Ref Arch setup: Why do you need a Keybase username or a PGP key?

Answer

A customer asked:

> Could you please explain why you request either a Keybase username with public PGP key attached, or an exported base64 encoded PGP key from a customer when they are setting up their Ref Arch form for deployment? Also, why does the example demonstrate a different value in the `Username` and the `PGPKey` field?
>
> ```
> # - Username: "grunty"
> #   Email: "grunty@gruntwork.io"
> #   PGPKey: "keybase:gruntwork"
> ```

I can see how that would be confusing. The example is attempting to demonstrate that the username you desire for your IAM user is not dependent upon the Keybase username you want to fetch a public PGP key from. In other words, you could have a username of `apple` and your PGPKey could be `keybase:anteater`, if that were indeed the correct Keybase profile that had your public PGP key attached to it.

The format of `keybase:username` is something we have used in the past to fetch Keybase profiles and use their associated keys, which explains why you've not seen it in the wild before.

At the end of the day, the reason we need a key that you control is so that we can encrypt the password that AWS returns for your new IAM Admin user in the security account. For that purpose, we can either:

1. Encrypt your password to your Keybase public PGP key so that you can decrypt it when your Ref Arch is delivered, and use it to log into your security account.
2. Encrypt your password to your base64 encoded PGP key, for the same purpose.

Hope that is helpful!
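As an added example (not Gruntwork's own code), here is one way to sanity-check a `PGPKey` value before submitting the form, covering both forms described above and rejecting a secret key or ASCII-armored text pasted by mistake. It assumes the base64 form is the binary public-key export encoded with base64 and that Keybase usernames are lowercase letters, digits and underscores; the function names and sample values are hypothetical.

```python
import base64
import binascii
import re

# Assumption: Keybase usernames are short lowercase letters, digits, underscores.
KEYBASE_RE = re.compile(r"^keybase:[a-z0-9_]{1,16}$")
PUBLIC_KEY_TAG = 6   # OpenPGP Public-Key packet (RFC 4880, section 4.3)
SECRET_KEY_TAG = 5   # OpenPGP Secret-Key packet


def first_packet_tag(data: bytes) -> int:
    """Return the tag of the first OpenPGP packet, or -1 if it is not a packet."""
    if not data or not data[0] & 0x80:   # bit 7 is set on every packet header
        return -1
    if data[0] & 0x40:                   # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] & 0x3C) >> 2         # old-format header: tag in bits 5-2


def classify_pgp_key(value: str) -> str:
    """Classify a PGPKey field value; raise ValueError naming the problem."""
    value = value.strip()
    if KEYBASE_RE.match(value):
        return "keybase"
    if value.startswith("keybase:"):
        raise ValueError("malformed Keybase username")
    if "BEGIN PGP" in value:
        raise ValueError("ASCII-armored text, not a base64-encoded binary export")
    try:
        raw = base64.b64decode("".join(value.split()), validate=True)
    except binascii.Error:
        raise ValueError("not valid base64") from None
    tag = first_packet_tag(raw)
    if tag == SECRET_KEY_TAG:
        raise ValueError("this is a SECRET key; send only the public key")
    if tag != PUBLIC_KEY_TAG:
        raise ValueError("does not start with an OpenPGP public-key packet")
    return "base64-public-key"


# Constructed samples: packet headers followed by padding, not real keys.
SAMPLE_PUBLIC = base64.b64encode(b"\x99\x01\x0d\x04" + b"\x00" * 8).decode()
SAMPLE_SECRET = base64.b64encode(b"\x95\x03\x98\x04" + b"\x00" * 8).decode()
```

The check only inspects the first packet header, so it catches the wrong kind of value but does not prove the key is usable for encryption.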