keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Confusion between “keybase passphrase” and “key passphrase” #876

Open rastus-vernon opened 10 years ago

rastus-vernon commented 10 years ago

When a key pair is generated with keybase gen, the following label is shown by the keybase client to prompt for a passphrase: “Your key passphrase (can be the same as your login passphrase)”. Some actions on the website (signing something, decrypting something, exporting the private key, verifying an identity) require the passphrase given at this point.

However, when it is required, it is actually the keybase passphrase that the website asks for, and this can easily be confused with the login passphrase, which may be completely different.

I think it might be better to ask unambiguously for either the “login passphrase” or the “key passphrase” whenever one of them is required.

zQueal commented 10 years ago

It is a little confusing, but you should think of it like this: Whenever you're completing an action on keybase.io that requires the use of your private key, it must first be decrypted (as keybase.io encrypts them), so you need your keybase.io password. Anywhere else, you need your actual key password.

rastus-vernon commented 10 years ago

@Xanza It is actually the key passphrase that is required when the private key must be decrypted, and not the keybase.io passphrase (the login passphrase), although keybase asks for the “keybase passphrase”. This is probably a mistake, but if it is not, it can still cause confusion and mislead users.

Also, when it is necessary to sign or decrypt data, keybase simply asks for the “passphrase”, which is not very clear. I insist that keybase should always ask for either the key passphrase or the login passphrase, because that’ll make things clearer.

danigiri commented 9 years ago

I also got confused about when each passphrase is needed, and it is quite likely that users will get confused. I was about to file an issue but found this one already.

Somehow this needs to be made really clear to users, and perhaps add a tiny (?) "Why is this needed now?" wherever passphrases are requested on the website, which can be clicked to expand for further information.

Apophenia commented 8 years ago

Throwing my vote in here: I agree totally with @rastus-vernon's reasoning; the current language is confusing.

pho3nixf1re commented 8 years ago

I just spent days trying to figure out why my key passphrase wasn't working. I almost took the nuclear option and revoked my main key and just started over when I came across this thread. Turns out it's the account password for keybase! DOH! Yes, the wording absolutely must be clearer here.

malgorithms commented 8 years ago

@Apophenia and @pho3nixf1re - which clients are you 2 using, and where exactly did you encounter the ambiguous wording? Many of the early reports are from the Node client, which we're deprecating. I want to make sure the newer clients are fixed. (in other words, how did you get the clients?)

mscharley commented 8 years ago

Also having this confusion with the current client (v1.0.16 of the go client):

While trying to run:

$ keybase pgp export -s | gpg --import


I've tried my Keybase password and the key's passphrase as I use it with gpg on another computer and it just doesn't work at all.

maxtaco commented 8 years ago

It's definitely the same passphrase you use for login and for unlocking your keybase keys.

It is extremely hard for us to help you debug this since we intentionally don't know anything about your passphrase.

Are you 100% sure you typed it correctly? Does keybase sign -m foo work for you?

maxtaco commented 8 years ago

cc: @patrickxb and @oconnor663

maxtaco commented 8 years ago

Also, what happens when you try keybase unlock?

mscharley commented 8 years ago

Signing asked for my passphrase then worked:

$ keybase sign -m foo
BEGIN KEYBASE SALTPACK SIGNED MESSAGE. kXR7VktZdyH7rvq v5wcIkHbsHUsWOU WvEGCIPaGAGa59o WI3GnGrKv08cP25 QQozjxXuB8txyrF VtzepZqcxPj7tgq RrJ0ldThG2GSRXU i25EdouZ3VBgmrI Sm4fBVJ4YAYCdyP wIyvcBaIRW9TXrl NTCPi44njekY40V HvrKr7P5smojqAZ AnAjA3A4mTUjBcR ghAr8MnAbqCWPW3 QVTHtFeEee6Yx0y EsS898qWjit2VMf joLOA3LW5abWlSQ ILnF5aHy85b9OJP LhzJ1Iw0G2a. END KEYBASE SALTPACK SIGNED MESSAGE.

Unlock returned immediately without doing anything (presumably because I just unlocked it to do the sign request).

After this unlock, keybase pgp export -s seems to be working correctly; however, after keybase ctl restart && keybase pgp export -s it is broken again. Looks like this may be a bug in unlocking in this specific case, along with a confusing message. As a user, when I see 'passphrase' my mind immediately goes to the key's passphrase, especially when I have a mixed GPG/keybase workflow.

incyclum commented 5 years ago

I'd like to report on that confusion. I was confused too.

If you look at my graph, it looks like a mess because of the 6 different keys that I revoked (I thought there was a gpg passphrase bug; I was unable to use my keys), until I understood that the keybase passphrase and the pgp passphrase were different things. I lost too much time on that issue.

EDIT: I nuked my account and started from scratch.

ericslaw commented 5 years ago

Agreed still confusing...

I use my keybase.io account pass*word* to log in to the keybase.io website and to log in to the keybase.app on my desktop. (kudos for showing the test-password dialog upon logout!)

I use my keybase pgp key pass*phrase* to encrypt/decrypt messages.

Having had to reset my key, I was expecting that I would need to re-prove myself via github gist but apparently not?

Yeah the password and passphrase can be the same (isn't that a BAD idea?), but if they are different, it is very hard to tell which one is needed when because the website and apps use the term keybase and passphrase each time. The terms 'key' and 'account' might be the differentiator but I'm not certain.