Using OnlyKey with Keybase

I managed to get OnlyKey working with Keybase but only partially, in the sense that it seems you can’t use hardware keys directly for offline signing. I assume this issue #1946 was never picked up @t11 ?

Therefore the best solution I have managed is locally generating and loading a GPG key, loading the pub key to Keybase and then signing device keys with the OnlyKey. Therefore one can use the Keybase app and functionality (things like chats and teams) with the trade off of having to use device keys (albeit signed from OnlyKey), but can use WebCrypt for direct operations encrypt/decrypt/verify knowing this is more secure using offline keys (the master PGP key).

If this is useful to anyone, I will write up the steps.

– bvs

@bettyvschmartz When you say only partially working what issue are you having?

I mean, specifically, the way Keybase works you can’t use your OnlyKey with Keybase CLI or the app. Even if you upload your pub key from your OnlyKey on the Keybase website. Whenever you install the app on a device you’re required to create a local device key. This key can be signed by your OnlyKey as the master key, but then the private key of this new key pair is stored locally.

To do get that to work I had to tell Keybase about the GPG keyring stored in ~/.gnupg/onlykey in its json.config file.

While it successfully allows me to sign the local device key with the OnlyKey it defeats the point of wanting to use an offline hardware key with Keybase.

It’s not an OnlyKey issue but a Keybase design issue. AFAICT from the Github issue I linked to, it’s intended design in order to be provide good UX.

Using a hardware key; I expect it to live solely on the hardware device and never leave it. Any apps should interact directly with the device for offline signing. The fact Keybase creates device keys, stored locally, negates that aim. To be clear, it’s not that Keybase can’t interoperable with local GPG and therefore the OnlyKey, it’s that they don’t support this set up. You must create device keys for each device rather than use your OnlyKey priv key across devices.

So by using the Keybase app for chats and other functions, I assume I’m using the device key where I want to use the OnlyKey.

Maybe there is another way.

– bvs

Right, in order to use Keybase to send receive messages through the site this uses your Keybase public key i.e. here Keybase

However, to use the Keybase apps and other services this uses keybase device keys. So yes you can use Keybase with OnlyKey to send receive messages with hardware storage of private keys. This is useful if say you are a journalist and you want to send/receive PGP messages. You cannot use keybase apps with hardware security key though. It certainly would be possible for Keybase to allow this though or to do a Keybase app fork where this feature is supported.

1 Like

Yes, exactly. I have a working set up at least. It’s a shame the apps use the device key as discussed in the Github thread I posted. I’m guessing anything in the app/GUI is using the device key (teams/chats)?

Yes this works using Keybase CLI actually, as I’ve told it to use local GPG. On the website though it obviously doesn’t work as Keybase don’t have the priv key and I see this note:


Things like keybase pgp decrypt and keybase pgp encrypt all work fine from CLI.

It may be useful to update docs with information on how to use your own generated key with Keybase. From what I can see the docs focus on letting Keybase generate a priv key, rather than creating with GPG locally and uploading only the pub key. Will happily write something up if it helps.

– bvs