TL;DR: We don't recommend storing any secret keys other than Keybase-generated ones in the Keybase local keychain.
Keybase.io is a service that, according to their website, "maps your identity to your public keys, and vice versa." It also offers other optional features, such as an encrypted filesystem and synchronized key management. Key management is what we would like to discuss in this article.
Keybase.io features Local Key Security (LKS), described as follows:
Whenever a user stores a secret key on a device, it would be nice if she could encrypt that key with her passphrase, and if she changed her passphrase on any one of her machines, it would be reflected on the others.
We've developed a simple server-aided protocol to do so, in which a server-side mask is updated during a password change, so that encrypted device keys on offline clients will be decryptable with the new password. The server supplies this mask during decryption, but device keys are never exposed to the server, even in encrypted form.
One vulnerability of the password change scheme is that it's possible to decrypt secret keys using an old password. If a user's password was compromised, and an attacker was also able to obtain the user's server-side mask, then that attacker would be able to decrypt the user's local keys even after the user did a password change.
The text above is quoted from https://keybase.io/docs/crypto/local-key-security.
To be able to really decrypt a user's local keychain you would need to have:
Say you have followed these steps:
The mitigation below is not implemented yet:
To prevent this, when decrypting keys, a device should notice that the current passphrase is newer than the one its keys were originally encrypted with. In that case it should generate an entirely new encryption key
As explained in the last section of https://keybase.io/docs/crypto/local-key-security.
Changing the password doesn't help.
The local keychain is only as secure as the weakest password you have ever used to protect it.
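A simplified model of the server-aided scheme quoted above and of the mitigation quoted from the docs, added here as an illustration and not Keybase's own code. The scrypt parameters, the XOR combination of the passphrase-derived half with the server mask, and the XOR stand-in for the real authenticated encryption are assumptions made for this example.

```python
import hashlib
import os

# Constructed salt; a real deployment would use a per-user value.
SALT = b"constructed-salt"


def client_half(passphrase: str) -> bytes:
    """Passphrase-derived half of the LKS key (never leaves the client)."""
    return hashlib.scrypt(passphrase.encode(), salt=SALT, n=2**12, r=8, p=1, dklen=32)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lks_key(passphrase: str, server_mask: bytes) -> bytes:
    """Full key: client half combined with the mask the server supplies."""
    return xor(client_half(passphrase), server_mask)


def change_password_mask_only(old_pw: str, new_pw: str, old_mask: bytes) -> bytes:
    """The scheme the docs describe: only the server mask is updated, chosen so
    the full key stays the same and offline clients can still decrypt."""
    return xor(old_mask, xor(client_half(old_pw), client_half(new_pw)))


def change_password_rekey(device_key: bytes, new_pw: str):
    """The quoted (unimplemented) mitigation: a fresh mask, hence an entirely
    new key, and the device key re-encrypted under it."""
    new_mask = os.urandom(32)
    return new_mask, xor(device_key, lks_key(new_pw, new_mask))


def demo():
    device_key = os.urandom(32)  # the secret key stored on the device
    mask_v1 = os.urandom(32)
    blob = xor(device_key, lks_key("old-passphrase", mask_v1))  # stored encrypted

    # Password change as described: new mask, same full key.
    mask_v2 = change_password_mask_only("old-passphrase", "new-passphrase", mask_v1)
    new_pw_works = xor(blob, lks_key("new-passphrase", mask_v2)) == device_key
    # The weakness: the old passphrase plus the old mask yield the same key.
    old_creds_work = xor(blob, lks_key("old-passphrase", mask_v1)) == device_key

    # With re-encryption under a fresh key the old pair is useless.
    mask_v3, blob2 = change_password_rekey(device_key, "new-passphrase")
    old_creds_after_rekey = xor(blob2, lks_key("old-passphrase", mask_v1)) == device_key
    return new_pw_works, old_creds_work, old_creds_after_rekey
```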
If you only want to publish your PGP public key, skip the import into the keychain:
keybase pgp select --no-import
This only creates a proof that you own the key and sends that proof to the server.
For the paranoid: The keychain is stored in a file `secretkeys.<your-keybase-nick>.mpack` somewhere in your Keybase installation path. It should remain untouched after uploading the public key with the `--no-import` flag; you can verify this by comparing the file's hash or modification time before and after running the command.