I’ve talked extensively about email encryption and security. It’s no secret that I prefer Secure/Multipurpose Internet Mail Extensions (S/MIME) over Open Pretty Good Privacy (OpenPGP), in part because of the latter’s reliance on a failing Web of Trust. With that said, I’ve come across a feature in Facebook, of all places, that could be used to revive PGP’s reliability.
An Old Feature, but It’s Still News to Me
I think Facebook must have been pretty quiet about it, although the social media giant did issue a news release in 2015 when the feature went live. To help users feel safe and trust that their connections to Facebook remained secure, the social network began providing a means to allow people to add OpenPGP public keys to their profiles. This was intended to allow Facebook to send end-to-end encrypted notification emails to users, but it has much more far-reaching implications.
With or without enabling encrypted notifications, Facebook users can choose to share their PGP public key on their profile page. In this way, Facebook could easily become a new Web of Trust. No longer would you have to rely upon the validation information from keyservers, which is not at all reliable because it’s so cumbersome to use that many people ignore the feature altogether. Instead, you could just look up your contact on Facebook and find their public key that way.
Enabling the OpenPGP Public Key on Facebook
If you want to provide your OpenPGP public key on your profile, here’s how you go about it. Make sure you’re on a computer, for starters. I’m not sure this process is even possible on a mobile device, and if it is, it’s going to be far too cumbersome.
First, get to your Facebook settings by clicking the blue triangle right of the question mark in the upper right corner of the Facebook page. Then, click Settings.
Next, click on Security. You’ll see an option for Public Key. Click Edit beside that option to move on.
Now you’ll enter a screen where you can paste your OpenPGP public key. Go ahead and do so, and decide whether or not you want Facebook to send you encrypted email.I found the best way to input the public key was using the entire contents of the ASCII file you get when you export the key from your PGP certificate (usually using GPGSuite on a Mac). If you decide to let Facebook encrypt communications with you, make sure you keep reading through the end of this article – there’s a “gotcha” between that and Keychain Access that you might want to be aware of. After you’ve pasted in your public key and checked (or not) the checkbox to use the public key to encrypt notification emails to you, click on Save Changes.
You may receive an encrypted email from Facebook to confirm your public key’s validity. Follow the instructions within that email to make the below message go away.
Next: Displaying Your Public Key on Your Profile Page