The tool for this that everyone I know uses is Magic Wormhole. Wormhole has a more straightforward security model and is more thoughtfully designed: it uses a PAKE and relies on out-of-band secret sharing, rather than attempting a registry of "verified" public keys.<p>You should probably just use Wormhole.<p><pre><code> pip install magic-wormhole</code></pre>
I made something similar, but the payload gets encrypted with the users ssh rsa key instead of pgp (that not many use):<p><pre><code> ./sshencdec.sh -p <(curl -sf "https://github.com/S2-.keys" | \
grep ssh-rsa | tail -n1) < plain-text-file.txt
</code></pre>
It's just a simple bash script really, but it works, and almost everyone has a github account and an ssh key set up, so it works out of the box with most developers.<p><a href="https://github.com/S2-/sshencdec" rel="nofollow">https://github.com/S2-/sshencdec</a>
To be honest this just seems like an insecure version of Keybase.<p>The key thing with Keybase is that it cryptographically verifies your public keys against public statements published to accounts people know you by - eg your Twitter, Facebook, etc.<p>The difficult bit isn't encrypting and sending. The difficult bit is the original key exchange. Keybase has dealt with this without you having to trust Keybase itself.
> Fluidkeys automatically fetches keys based on the verified email address and encrypts the secret to the key.<p>Fetches from where? Public key servers?<p>Anybody can upload a key for you@your-company.com to a public key server.
Nice to see more solutions like these pop up.<p>Another great one is Magic Wormhole, which uses a parallel human-to-human channel to negotiate a secure machine-to-machine exchange:<p><a href="https://github.com/warner/magic-wormhole" rel="nofollow">https://github.com/warner/magic-wormhole</a>
I can see the attraction of the automation. We happen to use a simple script that builds a self-extracting shell script. Like (passphrase is 123):<p><pre><code> #!/bin/sh
gpg -d <<EOF
-----BEGIN PGP MESSAGE-----
jA0ECQMCnEJkjjuJ64/j0kYB4JiTGPazY81ZOn3Ph+zRRnXdtuqB3POPizEykpiZ
CT8p5SiJfXQagTLUCDpR3VCicPw4QirQoOhkLqmzRXS4EBPjkTla
=+soW
-----END PGP MESSAGE-----
EOF
</code></pre>
Then the receiver doesn't have to remember any commands.
Nicely done. One nitpick would be that initial peer key discovery looks a bit iffy. Do I understand correctly that fk fetches it from a key registry that is hosted by you?<p>Is a self-hosted version of the same possible?<p>Additionally, there should probably be<p>a) Some sort of "paranoid" mode whereby it would show me peer's key (in some form) so that I could, if really wanted, manually verify it.<p>b) An option to cache peer keys locally. I assume this is done already and that the local cache lookup is given a priority over the registry search. Correct?
Do the messages automatically get wiped?
Typically you don't want to keep the keys in your message boxes in case they get hacked in the future.<p>For this reason I use something like read then burn[1,2] for passwords.<p>[1] <a href="https://readthenburn.fnkr.net/" rel="nofollow">https://readthenburn.fnkr.net/</a>
[2] <a href="https://github.com/Tethik/burn-after-reading" rel="nofollow">https://github.com/Tethik/burn-after-reading</a>
Setup is nice ... just sent a message to the Squirrel. ;-)<p>Don't have much time now but just wanted to give this a quick +1, worth checking out.
Or use Piknik: <a href="https://github.com/jedisct1/piknik" rel="nofollow">https://github.com/jedisct1/piknik</a>