Keybase in CI: Secure software delivery without breaking your bank

GS
Your Everyday Generalist
4 min read · Jan 17, 2023

I’ve been impressed by Keybase’s usability and security features as a hobby user. I have mostly used it for online identity verification and for secure messaging and file sharing with friends and family. However, I have frequently wondered why it isn’t considered more often for other use cases, such as the CI/CD pipeline.

Signing software in CI/CD

Signing software artifacts at build time can greatly enhance the overall security posture of an organization. Here’s how:

  1. By signing an artifact at build time, we can ensure that the artifact has not been tampered with or altered in any way after it was built. This helps to ensure the integrity and authenticity of the artifact, and can be used to detect and prevent malicious attacks such as supply chain attacks.
  2. Signing the artifact at build time also provides a way to trace the origin of the artifact. This can be useful for troubleshooting and investigations in case of security incidents.
  3. In addition, signing the artifacts at build time can help to identify the individual or organization who created the artifact, which can be useful for compliance and regulatory purposes.
  4. By signing and verifying the artifacts at the time of delivery, we can ensure that only authorized parties have access to the artifact and it has not been tampered with during delivery.

Overall, signing software artifacts at build time is a best practice for enhancing an organization’s security posture: it helps to prevent and detect malicious attacks and supports compliance and regulatory requirements.

In this article, we will be discussing the steps to create a signing key and paperkey to use in your CI/CD pipeline with Keybase. Keybase is a powerful tool that can be used to sign and verify software artifacts in a cost-efficient and secure way, making it a great solution for smaller to medium-scale companies. So, let’s get started!

  1. Download and install Keybase from the official website.
  2. Generate a new paperkey to use for logging in to Keybase from CI/CD.
  3. Generate a new PGP key to digitally sign the software artifacts in CI/CD.
  4. Use a GitHub Actions template to sign and verify an artifact and upload it to S3.

Note that the sign command uses the `-d` (detached) option so that the signature is written to a separate file rather than appended to the original source file. If your use case can tolerate the signature being appended to the source file, consider dropping the detached option.
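The workflow below is an added example covering steps 2 to 4 together; it is not the author’s own template (which is not reproduced on this page). It assumes the paperkey was generated locally with `keybase paperkey` and stored as the repository secret `KEYBASE_PAPERKEY`, that the signing PGP key was generated with `keybase pgp gen` on the Keybase account named in `KEYBASE_USERNAME`, and that AWS access is set up through OIDC with the role in `AWS_ROLE_ARN`. The account name, artifact path and bucket name are placeholders.

```yaml
name: sign-and-publish

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write                 # OIDC federation to AWS (assumed setup)

env:
  KEYBASE_USERNAME: signer-bot    # placeholder: account that owns the signing PGP key
  ARTIFACT: dist/app.tar.gz       # placeholder build output
  BUCKET: example-artifact-bucket # placeholder S3 bucket

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the artifact (placeholder build step)
        run: |
          mkdir -p dist
          tar --exclude=./dist --exclude=./.git -czf "$ARTIFACT" .

      - name: Install Keybase and start the service headless
        run: |
          curl -fsSLO https://prerelease.keybase.io/keybase_amd64.deb
          sudo apt-get install -y ./keybase_amd64.deb
          nohup keybase service >/dev/null 2>&1 &
          for _ in $(seq 1 30); do keybase status >/dev/null 2>&1 && break; sleep 1; done

      # keybase oneshot reads KEYBASE_USERNAME and KEYBASE_PAPERKEY from the
      # environment and creates a temporary device that is never written to disk.
      - name: Log in with the CI paperkey
        env:
          KEYBASE_PAPERKEY: ${{ secrets.KEYBASE_PAPERKEY }}
        run: keybase oneshot

      # -d keeps the signature in a separate .sig file; the artifact itself is unchanged.
      - name: Produce a detached PGP signature
        run: keybase pgp sign -d -i "$ARTIFACT" -o "$ARTIFACT.sig"

      # Fail the build before anything is uploaded if the signature does not verify
      # against the expected Keybase identity.
      - name: Verify the signature before publishing
        run: keybase pgp verify -d "$ARTIFACT.sig" -i "$ARTIFACT" --signed-by "$KEYBASE_USERNAME"

      - name: Drop the oneshot session as soon as signing is done
        if: always()
        run: keybase logout || true

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1

      - name: Upload artifact and signature to S3
        run: |
          aws s3 cp "$ARTIFACT" "s3://$BUCKET/$GITHUB_REF_NAME/"
          aws s3 cp "$ARTIFACT.sig" "s3://$BUCKET/$GITHUB_REF_NAME/"

  verify-on-delivery:
    needs: sign
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1

      - name: Download what was published
        run: aws s3 cp --recursive "s3://$BUCKET/$GITHUB_REF_NAME/" .

      # The consumer side needs no Keybase login: it pulls the signer's public key
      # from the Keybase profile and checks the detached signature with plain gpg.
      - name: Verify with the signer's public key from keybase.io
        run: |
          curl -fsSL "https://keybase.io/$KEYBASE_USERNAME/pgp_keys.asc" | gpg --import
          gpg --verify app.tar.gz.sig app.tar.gz
```

The second job is where the delivery-time check from point 4 above happens: the consumer never holds the paperkey, only the public half of the signing key, fetched from the signer’s Keybase profile. If that key is revoked in Keybase it is no longer served from `pgp_keys.asc`, so the job fails and deployment stops, which is the revocation behaviour the Highlights section describes. Note that `gpg --verify` exits 0 for any valid signature from an imported key and only warns that the key is not certified; a stricter consumer should additionally compare the fingerprint it sees against the one it expects for the signing account.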

Keybase’s KVStore (250GB free)

The Keybase KVStore is a powerful yet underutilized tool for storing small blobs of sensitive data such as configuration settings and API credentials. It is easy to use and provides a secure, cost-efficient solution for data of that size. The service’s API abstractions are well designed, and it supports multi-tenancy through namespaces, making it easy to organize and manage sensitive data.

Let’s look at the example below, which creates, retrieves and deletes a KV secret using the Keybase CLI in a test namespace, ns1.
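The following is an added example, not the author’s original CLI session: it runs the create, retrieve and delete calls in namespace ns1 from a GitHub Actions job, so the KVStore can be used the same way the signing workflow uses Keybase. It assumes the same `KEYBASE_PAPERKEY` secret and placeholder account as above, and it omits the `team` field in every request, which targets the user’s own implicit team rather than a named Keybase team; the entry key and value are constructed for the example.

```yaml
name: kvstore-demo

on: workflow_dispatch

env:
  KEYBASE_USERNAME: signer-bot   # placeholder account; no "team" in the requests
  KV_NAMESPACE: ns1
  KV_KEY: api_token              # constructed entry key for the example

jobs:
  kv-roundtrip:
    runs-on: ubuntu-latest
    steps:
      - name: Install Keybase, start the service and log in with the paperkey
        env:
          KEYBASE_PAPERKEY: ${{ secrets.KEYBASE_PAPERKEY }}
        run: |
          curl -fsSLO https://prerelease.keybase.io/keybase_amd64.deb
          sudo apt-get install -y ./keybase_amd64.deb
          nohup keybase service >/dev/null 2>&1 &
          for _ in $(seq 1 30); do keybase status >/dev/null 2>&1 && break; sleep 1; done
          keybase oneshot

      # Every call is one JSON document passed to `keybase kvstore api -m`;
      # jq builds it so the secret value never goes through shell quoting.
      - name: Create (put) the entry; a new key comes back with revision 1
        run: |
          req=$(jq -cn --arg ns "$KV_NAMESPACE" --arg k "$KV_KEY" --arg v "constructed-token-value" \
            '{method:"put", params:{options:{namespace:$ns, entryKey:$k, entryValue:$v}}}')
          keybase kvstore api -m "$req" | jq '.result.revision'

      - name: Retrieve (get) the entry and hand it to later steps without echoing it
        run: |
          req=$(jq -cn --arg ns "$KV_NAMESPACE" --arg k "$KV_KEY" \
            '{method:"get", params:{options:{namespace:$ns, entryKey:$k}}}')
          value=$(keybase kvstore api -m "$req" | jq -r '.result.entryValue')
          echo "::add-mask::$value"             # redact the secret from the job log
          echo "API_TOKEN=$value" >> "$GITHUB_ENV"

      - name: Use the secret in a later step
        run: test -n "$API_TOKEN" && echo "token is present (masked in log)"

      # del bumps the revision and leaves a null entry behind, which is why list
      # stops showing the namespace once every entry in it has been deleted.
      - name: Delete (del) the entry, then list what remains in the namespace
        if: always()
        run: |
          req=$(jq -cn --arg ns "$KV_NAMESPACE" --arg k "$KV_KEY" \
            '{method:"del", params:{options:{namespace:$ns, entryKey:$k}}}')
          keybase kvstore api -m "$req" | jq '.result.revision'
          keybase kvstore api -m "$(jq -cn --arg ns "$KV_NAMESPACE" '{method:"list", params:{options:{namespace:$ns}}}')"
          keybase logout || true
```

The `::add-mask::` line matters for the audit-ability shortcoming discussed later: the KVStore itself records nothing about who read a value, so the job log is the only trace, and it should not contain the secret. Passing `revision` in a `put` request (not shown) turns the write into a compare-and-set against the revision returned by the last `get`, which prevents two jobs from silently overwriting each other’s update.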

The Keybase KV store offers a unique versioning system for KV entries. All operations are incrementally versioned, and the KVStore does not display namespaces whose KV entries are null, since null entries are deleted entries. The team name attribute is noteworthy, as it allows for the creation of multiple teams and the invitation of users to those teams. In the example provided, the KV entries were created on the root user, but it is also possible to create them within Keybase teams.

Shortcomings

  • The integration relies on basic authentication and lacks access controls, which could pose a security risk if the paperkey is exposed.
  • Keybase does not currently support dynamic credentials, and PGP keys must be registered for use beforehand.
  • There is no option to specify time-to-live (TTL) values when creating PGP keys.
  • While the Keybase APIs for the KV store are useful, a CLI wrapper with commands such as keybase kvstore get <kv_entry> <namespace> would be a much smoother experience for users.
  • There is a lack of documentation on API rate limits, making it unclear if the solution will scale as the business grows.
  • There is a lack of audit-ability with the Keybase KV store, as there is no way to track when and who accessed or modified the secrets.

Highlights

  • Simple to integrate and keeps data secure within the Keybase ecosystem.
  • PGP key revocation is very simple which allows for flexibility to break the verification pipeline as soon as it is known that the key is compromised.
  • Multi-tenancy via namespaces enables secret management for multiple teams within an organization.
  • It’s easy to migrate from Keybase to production-grade tools like HashiCorp Vault, which also support namespaces on enterprise offerings.
  • Even if a key is compromised, the compromise has to happen from within the Keybase ecosystem; downstream services can then be patched to stop honoring the public portion of the PGP key, which blocks software deployment.

Should you use it?

Keybase offers a cost-efficient and secure solution for small to medium-scale companies in CI/CD pipelines. If you are just getting started and are not sure about your needs, Keybase can handle the heavy lifting for your organization. However, it does lack certain features like access controls, dynamic credentials, and audit-ability. Organizations in need of higher security and access control may want to consider alternative solutions in the long term.

Thanks for reading! If you found this article helpful, please consider buying me a coffee to support my work. Thanks again!

Senior Software Engineer - HashiCorp, Anime lover, OSS contributor, Go enthusiast, Sporadic writer!