This post was originally published on February 10, 2017.
Your Facebook account is valuable. It contains private chats, a list of your personal connections, and, if you use the Messenger app to send money, could even be linked to your bank account.
Two-factor authentication will help protect your account, but there’s a new feature that acts as even stronger protection: OpenPGP (GPG or PGP) encrypted notifications.
What is PGP encryption and why doesn’t everyone use it?
PGP and the open standard derived from it, OpenPGP, are the gold standard in encryption protocols; both are well established and audited.
Unfortunately, the protocols have failed to gain mainstream acceptance, possibly because OpenPGP is widely criticized for its drawbacks, notably a steep learning curve and the lack of perfect forward secrecy.
Still, PGP is an excellent way to secure your data, and Facebook’s new encrypted notifications are a perfect starting point for beginners who want to strengthen their online defenses.
Here’s how to beef up your Facebook security in 3 easy steps:
1. Generate your unique PGP key
First, create a PGP key using one of the clients in this list of recommended PGP clients. A key length of at least 2048 bits is recommended.
Associate your new PGP key with the email address you use for Facebook, then set an expiration date. Create a revocation certificate immediately, so you can revoke the key if it is ever lost or stolen.
2. Upload your PGP key to Facebook
Under Facebook’s Settings, go to the Security tab and navigate to Public Key (or use this direct link).
Go back to your PGP client, find your key, and choose to export the public key.
Copy and paste the key into the field provided by Facebook (see below) and check the box labeled Use this Public Key.
Note that your public key will also be displayed on your profile, under Contact and Basic Info.
3. Use your PGP key to get encrypted notifications
Now, whenever Facebook sends you a notification, it will be encrypted to your PGP key.
This means only you will be able to read your Facebook notifications; no one else, including your email provider or a government, can see them. You can choose which notifications you would like to receive from Facebook here.
Encrypting your Facebook notifications preserves your privacy and, more importantly, makes it much harder for anyone to take over your account by hijacking your email and requesting a password reset from Facebook.
Requesting a password reset to a compromised email account is a common way to hijack a Facebook profile. But anyone who tries this against a Facebook account secured with a PGP key would be greeted with an encrypted message like the one below.
Encrypt Facebook with a PGP key and protect yourself online
After importing Facebook’s PGP key, you can cross-check its fingerprint by visiting this post. From then on, when you receive an email from Facebook, your email client will quickly tell you whether the signature checks out (or doesn’t).
Encrypting your Facebook emails has one other advantage: because all messages are cryptographically signed, it’s easy to tell which are legitimate Facebook messages and which are phishing mail.
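To make the fingerprint cross-check concrete, and to show what the armored key block you paste into Facebook’s form (or import from Facebook) actually contains, here is an added example that is not code from the original post: it strips the ASCII armor from an exported public key, verifies the armor’s CRC-24 trailer, and recomputes the OpenPGP v4 fingerprint from the key packet, so you can compare that value with what your client or a published fingerprint shows. The key material is a constructed toy RSA key built in the block itself; the same functions accept a real GnuPG-exported block.

```python
import base64
import hashlib
import struct

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:  # wrap packet bytes in a PUBLIC KEY BLOCK with the "=XXXX" CRC trailer
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(armored: str) -> bytes:
    """Strip the armor and check the CRC trailer; an altered block raises ValueError."""
    lines = armored.strip().splitlines()
    assert lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP "), "not armored"
    body = lines[lines.index("") + 1 if "" in lines else 1:-1]  # skip "Version:"-style headers
    crc_line = body.pop() if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC mismatch: the key block was altered")
    return data

def first_packet(data: bytes):  # (tag, body) of the leading old-format packet, as GnuPG exports keys
    ptag = data[0]
    assert ptag & 0xC0 == 0x80 and ptag & 0x03 != 3, "unsupported packet header"
    nbytes = 1 << (ptag & 0x03)  # length field is 1, 2 or 4 octets
    length = int.from_bytes(data[1:1 + nbytes], "big")
    return (ptag >> 2) & 0x0F, data[1 + nbytes:1 + nbytes + length]

def fingerprint_of_armored_key(armored: str) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-octet body length and the v4 key packet body."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def mpi(n: int) -> bytes:  # OpenPGP multiprecision integer: bit count, then big-endian magnitude
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample, NOT a real key: version 4, creation time, algorithm 1 (RSA), toy n and e.
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1486684800) + b"\x01" + mpi(0xC0FFEE00DEADBEEF) + mpi(65537)
SAMPLE_ARMOR = armor(b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY)
```

A valid signature only proves that a mail came from the holder of the key you imported, which is why comparing that key’s fingerprint against the one Facebook publishes matters before trusting the "signature OK" verdict.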
Remember: Stay safe online! Always use protection!
Comments
This doesn’t work (or at least not at the moment). Facebook sends the encrypted email and I’m able to decode it, but I’m not able to complete the process because the verification link in the email is invalid. Facebook’s entire security apparatus is woefully inadequate and unreliable.
Hello,
great stuff.
But what if a hacker attack has already taken place, the password has been changed and the hacker has set up PGP encryption on Facebook? Without the private key, the actual profile owner can no longer decrypt the emails or reset the password, right?
Yeah, the major flaw in this is it enables hackers to completely lock you out of your account. Once they take it over, they add PGP Encryption, and now the account recovery codes that Facebook sends are encrypted. This was not well thought out by Facebook.
Yeah, it happened to me 2 weeks ago. Now I still can’t retrieve my fb account.
I was looking for a solution on encryption when I found this page, and now I understand Facebook email encryption. Kind of too late, eh?
PGP with facebook might be a nice idea. But if you’re hacked and the hacker activates it, there seems to be no way to regain access to your account because facebook didn’t take this case into account. Every e-mail from facebook will be encrypted, you can’t do anything and support for this case is simply nonexistent.
Hey, I’m so happy I found this info, but I’m kinda stuck. Just yesterday I had to go purchase a whole new phone, make a whole new Gmail account, get a new number, EVERYTHING, bc someone hacked my stuff, and bc of this I can’t get into my Facebook account bc I forgot my password and can’t even reset it bc I can’t get into my old Gmail account, soooo is there a way I can still use this key to get into my original Facebook?
I noticed this was updated in 2021. Just an additional information:
As of 2021-09-09, Facebook still doesn’t support ed25519. They only accept rsa2048 (I haven’t tested if they accept rsa4096). It seems that they have completely forgotten about this important feature in favor of aesthetic updates (which is probably not surprising).
Nice.
Are there any other websites that offer this functionality or how can I search for them?
You will also need to check a signature from Facebook or as far as I can see you would be vulnerable to phishing via this route if your public key was available to anyone other than Facebook (or if Facebook’s servers were compromised).