From ec234a616b6e6fb5d9b70bc35a0dde4cb412cdb0 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Wed, 10 Jun 2026 10:25:14 -0400 Subject: [PATCH 01/24] e-mail -> email --- docs/admin/installation/email_alerts.rst | 6 +++--- docs/admin/installation/installation_overview.rst | 2 +- docs/includes/getting-support.txt | 2 +- docs/introduction/getting_support.rst | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/admin/installation/email_alerts.rst b/docs/admin/installation/email_alerts.rst index a0ce9ab9d..cd1797c8f 100644 --- a/docs/admin/installation/email_alerts.rst +++ b/docs/admin/installation/email_alerts.rst @@ -1,7 +1,7 @@ Prepare email accounts ====================== -SecureDrop sends different alerts by PGP-encrypted email. Before installing SecureDrop, you must select or prepare the e-mail accounts where you would like these alerts to be sent. In the case of OSSEC alerts (which you must set up), configuring an SMTP relay is also required. +SecureDrop sends different alerts by PGP-encrypted email. Before installing SecureDrop, you must select or prepare the email accounts where you would like these alerts to be sent. In the case of OSSEC alerts (which you must set up), configuring an SMTP relay is also required. .. _daily_journalist_alerts: @@ -90,8 +90,8 @@ solutions should be able to meet those requirements. The SMTP relay mail server hostname is often, but not always, different from the SASL domain, e.g. smtp.gmail.com and gmail.com. -The SMTP and SASL settings correspond to the *outgoing* e-mail address used to -send the alerts instead of where you're receiving them. If that e-mail +The SMTP and SASL settings correspond to the *outgoing* email address used to +send the alerts instead of where you're receiving them. If that email is ossec@news-org.com, the SASL Username would be ``ossec`` and the SASL Domain would be ``news-org.com``. 
diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index c894e977f..93299a17f 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst @@ -50,7 +50,7 @@ During this process, you'll set up at least four devices: A summary of the major steps is as follow: #. Acquire compatible hardware. -#. Prepare email accounts and GPG keys for alert e-mails. +#. Prepare email accounts and GPG keys for alert emails. #. Prepare an *Admin Workstation* laptop. #. Set up the KeePassXC password manager on the *Admin Workstation*. #. Install and configure the dedicated network firewall from the *Admin Workstation*. diff --git a/docs/includes/getting-support.txt b/docs/includes/getting-support.txt index c30d54891..df8b9700d 100644 --- a/docs/includes/getting-support.txt +++ b/docs/includes/getting-support.txt @@ -1,5 +1,5 @@ - If you are already in touch with us for support via Signal, please contact us there. -- If you would like to request support, please contact us by e-mail +- If you would like to request support, please contact us by email at securedrop@freedom.press (`PGP encrypted `__), or by using the (`Get Help with SecureDrop `__) contact form. - The Freedom of the Press Foundation offers training and priority support diff --git a/docs/introduction/getting_support.rst b/docs/introduction/getting_support.rst index 50567e316..b5b5acb42 100644 --- a/docs/introduction/getting_support.rst +++ b/docs/introduction/getting_support.rst 
@@ -9,7 +9,7 @@ SecureDrop instance, there are several support options available to you. Freedom of the Press Foundation offers direct :ref:`support via Signal `. -If you are unable to use Signal, you can always contact us by e-mail at securedrop@freedom.press (`PGP encrypted `__). +If you are unable to use Signal, you can always contact us by email at securedrop@freedom.press (`PGP encrypted `__). Additionally, there is also some level of :ref:`Community Support `. From d8fad708e1ed5f57da07d45cac47e467c36aa9c5 Mon Sep 17 00:00:00 2001 
From: "martin.c" Date: Thu, 11 Jun 2026 09:44:54 -0400 Subject: [PATCH 02/24] remove all title case in headers --- .../admin/deployment/deployment_practices.rst | 4 +- .../getting_the_most_out_of_securedrop.rst | 16 ++--- .../deployment/https_source_interface.rst | 2 +- docs/admin/deployment/landing_page.rst | 26 ++++---- docs/admin/deployment/onboard_journalists.rst | 5 +- docs/admin/deployment/onion_name.rst | 14 ++-- .../deployment/sample_privacy_policy.rst | 12 ++-- docs/admin/deployment/ssh_over_local_net.rst | 4 +- docs/admin/deployment/tor_pow.rst | 2 +- docs/admin/deployment/whole_site_changes.rst | 2 +- docs/admin/deployment/yubikey_setup.rst | 8 +-- docs/admin/installation/apply_sdw.rst | 8 +-- .../installation/create_admin_account.rst | 2 +- docs/admin/installation/email_alerts.rst | 4 +- docs/admin/installation/firewall_opnsense.rst | 44 ++++++------- docs/admin/installation/firewall_pfsense.rst | 34 +++++----- .../installation/generate_submission_key.rst | 2 +- docs/admin/installation/hardware.rst | 21 +++--- docs/admin/installation/install.rst | 12 ++-- .../installation/installation_overview.rst | 10 +-- docs/admin/installation/intro_for_admins.rst | 18 +++--- docs/admin/installation/network_firewall.rst | 5 +- docs/admin/installation/passphrases.rst | 10 +-- docs/admin/installation/prepare_sdw.rst | 8 +-- docs/admin/installation/prepare_servers.rst | 28 ++++---- docs/admin/installation/provisioning_usb.rst | 2 +- docs/admin/installation/set_up_keepassxc.rst | 2 +- .../installation/test_the_installation.rst | 10 +-- docs/admin/maintenance/backup_and_restore.rst | 24 +++---- docs/admin/maintenance/bios_server.rst | 14 ++-- docs/admin/maintenance/decommission.rst | 4 +- .../maintenance/kernel_troubleshooting.rst | 14 ++-- docs/admin/maintenance/logging.rst | 6 +- docs/admin/maintenance/rebuild_admin.rst | 6 +- docs/admin/maintenance/upgrade_guide.rst | 2 +- docs/admin/migration/admin_migration.rst | 8 +-- docs/admin/migration/journalist_migration.rst | 
2 +- docs/admin/migration/migration_overview.rst | 2 +- .../migration/removing_gpg_passphrase.rst | 2 +- docs/admin/reference/admin_interface.rst | 26 ++++---- docs/admin/reference/offboarding.rst | 10 +-- docs/admin/reference/securedrop_admin.rst | 6 +- docs/admin/reference/ssh_access.rst | 22 +++---- docs/admin/workstation_reference/backup.rst | 12 ++-- .../bios_workstation.rst | 6 +- .../managing_clipboard.rst | 2 +- .../troubleshooting_updates.rst | 2 +- docs/appendices/glossary.rst | 2 + docs/appendices/threat_model/dataflow.rst | 2 +- docs/appendices/threat_model/mitigations.rst | 42 ++++++------ docs/appendices/threat_model/threat_model.rst | 64 +++++++++---------- docs/appendices/training_schedule.rst | 14 ++-- docs/includes/backup-and-update-reminders.txt | 4 +- docs/index.rst | 4 +- docs/introduction/getting_support.rst | 4 +- docs/introduction/what_is_securedrop.rst | 28 ++++---- .../what_makes_securedrop_unique.rst | 12 ++-- docs/journalist/submissions.rst | 18 +++--- docs/source/after_you_submit.rst | 4 +- docs/source/before_you_submit.rst | 10 +-- docs/source/how_to_submit.rst | 4 +- docs/source/source.rst | 2 +- 62 files changed, 352 insertions(+), 347 deletions(-) diff --git a/docs/admin/deployment/deployment_practices.rst b/docs/admin/deployment/deployment_practices.rst index f9eb40426..7e96a0ba2 100644 --- a/docs/admin/deployment/deployment_practices.rst +++ b/docs/admin/deployment/deployment_practices.rst @@ -1,6 +1,6 @@ .. _Deployment: -Deployment Overview +Deployment overview =================== Once SecureDrop is installed on a news organization's servers, it's important 
@@ -21,7 +21,7 @@ The deployment tasks generally only need to be performed once. For tasks related to the upkeep and troubleshooting of your SecureDrop instance, we recommend reviewing :doc:`the maintenance documentation. <../maintenance/logging>` -Protecting the Security of the System +Protecting the security of the system ===================================== SecureDrop is only as secure as the environment that surrounds it. To keep diff --git a/docs/admin/deployment/getting_the_most_out_of_securedrop.rst b/docs/admin/deployment/getting_the_most_out_of_securedrop.rst index aa411e7a2..581f10a1f 100644 --- a/docs/admin/deployment/getting_the_most_out_of_securedrop.rst +++ b/docs/admin/deployment/getting_the_most_out_of_securedrop.rst @@ -1,4 +1,4 @@ -Promoting Your SecureDrop Instance +Promoting your SecureDrop instance ================================== At Freedom of the Press Foundation, we’ve found news organizations that get the @@ -10,7 +10,7 @@ it. So here are a few tips used by some of the news outlets that have seen the most success with SecureDrop. -Make a High Profile Announcement +Make a high profile announcement -------------------------------- Anytime you launch a SecureDrop, you’ll want to write an accompanying news story @@ -29,7 +29,7 @@ it will quickly be buried in other news after a couple of days. .. _`Wired`: https://www.wired.com/2017/04/new-way-securely-send-information-wired/ .. _`Washington Post`: https://www.washingtonpost.com/pr/wp/2017/01/31/qa-about-sharing-confidential-tips-with-the-washington-post/ -Provide a Clear Link on Your Homepage +Provide a clear link on your homepage ------------------------------------- Making your SecureDrop or secure tips page easy to find is one of the most important 
