Facebook boosts notification email security with OpenPGP encryption


The next time someone tags you in a Facebook post, the social network can send you a super secret notification that not even the National Security Agency can read—at least as far as we know. On Monday, Facebook announced that you can now add an OpenPGP key to your Facebook profile.

When you do this, Facebook will also give you the option to enable encryption for email alerts. That means the next time you get an email notification from Facebook for a new tag, friend request, or, most importantly, a password reset, the message will be encrypted.

The social network isn't helping you generate your own key, but if you have one you can add it to your profile here. The new feature is rolling out over time so if you don't see it now check back over the next few days. It also only works on desktop browsers, but the company says it is working on a way to all you to manage your keys on mobile as well.

The addition of OpenPGP keys is the second major security-focused announcement from Facebook in recent months. In October, Facebook created a site on the Tor network allowing users to connect to Facebook with enhanced anonymity. Facebook's Tor site was notably also the first "darknet" site to earn its own SSL certificate.

Why this matters: It may seem like overkill to get an encrypted notification to let you know about a Facebook poke or when someone posts on your timeline. Security notifications, however, are another matter. If hackers got access to your email account and then tried to send a password reset for Facebook it wouldn't do them much good with encryption enabled. Unless the bad guy had your private OpenPGP key there would be no realistic way for them to read the encrypted message. 

Email encryption is also becoming a hot topic: Both Gmail and Yahoo plan on offering an OpenPGP in the near future.

How it works

Here's a quick primer on email encryption basics. To use OpenPGP you have to generate two keys: one private and one public. The private one you have to keep to yourself and never share it with anyone; it should also be locked down with a password that's hard to guess. The public key you share far and wide. Then, when someone wants to send you an encrypted message, their email program uses your public encryption key to scramble the message. When that happens, only someone who has the private key can de-scramble the message.

Hands on

To get started, follow the link to your profile referenced above or open your Facebook profile and click About > Contact and Basic info.


Facebook's text entry area for your public PGP key.

Under the contact information heading you should see an option that says + Add a public key. Click that option and a large text box appears. Copy and paste your complete public key into that box—from the first line with the dashes to the last line with the dashes.

If you want to encrypt your email alerts from Facebook, check the box below the text entry area that says "Use this public key to encrypt emails that Facebook sends to you?"

Finally, decide whether you want your public key displayed on your profile. You can choose to make it completely public to all Facebook users, only friends, only you, or only to any custom sharing lists you've made.

I would recommend making it public since the whole point of your public key is to make it available to the world. 

Once you've decided how you want to share your public key on your Facebook profile, click Save Changes and you're done.

Facebook will then display your public key fingerprint (basically a shorthand version of your key that programs can parse).

Finally, if you select the encrypted email notifications option, Facebook will send you an encrypted email that will include a link you must click to confirm you want to receive encrypted messages from Facebook.

That's it: Welcome to the wonderful world of encrypted email notifications from Facebook.

This story, "Facebook boosts notification email security with OpenPGP encryption" was originally published by PCWorld.