As an interlude in the two-part series on Keybase, I’m going to briefly discuss a brand new feature on Facebook: support for email encryption and public keys.

See Getting to First Keybase: Part One for a brief introduction to public-key cryptography.

You can now add your public PGP key as part of your contact information on Facebook. If you do so, you can choose to have Facebook encrypt all emails it sends to you, using your public key for the encryption. That means that only you can read the contents of those emails. In other words, even if someone can access your email account, they can’t get access to notifications about your friends’ activity. They also can’t read emails Facebook sends to you about login attempts, password resets and other administrative tasks you perform that you might not want a malicious user to know about.

Facebook will also cryptographically sign the messages they send, further strengthening their authenticity—this gives you a strong indication that a message has actually been sent by Facebook and not an imposter.

Note

As always, the only thing that is proven by a signed message is that the sender has access to the private key used to sign the message. It does not necessarily mean that they are the owner of that private key. If the owner is careful in protecting their private key, however, it is likely that the message is signed by the key owner. It is fairly probable that Facebook can protect their private key, but it's not guaranteed.

These measures only apply to emails sent to you from Facebook. They do not apply to chat messages or other Facebook-related forms of communication, nor to communication with parties other than Facebook. It’s almost two years since Facebook made encrypted connections over TLS the default way of connecting, but you should still consider all Facebook chat sessions and other activity semi-public.

However, while getting encrypted emails from Facebook is nice—especially if you’re actually getting notifications emailed to you—that’s not the key (pun not intended) point here. The reason why this is a big deal, in my opinion, is that it is yet another step in bringing public keys into the open. We’ll get back to this in part two of our Keybase series, which is not yet published. More easily accessible public keys mean a lower threshold for actually using cryptography in our communication. Posting your public key in multiple places also means that an adversary would have to change the public key in more places in order to replace your key with their own. If your friends start using PGP, they can post their public keys on Facebook so you can easily access their key if you need to send a confidential message.
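Publishing a key in several places only helps if someone compares the copies. The sketch below is an added example, not code from Facebook or Keybase: it computes the OpenPGP version 4 fingerprint of each copy and groups the places by fingerprint, since the same key can be serialized differently and a plain text comparison would mislead. The place names, `sample_key` and the key material are constructed for the demonstration.

```python
import base64, hashlib, struct

def dearmor(text):
    """Return the binary OpenPGP data inside one ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    lines = lines[lines.index("") + 1:]      # a blank line ends the armor headers
    end = next(i for i, l in enumerate(lines) if l.startswith(("=", "-----END")))
    return base64.b64decode("".join(lines[:end]))   # stop at CRC-24 line or footer

def primary_key_body(data):
    """Return the body of the leading version 4 public-key packet (tag 6)."""
    if data[0] & 0x40:                       # new-format packet header
        tag, o1 = data[0] & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("longer new-format lengths not handled here")
    else:                                    # old-format packet header
        tag, ltype = (data[0] & 0x3C) >> 2, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    if tag != 6 or data[off] != 4:
        raise ValueError("expected a version 4 public-key packet first")
    return data[off:off + length]

def v4_fingerprint(armored):
    """SHA-1 over 0x99, the two-octet body length and the body (RFC 4880, 12.2)."""
    body = primary_key_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def cross_check(copies):
    """Group the places a key is published by the fingerprint each one serves."""
    groups = {}
    for place, armored in copies.items():
        groups.setdefault(v4_fingerprint(armored), []).append(place)
    return groups

def sample_key(modulus, new_format):
    """Constructed, unusable RSA key; new_format changes only the packet header."""
    body = b"\x04" + struct.pack(">I", 1433116800) + b"\x01\x00\x80" + modulus + b"\x00\x11\x01\x00\x01"
    head = bytes([0xC6, len(body)]) if new_format else b"\x99" + struct.pack(">H", len(body))
    b64 = base64.b64encode(head + body).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----"

MINE, OTHER = b"\xc3" + bytes(15), b"\xd5" + bytes(15)   # constructed 128-bit moduli
COPIES = {"facebook": sample_key(MINE, True), "keybase": sample_key(MINE, False), "blog": sample_key(OTHER, False)}
```

If `cross_check(COPIES)` returns more than one fingerprint, at least one copy is not the key you think it is, and the grouping shows which places disagree.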

Finally, by enabling this, Facebook sets an example to other service providers, stating that end-to-end encryption beyond TLS should at least be an option, if not the default. As consumers, we should show that we want this and start using this feature right away.

The thing I miss so far is that while you can post your public key, you don’t post a proof of access to your private key, like Keybase will help you do on many other sites. In other words, you don’t prove that the Facebook account and the encryption key really belong to you—which may or may not be a good thing. Of course, you could manually post a proof, but that takes effort and means that few will do it.

Facebook deserves kudos for taking this important step in ensuring our privacy online. Hopefully other mainstream sites will follow suit, and then privacy will be the default—like it should be.

Disclaimer

Cryptography is a very complex field. I am just an amateur. Some things I write may be extreme simplifications; other things may simply be wrong. Please let me know if you find any errors or omissions.