Tuesday 8 January 2019
Today we proudly announce Fluidkeys 0.3 😄
With Fluidkeys v0.3 you can send passwords, keys, tokens and personal data to team-mates using end-to-end encryption.
If you’re keen to get started, head to download.fluidkeys.com
From listening to engineering teams, we heard a number of different types of sensitive information with similar characteristics:
These are small bits of text, fairly short lived, with a potentially high impact if breached (like a $50,000 Amazon bill)
You’ve got stuff to do, you need to get this thing sent, what are you going to do?
The easy route is to throw it into Slack and hope they aren’t next week’s big data breach.
Maybe you could use a messaging app like WhatsApp or Signal. But that requires you know your team-mate’s number, which isn’t the norm for many teams. And WhatsApp is determined to back itself up to Google Drive, so it’ll probably end up there too.
You could use GPG, but can you remember the command? And do you have the other person’s public key? And are you confident that they’ll copy-paste the funny text correctly on their end?
$ gpg --armor --recipient email@example.com --encrypt -----BEGIN PGP MESSAGE----- hQEMA35uuyjbagYuAQf/eqfq3MCS96ZNNQeI7S3zGs7FiAIiQ7qU5Oa1Dz6/UizC pQnTHjoupyGChXeDz9XDdmWtTuvYArlnjdVJfySHWGDQ66mm/IUie0jsnTOss6P1 ...
You could put it in your shared password manager, but it’s a bit overkill since you only need to send it once, and sometimes you see a delay on shared items showing up.
With Fluidkeys you can send PGP-encrypted secrets directly from the command-line using your team-mate’s email address.
$ fk secret send firstname.lastname@example.org
When you install and set up Fluidkeys, you’re asked for your email address. Once you’ve verified it, others can send you secrets. You don’t need to manually exchange public keys.
Fluidkeys automatically fetches keys based on the verified email address and encrypts the secret to the key.
$ fk secret send email@example.com ▸ Found public key for firstname.lastname@example.org
We use our own server to store public keys and transmit encrypted secrets.
We’ve heard from a number of teams that it’s time consuming to set up new starters with PGP and we’ve worked hard on this.
It takes around 2 minutes for new users to install Fluidkeys, generate a PGP key, verify your email and start sending and receiving encrypted secrets.
Beware that Fluidkeys doesn’t implement its own storage of keys: it stores them in
gpg. If you delete a key from
gpg, there’s no copy in Fluidkeys. We don’t modify the
GNUPGHOME directory: we push and pull straight from your default
This is helpful if you use your keys for anything else like signing commits with
git or encrypted email with Thunderbird.
Those applications will use keys made by Fluidkeys, and Fluidkeys will keep them updated.
In order to be able to rotate your key automatically, Fluidkeys stores the password to your private key in your system keychain. You can see these by searching for “Fluidkeys”.
We chose not to use the public keyserver network until it supports deleting keys and cryptographic validation.
If you do want to upload to the public keyservers, make sure you automate it. Because Fluidkeys automatically rotates your encryption subkey every month, your key will quickly become out of sync with the keyservers. You could add cron task to upload your key regularly:
Edit your crontab by running
crontab -e and add this line:
@daily gpg --keyserver pool.sks-keyservers.net --send-key <email address>
On to business: head on over to download.fluidkeys.com to get started.
$ fk --help Fluidkeys 0.3.0 Configuration file: /home/paul/.config/fluidkeys/config.toml Usage: fk setup fk setup <email> fk secret send <recipient-email-address> fk secret receive fk key create fk key from-gpg fk key list fk key maintain [--dry-run] fk key maintain automatic [--cron-output] fk key upload Options: -h --help Show this screen --dry-run Don't change anything: only output what would happen --cron-output Only print output on errors
Please have a go and let us know how you get on!
We’re excited to hear from you :)
— Paul & Ian