This post was originally published on February 10, 2017.
Your Facebook account is valuable. It contains private chats, a list of your personal connections, and, if you use the Messenger app to send money, could even be linked to your bank account.
Two-factor authentication will help protect your account, but there’s a new feature that acts as even stronger protection: OpenPGP (GPG or PGP) encrypted notifications.
What is PGP encryption and why doesn’t everyone use it?
PGP and its open source implementation, OpenPGP, are the gold standard in encryption protocols and both are well established and audited.
Unfortunately, the protocols have failed to gain mainstream acceptance, possibly because OpenPGP is widely criticized for its drawbacks, notably a steep learning curve and a lack of perfect forward secrecy.
Still, PGP is an excellent way to secure your data, and Facebook’s new encrypted notifications are a perfect starting place for beginners wishing to up their online defenses.
Here’s how to beef up your Facebook security in 3 easy steps:
1. Generate your unique PGP key
First up, create a PGP key from this list of recommended PGP clients. A key length of at least 2048 bits is recommended.
Associate your new PGP key with the email address you use for Facebook, then set an expiration date. Create a revocation certificate immediately, in case your key gets lost or stolen.
2. Upload your PGP key to Facebook
Under Facebook’s Settings go to the Security tab and navigate to Public Key (or use this direct link).
Go back to your PGP client and find your key, then choose to Export the Public Key.
Copy and paste the key into the field provided by Facebook (see below) and check the box labeled Use this Public Key.
Note that your public key will also be displayed on your profile, under Contact and Basic Info.
3. Use your PGP key to get encrypted notifications
Now, whenever you receive a notification from Facebook, it will be encrypted to your PGP public key.
This means only you will be able to read your Facebook notifications. No one else, including your email provider or government, can see them. You can set the kind of notifications you would like to receive from Facebook here.
Encrypting your Facebook notifications preserves your privacy, but, more importantly, makes it much harder for anyone to attack your account by hijacking your email and requesting a password reset from Facebook.
Requesting a password reset to a compromised email account is a common way to hack a Facebook profile. But anyone who tries this method to access a Facebook account secured with a PGP key would be greeted with an encrypted message like the one below.
Encrypt Facebook with a PGP key and protect yourself online
After importing Facebook’s PGP key, you can cross-check its fingerprint by visiting this post. In the future, when you receive an email from Facebook, your email client will quickly tell you whether the signature checks out (or doesn’t).
Encrypting your Facebook emails also has one other advantage. As all messages are cryptographically signed, it’s easy to tell which are legit Facebook messages, and which are phishing mail.
Remember: Stay safe online! Always use protection!