Facebook boosts notification email security with OpenPGP encryption
By Ian Paul
PCWorld, Jun 1, 2015 6:15 am PDT
The next time someone tags you in a Facebook post, the social network can send you a super secret notification that not even the National Security Agency can read—at least as far as we know. On Monday, Facebook announced that you can now add an OpenPGP key to your Facebook profile.
When you do this, Facebook will also give you the option to enable encryption for email alerts. That means the next time you get an email notification from Facebook for a new tag, friend request, or, most importantly, a password reset, the message will be encrypted.
The social network isn’t helping you generate your own key, but if you have one you can add it to your profile here. The new feature is rolling out over time, so if you don’t see it now, check back over the next few days. It also only works on desktop browsers, but the company says it is working on a way to allow you to manage your keys on mobile as well.
Why this matters: It may seem like overkill to get an encrypted notification to let you know about a Facebook poke or when someone posts on your timeline. Security notifications, however, are another matter. If hackers got access to your email account and then tried to send a password reset for Facebook, it wouldn’t do them much good with encryption enabled. Unless the bad guy had your private OpenPGP key, there would be no realistic way for them to read the encrypted message.
Email encryption is also becoming a hot topic: Both Gmail and Yahoo plan on offering OpenPGP encryption in the near future.
How it works
Here’s a quick primer on email encryption basics. To use OpenPGP you have to generate two keys: one private and one public. The private one you keep to yourself and never share with anyone; it should also be locked down with a password that’s hard to guess. The public key you share far and wide. Then, when someone wants to send you an encrypted message, their email program uses your public key to scramble the message. Once that has happened, only someone who holds the matching private key can de-scramble it.
To get started, follow the link to your profile referenced above or open your Facebook profile and click About > Contact and Basic info.
Under the contact information heading you should see an option that says + Add a public key. Click that option and a large text box appears. Copy and paste your complete public key into that box—from the first line with the dashes to the last line with the dashes.
If you want to encrypt your email alerts from Facebook, check the box below the text entry area that says “Use this public key to encrypt emails that Facebook sends to you?”
Finally, decide whether you want your public key displayed on your profile. You can choose to make it completely public to all Facebook users, only friends, only you, or only to any custom sharing lists you’ve made.
I would recommend making it public since the whole point of your public key is to make it available to the world.
Once you’ve decided how you want to share your public key on your Facebook profile, click Save Changes and you’re done.
Facebook will then display your public key fingerprint (basically a shorthand version of your key that programs can parse).
Finally, if you select the encrypted email notifications option, Facebook will send you an encrypted email that will include a link you must click to confirm you want to receive encrypted messages from Facebook.
That’s it: Welcome to the wonderful world of encrypted email notifications from Facebook.
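Before pasting a key block into that text box, it is worth checking that what you copied is complete and intact, and knowing the fingerprint you should see Facebook display afterwards. The following is an added example, not code from the article or from Facebook: it uses only the Python standard library, a constructed toy key packet (not a usable RSA key), and assumes the old-format packet headers that GnuPG emits for key packets.

```python
import base64, hashlib, struct

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP radix-64 armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Check the dashed lines and the CRC-24 line, then return the raw packet bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----":
        raise ValueError("missing BEGIN/END lines: paste the whole block, dashes included")
    body = lines[1:-1]
    if "" in body:  # optional armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line: the key block is truncated")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: the key block was altered or corrupted")
    return data

def fingerprint_v4(packets: bytes) -> str:
    """Parse the first packet header; if it is a v4 public key, return its fingerprint."""
    tag_byte = packets[0]
    if tag_byte & 0xC0 != 0x80:  # assumption: old-format header, as GnuPG uses for key packets
        raise ValueError("not an old-format OpenPGP packet header")
    tag, hdr_len = (tag_byte >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[tag_byte & 0x03]
    body = packets[1 + hdr_len:][:int.from_bytes(packets[1:1 + hdr_len], "big")]
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a version-4 public key")
    # v4 fingerprint: SHA-1 over 0x99, two-octet body length, body (RFC 4880, section 12.2)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def check_key(text: str) -> dict:
    """Report whether a pasted block is a complete, intact v4 public key, plus its fingerprint."""
    try:
        return {"ok": True, "fingerprint": fingerprint_v4(dearmor(text)), "error": None}
    except (ValueError, IndexError, KeyError) as exc:
        return {"ok": False, "fingerprint": None, "error": str(exc)}

def sample_armored_key() -> str:
    """Constructed demo block: a v4 RSA public-key packet with toy (insecure) MPIs."""
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1433134800) + b"\x01" + mpi(0xC5F1) + mpi(0x010001)
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format header, tag 6, 2-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", base64.b64encode(packet).decode(), "=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])
```

Run `check_key()` on the block you are about to paste; a missing CRC line or a mismatch means the copy was cut short or altered, and the fingerprint it returns should match the one Facebook shows after you save.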