keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

Keybase keeps sensible info after uninstall #10850

Open metalslug666 opened 6 years ago

metalslug666 commented 6 years ago

I had keybase installed for a while, then I uninstalled it. And when I installed it again I was logged in without having to provide any auth information. I would have expected that all keybase related data would be removed.

my log id: 9f45f257ba26e4cab9428a1c

dabura667 commented 6 years ago

  1. When you log in and create a "new device", keybase creates two major files.
     a. Your device key (this file is encrypted with a key derived from your login password)
     b. Your encryption secret (this is the key used to encrypt your device key)
  2. When you log off, the device key file stays encrypted on your PC, but the encryption secret is securely deleted until you log in again.
  3. If you uninstall Keybase, it doesn't delete those key files. They are left on your PC for you to clean up or delete or do whatever you wish.
  4. When you reinstall Keybase, it will look for those files in their respective areas and if they are there, you don't need a password or anything. (since your password is used to create the encryption secret (it's a one-way process, the secret can not be reversed into your password))

This is not a bug. This is how keybase "device" is designed.

Keybase's design is especially problematic for people who do not realize this and sell a PC without formatting. (though Keybase may be the least of your worries if you do that) Or if they let other people etc. use the same PC with the same OS user account...... or worse even if they log in on a public PC (like a library)...

iirc they are working on settings to delete the encryption secret after a timer (that the user can set) which would get rid of one file... but the device key (encrypted) will still remain. Deleting that file would mean you need to generate a new "device" on your keybase.

metalslug666 commented 6 years ago

I am aware it works this way, thank you for the confirmation though. Usually a program's (sensible) files are deleted completely on uninstall, you have the option to delete or keep the files. This is what I would have expected and it seems fairly simple too.

dabura667 commented 6 years ago

> Usually a program's (sensible) files are deleted completely on uninstall

Actually, this is not true. Uninstalling Word does not delete all your .docx files.

Keybase generates user-data files that are keys. These are not program-data files, they are user-data like if I were to make a word document with Word. With Keybase you make keyfiles. Leaving them after uninstall is sensible...

But I guess it's up to interpretation....... anywho, this is how it works.

metalslug666 commented 6 years ago

Lol ok.

metalslug666 commented 6 years ago

Doc files are the same as keyfiles