@murarisumit Since there's no way around this issue, I had to reset everything and start over :(

Thanks @rosnovsky , will probably do the same then :{

Ok, I managed to get in with a new Paper Key! That did the trick. My iPhone is now verified. No need to reset all the Keys.

Run keybase log send from your gentoo device and we can debug it.

I already did that, see the Log ID here:
https://github.com/keybase/client/issues/9811#issuecomment-349615079

Just ran into this...

Why can't I use my private GPG key more than once to add a device? Why does it need to be a paper key or another device?

I have my GPG key with me on a yubikey with a good Pin. So I have my key stored securely. The paper key is probably much less secure than my GPG key is.

I too would like to use the GPG key on my smartcard, which I used for the first device. Don't see why it should be necessary to depend on a previous device.

I would also add that I would prefer to not have device keys at all and simply use my GPG key. If a device is compromised, no private key would be compromised if I always use my smartcard key. This would require keybase to interact with gpg-agent for example, which I'm not sure it was designed for.

Smartcard support would be nice (aka you can only be logged in while your smartcard is plugged in)

But remember, kbfs and teams etc. rely on sharing, revoking, rotating keys constantly, so it’s not too compatible with gpg’s key security model to begin with.

The problem for me is that I feel that device keys have equal power to the key on the smartcard in terms of performing further proofs or device additions, which feels like a prioritization of convenience over security.

a prioritization of convenience over security.

I think that's the goal.

Keybase security is less than the maximum security an expert of gpg can attain...

But a million times greater than your average joe using Facebook.

I think Keybase is aiming for the average joe, and/or the company that employs hundreds of the average joes.

It would be nice if down the line, they allowed device configurations that relied solely on smartcards if the user opts in, though.

@v01d But why would that mean that it would be impossible to sign new devices with a gpg-key? Other people can still use their paper keys or stuff. I just wanted to use something that is (for me) easy.

I agree with you!

In any case, I'm not sure if only allowing gpg to provision devices solves much, since you're still generating a private key for that device which has equal user authenticity as your pgp key. Maybe it should be possible to perform all device crypto operations with the pgp key, but I think keybase is simply not designed that way.

I don't get why adding a device should rely on access to other devices at all.
If I have the private key(s), that should be all that's needed.
Adding a device and linking it to another (as I understand it) brings no additional security. Furthermore, adding devices like this creates some tree-like dependency structure?
Adding devices based just on the possession of the priv-key and password should be added

If by private key you mean PGP, we don’t use PGP in chat, KBFS or Git.
Those applications are only keyed for your device and paper keys.


I don't get why adding a device should rely on access to other devices at all.

That’s how GPG works.

Adding a new subkey requires a signature from the Certification master key.

The “paper key” idea was added to give the key provisioning structure portability.

However, the idea of “signing new key with existing key to prove validity” is as old as PGP itself. Maybe older.

Keybase uses NaCl for its keys, and the PGP key feature has been relegated to a “proof” similar to Facebook.

Just as keybase doesn't use Facebook as a security measure, Keybase no longer uses PGP as a main security measure, but rather uses your NaCl keys to cross sign your PGP keys and assert "I own these keys, so if you want to use PGP and you trust my keybase keys to be correct (via the social proofs etc) then you have a much higher certainty they are my PGP keys"

It’s confusing, because Keybase used to be a helper for PGP, but now it uses its own keying system, and PGP is a secondary feature set.

But yeah, long story short, if you want to log in to multiple devices without having your existing devices, paper key is the way to go.
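
The "existing key signs the new key" rule described in the comment above, and the office-workstation / paper-key / home-laptop procedure from earlier in the thread, as an added example that is not part of the thread and is not Keybase's own code: a toy Ed25519 device sigchain in Go (the keybase/client language). The first device key self-signs, a paper key added from it is a full chain member that can provision a later device on its own, and a key that was never added to the chain (standing in for a PGP key the user holds elsewhere) is refused no matter who holds it. The link payload format, the `Scenario` helper and all device names are assumptions of this example, not Keybase's real sigchain format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Link is one key added to the chain, signed by a key already in the chain.
type Link struct {
	Name     string
	Key      ed25519.PublicKey
	SignerID string // hex of the endorsing public key
	Sig      []byte
}

// Chain is a toy device sigchain (assumed format, not Keybase's): first key self-signed, later keys endorsed by earlier ones.
type Chain struct{ Links []Link }

func keyID(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

// payload is the exact byte string a signer commits to for one link (assumed layout).
func payload(name string, key ed25519.PublicKey, signerID string) []byte {
	return []byte("add-device|" + name + "|" + keyID(key) + "|by|" + signerID)
}

// NewChain starts a chain with a self-signed first device key.
func NewChain(name string, first ed25519.PrivateKey) *Chain {
	pub := first.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(first, payload(name, pub, keyID(pub)))
	return &Chain{Links: []Link{{name, pub, keyID(pub), sig}}}
}

// keys returns every public key currently in the chain, indexed by ID.
func (c *Chain) keys() map[string]ed25519.PublicKey {
	m := map[string]ed25519.PublicKey{}
	for _, l := range c.Links {
		m[keyID(l.Key)] = l.Key
	}
	return m
}

// AddDevice endorses newKey with signer, which must already be in the chain.
// A key that merely belongs to the same person is refused: account ownership is not chain membership.
func (c *Chain) AddDevice(name string, newKey ed25519.PublicKey, signer ed25519.PrivateKey) error {
	sid := keyID(signer.Public().(ed25519.PublicKey))
	if _, ok := c.keys()[sid]; !ok {
		return fmt.Errorf("signer %s is not an existing device or paper key", sid[:8])
	}
	sig := ed25519.Sign(signer, payload(name, newKey, sid))
	c.Links = append(c.Links, Link{name, newKey, sid, sig})
	return nil
}

// Verify replays the chain from the first link, rejecting any link whose
// signer was not yet in the chain or whose signature does not check.
func (c *Chain) Verify() error {
	if len(c.Links) == 0 {
		return fmt.Errorf("empty chain")
	}
	seen := map[string]ed25519.PublicKey{keyID(c.Links[0].Key): c.Links[0].Key}
	for i, l := range c.Links {
		signer, ok := seen[l.SignerID]
		if !ok || !ed25519.Verify(signer, payload(l.Name, l.Key, l.SignerID), l.Sig) {
			return fmt.Errorf("link %d (%s): unknown signer or bad signature", i, l.Name)
		}
		seen[keyID(l.Key)] = l.Key
	}
	return nil
}

func gen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Scenario replays the thread: the office workstation adds a paper key, the paper key alone
// provisions the home laptop, and a key never added to the chain (the "PGP key") is refused.
func Scenario() (chainErr, outsiderErr error) {
	_, office := gen()
	paperPub, paper := gen()
	laptopPub, _ := gen()
	phonePub, _ := gen()
	_, outsider := gen()
	c := NewChain("office-workstation", office)
	if err := c.AddDevice("paper-key", paperPub, office); err != nil {
		return err, nil
	}
	if err := c.AddDevice("home-laptop", laptopPub, paper); err != nil {
		return err, nil
	}
	return c.Verify(), c.AddDevice("phone", phonePub, outsider)
}

func main() {
	chainErr, outsiderErr := Scenario()
	fmt.Println("chain verifies:", chainErr == nil, "| outsider refused:", outsiderErr != nil)
}
```

The point the example makes concrete: a verifier walking the chain only ever trusts signatures from keys the chain itself introduced, so nothing about holding a separate PGP key, however well it is stored on a smartcard, gives that key the right to append a link. A paper key is just another chain member, which is why generating one while you still have a registered device is what makes later provisioning possible.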

I'm having a similar issue 11619 but the device is the same. Chat isn't working because the app desynced from the login session, and I can't add it because it's not logged in. I have _NOT_ lost access to the device, and it works as expected outside the app, but there is no way to sync the app to where it's logged in.

TLDR: I have the device key, I have the device, but they are not in sync, and that makes the app (and thus chat) not work. Email works fine.
