maxtaco
commented
10 years ago It's a good point. The current system: (1) removes openPGP S2K decryption by decrypting with your private key and your previous password; it then (2) applies TripleSec encryption in P3SKB format, encrypting with bytes from your stretched keybase passphrase that aren't shared with the server. This setting enables browser crypto for those who want it, without letting the server decrypt your private key.
I see your point, this isn't the best system for dumb secret key syncing across devices, for those who don't want to use browser crypto. If it doesn't make the U/I horrible, I wonder if we can add the feature to maintain the original S2K encryption with your previous password, and add P3SKB on top of it.
BTW, the OpenPGP standard is weak for two reasons: first, it uses a weak key-stretcher; and second, it doesn't use authenticated encryption, so it's open to malleability and chosen ciphertext attacks.
hunger
I wanted to use the private key sync feature and thus started the private key upload process. I got to the point where I pasted my key into a textbox and was then informed that I needed to provide my current passphrase as well as the keybase passphrase. Could you please provide some information about what happens there?
I do assume that you want to change the passphrase to the keybase one? That would make a sense for the website-based encryption functionality. But at this time I am only interested in the private key synchronisation and I do not see why my current passphrase is necessary for that.
Could you please allow uploading of keys with a passphrase set and have those synced between a users' machines?
I do appreciate your service, but so far I do not trust you enough to hand over my private key in the clear to a software infrastructure solely in your hands!