KeySync: Syncing Trusted Identities

Privacy and security software like OTR encryption for chat and GnuPG for email and files all create digital identities that we can mark as trusted through a verification process. When using this software, each app needs completely new security identities that are separate from any existing identities used by the other apps. Then again, mobile software needs its own versions of these identity files. When setting up ChatSecure on a mobile device, all of the trust information from existing chat apps like Adium or Pidgin also needs to be converted and transferred so that ChatSecure has the same trusted identities. Or when switching from Pidgin to Jitsi for instant messaging, the trust information needs to be converted and synced so that it is not lost.

This is where KeySync comes in. KeySync reads and writes many different formats of OTR chat apps and converts between them. It also makes it easy to sync the trust information to your Android device for use with ChatSecure. There is also some exploratory support for syncing identities between OTR and OpenPGP via GnuPG support in KeySync.

How To Sync To ChatSecure

To sync between ChatSecure and your desktop apps, first plug in your phone or device via USB. Start KeySync and it should automatically detect your device. If KeySync cannot find your device, it will save the otr_keystore.ofcaes file so that you can manually copy it over to your device’s SD Card, where ChatSecure looks for it. Once the file is in place on your device, start ChatSecure. In ChatSecure, go to Accounts, then select Activate KeySync from the menu. This will guide you to scan the QRCode that KeySync shows you in order to complete the sync.

The otr_keystore.ofcaes file is encrypted to prevent your private information from leaking out. That QRCode is the password to your keystore, so do not share it with anyone. Also, the otr_keystore.ofcaes file is only intended for use in this sync procedure. Do not email it or send it anywhere over the internet!


This is beta software; do not rely on it for strong identity verification. It is unlikely to mess up so badly as to produce compromised private keys, but anything is possible. Also, keep in mind that this program is handling your private OTR keys, so make sure that you don’t copy, send or email the `otr_keystore.ofcaes` file somewhere unsafe. All that said, testing and feedback are greatly appreciated, so we can get it to the point where we can trust it.

Reporting Bugs

Please report any bugs or issues that you have with this app! We want to hear from you, no need to worry about technical details or language skills. Help us improve this software by filing bug reports about any problem that you encounter. Feature requests and patches are also welcome!


  • Windows executable
    • Download and install OpenSSL: Win32OpenSSL_Light-1_0_1f.exe
    • When prompted, install into the “Windows system directory”
    • Note: The prompt asking for a donation will go to the company that produces OpenSSL installers for Windows, not The Guardian Project.
    • If you get an error when trying to install OpenSSL, you probably need to install the Visual C++ 2008 Redistributables from Microsoft.
    • Download KeySync – no installation required: KeySync-0.2.exe
      • detached gpg signature
      • MD5: 1fb7a5ec050d03f59104a41494c559fd
      • SHA256: 422fd0ddb6d85a6f509a1c9a868ce87437af7ac895ba8c4fa7f366d83114be07
  • Mac OS X (10.6 or newer, 64-bit only):
    • detached gpg signature
    • MD5: f6a1744a783d1cc5dc3070e1a16d79fd
    • SHA256: 429dc303fb1d2673b953a2543b0e168f0410ce1cd14d4167f0dbf888fdf162d0
  • Ubuntu, Linux Mint, etc.: Run this in the Terminal to add our PPA to your package sources. You only need to do this once; you’ll get updated versions automatically once this is complete (fingerprint: F50E ADDD 2234 F563):
    sudo add-apt-repository ppa:guardianproject/ppa
    sudo apt-get update
    sudo apt-get install keysync
  • Fedora 17, 18, 19: Run this in your Terminal to add our repository to your package sources. You only need to do this once; you’ll get updated versions automatically once this is complete (fingerprint: AC38 BED1 E879 79EA FD54):
    source /etc/os-release
    sudo wget${VERSION_ID}/security:guardianproject.repo -O /etc/yum.repos.d/security:guardianproject.repo
    sudo yum install keysync
  • Debian: included in the official repos. For wheezy, get it from backports:
    apt-get -t wheezy-backports install keysync
  • Arch Linux: included in the AUR. Please vote for it so it can be included in the official community repository.
  • Any platform with Python: install via PyPI (see the special instructions for Windows)
    pip install keysync
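
The SHA256 values and detached signatures listed above only protect a download if they are actually checked. The following is an added example, not part of the original post or of KeySync: `check_sha256` compares a file with a published SHA256, and `signed_by` reads `gpg --status-fd` output so that a good signature from some other key, or a signature from a revoked or expired key, is rejected. It assumes that the long key ID quoted in the comments on this page (0x97D05003DA731A17) is the primary signing key; the function and variable names are illustrative.

```shell
# Added example (not from the KeySync project): verify a download before use.
KEYSYNC_EXE_SHA256=422fd0ddb6d85a6f509a1c9a868ce87437af7ac895ba8c4fa7f366d83114be07  # from this page
SIGNER_KEYID=97D05003DA731A17  # long key ID from the comments; assumed primary key

# sha256_of FILE: print the hex digest using Linux or macOS tooling.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# check_sha256 FILE EXPECTED: 0 = match, 1 = mismatch, 2 = unusable input
# (missing file, or EXPECTED is not 64 hex digits, e.g. an MD5 pasted by mistake).
check_sha256() {
    [ -f "$1" ] || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$want" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 64 ] || return 2
    [ "$(sha256_of "$1")" = "$want" ]
}

# signed_by STATUS KEYID: STATUS is the text printed by
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# Succeeds only if gpg reported GOODSIG (so not bad, expired or revoked) and
# the primary-key fingerprint, the last VALIDSIG field, ends with KEYID.
# A 64-bit key ID is a weak pin; use the full fingerprint once you have it
# from a channel you trust.
signed_by() {
    printf '%s\n' "$1" | awk -v id="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" ||
        $2 == "EXPKEYSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = toupper($NF)
            if (length(fpr) >= length(id) &&
                substr(fpr, length(fpr) - length(id) + 1) == id) pinned = 1
        }
        END { exit !(good && pinned && !bad) }'
}
```

Typical use is `check_sha256 KeySync-0.2.exe "$KEYSYNC_EXE_SHA256" && signed_by "$(gpg --status-fd 1 --verify KeySync-0.2.exe.asc KeySync-0.2.exe 2>/dev/null)" "$SIGNER_KEYID"`.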


Known Issues

See the KeySync Roadmap for our development plan. Here are some notable known issues:

  • does not handle multiple keys/fingerprints for a given account (#1868)
  • GUI only syncs to ChatSecure (full two-way sync is planned) (#1968)
  • no way to handle conflicting private keys for an account (#1963)
  • no translations, only in English (#2170)
  • View all open issues

35 thoughts on “KeySync: Syncing Trusted Identities”

  1. Even in the 1st world context, mobile puts big barriers on this. The best I have so far is side-by-side running of old device and new, then signing new keys from old device, and sending signatures over wifi. With limited key re-use and multiple apps this is pain.

    1. You are describing the exact issues that we’re trying to tackle with KeySync! Please try it out and let us know how it works for you.

    1. Oops, sorry, the link was old, I just fixed it. You should download KeySync-0.2.exe, KeySync-0.2.0beta3.exe is the old release. Try the download link again please

    1. It’s working for me, perhaps you haven’t downloaded Abel’s key (0x97D05003DA731A17), which signed it? Please email with more info and we can help you get it ironed out.

      Here’s what I did:

      $ wget
      $ wget
      $ gpg --verify KeySync-0.2.exe.asc 
      gpg: Signature made Sat 26 Oct 2013 11:46:58 AM EDT using RSA key ID 7E6D2A54
      gpg: Good signature from "Abel Luck (long-term offline master) <>"
      gpg:                 aka "Abel Luck (long-term offline master) <>"
  2. Hi

    It seems because the Abel Luck GPG key contains revoked certs that have expired, that it’s impossible for me to set it as Trusted, at least with Kleopatra, as it gives me an error about the certificate having expired.

    It would have been helpful if you’d posted the key ID and fingerprint, along with a command to download the key with GPG, in the article as well so that we can verify the key once imported.

    1. Yes, we’d like to support all platforms. If someone puts together an official port/pkg for FreeBSD or any OS, please let us know and we’ll add it to this page.

  3. I am using keysync 0.2-1 from the AUR (although it says 0.1 with the version-parameter) like follows:
    > keysync -i pidgin -o chatsecure

    It will throw the following error if your otr.private_key-file contains more than five private keys:
    > File "/usr/bin/keysync", line 110, in
    > main()
    > File "/usr/bin/keysync", line 87, in main
    > otrapps.util.merge_keydicts(keydict, properties.parse())
    > File "/usr/lib/python2.7/site-packages/otrapps/", line 54, in parse
    > keydict = OtrPrivateKeys.parse(kf)
    > File "/usr/lib/python2.7/site-packages/otrapps/", line 81, in parse
    > name, resource = element[1].split('/')

    1. We welcome all contributions to support any OTR-enabled chat app. If Psi’s OTR support is based on libotr, then it should be quite easy to add support to it.

      Adium has millions of users, so it’s hard to call it exotic. Gajim is far from obsolete though it has a small user base. Gajim piqued our interest due to its work on adding clean, usable, security features. Currently, only importing public key fingerprints is supported from Gajim. It uses the same file format as libotr apps like Pidgin and Adium, so it was quite easy to do.

  4. Hi, guys.

    Thanks for your work on keysync. I don’t know whether this is the place to ask the dumbest of all possible newbie questions, but I’ll risk it and live with the ridicule if I was gravely mistaken.

    I’ve downloaded and run the keysync program (on Linux, couldn’t get it to work in Windows somehow … maybe it’s just my phone, since Samsung has become rather a bit of a turd in terms of what it designs, builds, and then proceeds to sell) and it all seems to work just perfectly except that … it doesn’t? 😛

    I place the otr_keystore.ofcaes on the root of the phone’s filesystem as instructed, the “Start Keysync” menu item in Chatsecure finds it just fine, asks for the QR code and scans it just fine, and what happens next is I go online and find that my OTR fingerprint is nothing like the one I just imported?

    Despite all evidence to the contrary, I maintain a self-image among which features there is a stubborn belief that I’m just not this stupid, and yet … I seem to have gotten all the parts assembled but they just don’t produce the outcome I expected. Any idea how I might meaningfully troubleshoot what might be wrong?

    1. Yeah, that is a big lack. We have that full sync planned out, but not implemented. We’d be happy to help anyone who wants to take this on. We now have OTRDATA file transfer to build upon.

  5. Hello,

    I’m using now ChatSecure (before that, it was Xabber). It’s really great and is from now on my favourite app. On my computer (Windows) I’m using Jitsi.

    I wanted to use KeySync:
    1) Starting KeySync
    2) Choosing Windows App -> Jitsi
    But: Nothing happens!

    The path doesn’t change, but I’ve chosen “Jitsi” and of course none of the paths I entered (I tried a lot of them) activated the OK button.

    What could be the reason?

    I’d be glad if anybody could help me.

    Thank you,

  6. States: “It also makes it easy to sync the trust information to your Android device for use with ChatSecure” is there iOS support?

    I have:
    iPhone 5 iOS 7 (7.0.6)
    iPad 2 iOS 7 (7.0.4)
    Both are Jailbroken with SSH Access

    Have ChatSecure iOS App version 2.2.4

    Running Jitsi Client on:

    PC – 2.4
    OSX – 2.4

    Does anyone know the path to import the otr_keystore.ofcaes file to? Will that work?

  7. When installing keysync on ubuntu 12.04 LTS, I get this error:
    “The following packages have unmet dependencies:
    keysync : Depends: python-beautifulsoup4 but it is not installable”

    I checked and I have both python-beautifulsoup and python-bs4 already installed. I also checked synaptic and I don’t have any broken packages. Any suggestions?

  8. Any news on when the “Activate KeySync” option will return to ChatSecure? The default behaviour of keysync isn’t much use without it!

  9. It seems OpenSSL version changed so the URL is giving Error 404. I think it should be better to put OpenSSL page link and recommend which version to use (e.g.: Win32 OpenSSL v1.0.1j Light at the time of this post)
    Also, does it have to be 32-bit or can it be the 64-bit OpenSSL?
    And last, the key used for KeySync 2.0 has been revoked.

  10. Downloaded Win32OpenSSL_Light-1_0_1j.exe — KeySync only sort of works, it complains about a file already existing [which it created itself just before complaining] it creates the required encrypted file and presents the QR code (password), and Chat Secure finds the file on sdcard storage okay and asks about reading the QR code which it accepts, but then nothing. Trying to transfer otr identity from Pidgin….

    1. Yeah, unfortunately, KeySync is not well supported on Windows. We need help to improve it and make new builds, we currently do not have any Windows developers!

    1. If you use the keysync command line tool, you can sync from the ChatSecure file to the desktop, then run the sync again to the other device.

  11. I like the idea a lot – but I use “Conversations” on Android and some friends use “xabber” – would it be possible to add key sync functions for these mobile clients too – as they are open source too…?!?
