PSKeyBase Module

A PowerShell module for automating and enhancing the key-value store feature implemented in Keybase as well as integration of GnuPG.
Introduction
In addition to supporting the key-value store feature, the module supports Keybase file system, encrypted message signing, and console log management.
The PSKeyBase module can be used from a command-line application (KV-Explorer), a Web application (PW-KVExplorer), or by executing module cmdlets directly in a terminal session.
See KV-Explorer, a CLI application, in action.
See PW-KVExplorer, a Web application, in action.
In both of the above apps, hopefully you noticed that both NameSpace and Key were followed by a 12-digit value in parentheses. Keybase treats these two attributes as metadata and they are not encrypted on the Keybase server.
The PSKeyBase module assigns a random 12-digit value to each unique Namespace and Key created, and this 12-digit value is what the Keybase server stores.
Overview of PSKeyBase cmdlets
A cmdlet is simply a function defined in the module that can be executed on the command line, just like any other script, by using its function name.
Any cmdlet starting with Show- is designed for human interaction; all other cmdlets are designed for programmatic interaction.
To get help on any of the cmdlets:
PS> Get-Help Get-PSKEntryValue -full
PS> Get-Help Get-PSKEntryValue -Examples
Key-Value store cmdlets
| Alias | cmdlet | Description |
|---|---|---|
| KV-Explorer | Show-PSKNameSpaceHash | Displays existing namespace/key pairs in a Grid View. Select an entry to perform CRUD operations. |
| | Get-PSKNameSpaces | Returns an object containing the namespaces in use. Not decoded. |
| | Get-PSKentryKeys | Returns an object containing the namespace/key pairs. |
| | Get-PSKEntryValue | Returns an object containing the value of a specified namespace/key pair. |
| | Show-PSKEntryValue | Displays the value of a specified namespace/key pair in a Grid View. |
| | Set-PSKEntryValue | Creates/Updates the value of a specified namespace/key pair. |
| | Remove-PSKentryKey | Deletes key/value pair in a specified namespace. |
| | Set-PKSConfiguration | Create/Update the configuration file. |
Decoding Namespace and Key attributes
Since the Namespace and Key attributes are stored in Keybase as a random 12-digit value, there needs to be a method to convert the 12-digit value to human-readable form.
Two or more files are used to maintain the relationship between each 12-digit value and its attribute.
The file KBnamespace.xml is stored in the /keybase/private/<keybaseID> folder. When the client makes changes, the data is updated locally and synchronized with the above Keybase folder. Synchronization with the Keybase filesystem is the default, but can be overridden by changing the configuration file. See Set-PSKConfiguration.
For teams, the file KBnamespace-teamname.xml is stored in the /keybase/team/<teamname> folder.
A local copy of these files is stored in the module root path as well.
If you are using multiple KeyBase clients on different workstations, the data presented will be the same because the clients populate the hashtable from files that are maintained in the KeyBase filesystem.
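The mapping described above, sketched as an added example (not PSKeyBase's own code). The function names, the 12-character hex ID format (modelled on the sample output on this page) and the use of Export-Clixml as the file format are assumptions.

```powershell
# Added example: hypothetical helpers, not PSKeyBase's implementation.
function New-OpaqueId {
    # 6 random bytes from the OS CSPRNG -> 12 hex characters
    $bytes = [byte[]]::new(6)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

function Get-OpaqueId {
    param([hashtable]$Map, [string]$Name)
    # Reuse the existing ID so a name always maps to the same stored value
    foreach ($id in $Map.Keys) { if ($Map[$id] -eq $Name) { return $id } }
    do { $id = New-OpaqueId } while ($Map.ContainsKey($id))
    $Map[$id] = $Name
    $id
}

function Resolve-OpaqueId {
    param([hashtable]$Map, [string]$Id)
    # Without the mapping file a client can only show the opaque ID
    if ($Map.ContainsKey($Id)) { '{0} ({1})' -f $Map[$Id], $Id } else { "<unknown> ($Id)" }
}

# Constructed demo: build a map, persist it, reload it as a second client would
$mapFile = Join-Path ([System.IO.Path]::GetTempPath()) 'KBnamespace-demo.xml'
$map = @{}
$nsId  = Get-OpaqueId -Map $map -Name 'Web'
$keyId = Get-OpaqueId -Map $map -Name 'Pode9001'
$map | Export-Clixml -LiteralPath $mapFile

$reloaded = Import-Clixml -LiteralPath $mapFile
Resolve-OpaqueId -Map $reloaded -Id $nsId      # decoded name plus ID
Resolve-OpaqueId -Map $reloaded -Id $keyId
Resolve-OpaqueId -Map @{} -Id $nsId            # client without the mapping file
Remove-Item -LiteralPath $mapFile
```

The server only ever sees the opaque IDs, so the mapping file is the one place where namespace and key names are readable and it needs the same protection as the values themselves.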
FileSystem cmdlets
| Alias | cmdlet | Description |
|---|---|---|
| KB-Explorer | Show-PKSFileSystem | Displays folders and files in a Grid View |
| | Get-PSKCapacity | Returns available capacity in the Keybase filesystem |
| | Show-PKSCapacity | Outputs KeyBase filesystem capacity metrics |
| | Get-PSKFileSystem | Returns an object containing folders and files |
Console Log History cmdlets
The PSReadline module is by default installed with PowerShell and logs all command execution in a log history file. If you are entering sensitive information into a terminal session in clear text, this information is being recorded.
| Alias | cmdlet | Description |
|---|---|---|
| KB-Bye | Clear-PSKConsole | Removes the PSReadline console log and exits the session |
| KB-Console | Get-PSKConsole | Returns or displays current console log records |
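An added example (not part of PSKeyBase) that audits a PSReadLine history file for commands that look like they carried a secret, then installs a handler that keeps such commands out of the history in an interactive session. The regular expressions, the function name and the sample commands are illustrative assumptions.

```powershell
# Added example, not PSKeyBase code. The regexes are illustrative; tune them.
$SensitivePattern = @(
    '(?i)-(password|passphrase|token|secret|apikey)\s+\S+',
    '(?i)ConvertTo-SecureString\s+.*-AsPlainText',
    '(?i)\b(pwd|password)\s*=\s*\S+'
)

function Find-SensitiveHistory {
    param(
        [string]$Path = (Get-PSReadLineOption).HistorySavePath,
        [string[]]$Pattern = $SensitivePattern
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Select-String -LiteralPath $Path -Pattern $Pattern |
        Select-Object LineNumber,
            @{ Name = 'Rule';    Expression = { $_.Pattern } },
            @{ Name = 'Command'; Expression = { $_.Line.Trim() } }
}

# Constructed sample history file (not real data; Connect-Thing is made up)
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'history-sample.txt'
@(
    'Get-ChildItem',
    'Connect-Thing -User admin -Password Hunter2Example',
    '$s = ConvertTo-SecureString "example" -AsPlainText -Force',
    'Get-Help Get-PSKEntryValue -Examples'
) | Set-Content -LiteralPath $sample

Find-SensitiveHistory -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample

# Prevention: returning $false keeps the command out of the history file.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)
    foreach ($p in $SensitivePattern) { if ($line -match $p) { return $false } }
    return $true
}
```

Calling `Find-SensitiveHistory` with no arguments scans the current user's real history file; `Set-PSReadLineOption -HistorySaveStyle SaveNothing` disables history persistence altogether.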
Message encryption and signing cmdlets
| Alias | cmdlet | Description |
|---|---|---|
| KV-Encode | Set-PSKSignedValue | Encrypts and signs a KV store value |
| KV-Decode | Show-PSKSignedValue | Decrypts and verifies the signature of a KV store value |
| KB-Encode | Set-PSKEncodeMessage | Encrypts and signs a message string or file |
| KB-Decode | Show-PSKEncodeMessage | Decrypts and verifies the signature of a message or file |
Validating a login use case
Logging in to a Web Server requires the following steps.
KV-Encode -entryKey Pode9001 -namespace Web -Team ShareTeam
After KV-Encode completes, the clipboard contains the encrypted KV store value and the signature of the Keybase account that acquired the KV store value.
In the Web Server's login user name field, the Keybase account name is entered, and in the password field the user presses Ctrl-V to paste the contents of the clipboard into the field.
The Web Server then:
Verifies that the contents of the password field were signed by the Keybase account and that the password is correct.
On successful validation, the Web Server then sets a new password for the KV store entry.
For testing purposes, KV-Decode is executed to decrypt and display the value in the clipboard.
KV-Decode
Decrypted Value is: cV}9ZD07z2FuvY&:;CmgX\36).A!8?n4kKf+15yM Verified: Authored by cadayton (you)
Other cmdlets
| cmdlet | Description |
|---|---|
| Add-PSKEncryption | Encrypts a specified file or all files in a specified directory using GnuPG |
| Remove-PSKEncryption | Decrypts a specified file or all files in a specified directory using GnuPG |
| Set-PSKPassPhrase | Returns a 20 character random token value |
| Test-PSKPrivilege | Returns true if the current process is running with elevated privilege |
| Install-PSKGnuPg | Installs the GNU Privacy Guard application for Windows or Linux |
Add-PSKEncryption
PS> Add-PSKEncryption -FolderPath test.log
Output:
NameSpace Team entryKey Revison
-------- ---- -------- -------
TOOLAH-File (749e6f001f41) dayton,dayton test.log (68a941536733) 1
Encrypt a file within the current working directory and store the decryption token in the KeyBase KV store.
After the file is successfully encrypted, the unencrypted version is removed.
A random decryption token is generated. (Default 20 characters)
The KV store namespace value will be <hostname>-File and the key will be test.log, as shown in the command output. If the contents of a directory are encrypted, the namespace value will be <hostname-folder> and the Key will be the directory path.
As of version 1.0.8, the -NoKB option bypasses the need for the Keybase client and optionally prompts for a manual passphrase input.
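The encrypt-then-remove sequence described above, as an added example that is not PSKeyBase's own code. The function names and the alphabet are hypothetical, and the example assumes PowerShell 7+, `gpg` on the PATH, and symmetric (passphrase) encryption.

```powershell
# Added example; hypothetical helpers, not PSKeyBase cmdlets.
function New-RandomToken {
    param([int]$Length = 20)
    # Illustrative alphabet (assumption); ambiguous characters left out
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+:=?@'
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # GetInt32 is uniform over [0, upper), so there is no modulo bias
        $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)]
    }
    -join $chars
}

function Protect-FileWithToken {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Token
    )
    $out = "$Path.gpg"
    # The passphrase travels over stdin (fd 0), never on the command line,
    # so it does not appear in process listings or console history.
    $Token | & gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 `
        --symmetric --cipher-algo AES256 --output $out $Path
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $out)) {
        throw "gpg failed (exit $LASTEXITCODE); plaintext left in place: $Path"
    }
    # Remove the plaintext only after the ciphertext is confirmed on disk
    Remove-Item -LiteralPath $Path
    $out
}

# Usage sketch: store the token in the KV store BEFORE deleting the plaintext,
# otherwise a failed store leaves an undecryptable file.
# $token = New-RandomToken
# Protect-FileWithToken -Path .\test.log -Token $token
```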
Remove-PSKEncryption
PS> Remove-PSKEncryption -FolderPath test.log.gpg
Output:
Decrypting C:\myfolder\test.log.gpg to C:\myfolder\test.log (Y or N) : Y
KV test.log (b388d70f1c63) removed in NameSpace: TOOLAH-File (6ed05cb2d822)
Prompts for confirmation to decrypt the file and then retrieves the decryption token from the Keybase KV store unless the -NoKB option is set.
Using the -NoKB option requires manual input of the decryption token.
The encrypted file, test.log.gpg is removed.
If the option, -Keep was used above then the encrypted file will not be removed.
Installation and Setup
Expand the links below to see a list of dependencies and how to download and install them.
Download and Install PowerShell Core
Download and Install Keybase client
KeyBase uses public key cryptography to protect your chats, files, git repositories, and key-value store from prying eyes.
Download and Install PSKeyBase module
The default module path on Linux is $HOME/.local/share/powershell/Modules.
Execute this command to list the currently defined module paths:
PS> $env:PSModulePath
Unzip the contents of the downloaded zip file
Create a sub-directory named PSKeyBase in the default module path directory.
Copy the unzipped content to the PSKeyBase directory path just created.
Execute the command below in a new Terminal session to validate that the PSKeyBase module is functional.
PS> Get-Command -module PSKeyBase
It should produce output similar to the following.
CommandType Name Version Source
---------- ---- ------- ------
Function Clear-PSKConsole 1.0.8 PSKeyBase
Function Get-PSKCapacity 1.0.8 PSKeyBase
Function Get-PSKConsole 1.0.8 PSKeyBase
Function Get-PSKentryKeys 1.0.8 PSKeyBase
Function Get-PSKEntryValue 1.0.8 PSKeyBase
Function Get-PSKFileSystem 1.0.8 PSKeyBase
Function Get-PSKNameSpaces 1.0.8 PSKeyBase
Function Install-PSKGnuPg 1.0.8 PSKeyBase
Function Remove-PSKEncryption 1.0.8 PSKeyBase
Function Remove-PSKentryKey 1.0.8 PSKeyBase
The final step is to create the configuration file for your environment by executing the cmdlet.
Set-PKSConfiguration
This command will update the file, PSKeyBase-cfg.xml located in the module root folder.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PSKeyBase>
<Debug>0</Debug>
<KEYBASE_BIN>/usr/bin/keybase</KEYBASE_BIN> <!-- binary path to keybase client -->
<KEYBASE_NS>default namespace value</KEYBASE_NS> <!-- Default namespace to use -->
<KEYBASE_TM>yourhandle,yourhandle</KEYBASE_TM> <!-- Your private team value -->
<KEYBASE_FP>$HOME/.local/share/powershell/Modules/PSKeyBase</KEYBASE_FP>
<KEYBASE_SYN>sync</KEYBASE_SYN>
</PSKeyBase>
| Version | Date | Whom | Notes |
|---|---|---|---|
| 1.0.8 | 2025-02-17 | cadayton | Add-PSKEncryption -NoKB option no KeyBase client needed. Prompt to set passphrase |
| 1.0.7 | 2023-02-07 | cadayton | -keep option on Remove-PSKEncryption will suppress confirmation prompt |
| 1.0.6 | 2022-05-11 | cadayton | Added Web interface using Pode.Web for KV-Explorer feature |