@@ -48,7 +48,7 @@ The Washington Post has a link on their front page for “how to share a tip sec Other news organizations put a little link in their footer, however, we’ve found that this is not as effective as putting it in a more prominent on your front page. -Provide Links at the Bottom of Your Articles +Provide links at the bottom of your articles -------------------------------------------- Another great way to remind potential sources know that they can use SecureDrop is @@ -57,7 +57,7 @@ uses a message like this: |Gizmodo Article Footer| -Create an Instructional Video on How to Access and Use Your SecureDrop +Create an instructional video on how to access and use your SecureDrop ---------------------------------------------------------------------- To better help potential sources visualize how SecureDrop works, several @@ -68,7 +68,7 @@ Some good examples include the `Toronto Globe and Mail`_, The Intercept, and .. _`Toronto Globe and Mail`: https://www.youtube.com/watch?v=oSW2wMWtAMM .. _`Lucy Parsons Labs`: https://www.youtube.com/watch?v=LkgN244ggzs -Regularly Share Your SecureDrop *Landing Page* on Social Media +Regularly share your SecureDrop *Landing Page* on social media -------------------------------------------------------------- The majority of adults in the United States now get their news from Facebook or @@ -80,7 +80,7 @@ great way of getting added attention to your SecureDrop. |New Yorker Tweet| -Target Potential Whistleblowers with Advertising +Target potential whistleblowers with advertising ------------------------------------------------ Facebook and Twitter also allow for targeted advertising to users in specific 
@@ -94,7 +94,7 @@ how it can be done. You can read about `how you can do the same thing here`_. .. _`tell on trump`: https://web.archive.org/web/20200926063152/https://specialprojectsdesk.com/tell-on-trump-1792401813 .. _`how you can do the same thing here`: https://freedom.press/news/we-targeted-securedrop-ad-potential-whistleblowers-trump-administration-you-can-too/ -Put an Advertisement in Your Physical Paper +Put an advertisement in your physical paper ------------------------------------------- Obviously this tip only applies to news outlets that also print a physical diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index a33905e5f..1fac33513 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst @@ -24,7 +24,7 @@ encryption and authentication via HTTPS: .. _`SecureDrop Directory`: https://securedrop.org/directory/ -Obtaining an HTTPS certificate for Onion URLs +Obtaining an HTTPS certificate for onion URLs --------------------------------------------- Digicert diff --git a/docs/admin/deployment/landing_page.rst b/docs/admin/deployment/landing_page.rst index 36d14570e..d087bebb1 100644 --- a/docs/admin/deployment/landing_page.rst +++ b/docs/admin/deployment/landing_page.rst @@ -19,7 +19,7 @@ your organization. implement minimum security requirements is sure to be noticed, and could undermine trust, discouraging possible sources. -*Landing Page* Content Suggestions +*Landing Page* content suggestions ---------------------------------- The content below presents sample text for the SecureDrop component of a news @@ -100,7 +100,7 @@ Do not discuss leaking or whistleblowing, even with trusted contacts. .. _The SecureDrop Directory: -The SecureDrop Directory +The SecureDrop directory ---------------------------------- SecureDrop `maintains a directory of instances that meet our strict guidelines. 
@@ -137,7 +137,7 @@ If you notice an increase in spam after being included in the directory, please let us know and we can remove your instance from the directory. -URL and Location +URL and location ---------------- Your *Landing Page* must be a path at your top-level domain, e.g. @@ -158,7 +158,7 @@ directive. .. warning:: Except for rare extenuating circumstances, this is a requirement for inclusion in the SecureDrop Directory -HTTPS Only (No Mixed Content) +HTTPS only (no mixed content) ----------------------------- HTTPS encryption is the number-one security requirement for your site's @@ -188,17 +188,17 @@ ever to be reached over HTTPS. .. warning:: This is a strict requirement for inclusion in the SecureDrop Directory -Perfect Forward Secrecy +Perfect forward secrecy ----------------------- -Perfect Forward Secrecy (PFS) is a property of encryption protocols that +Perfect forward secrecy (PFS) is a property of encryption protocols that ensures each SSL session has a unique key, meaning that if the key is compromised in the future it can't be used to decrypt previously recorded SSL sessions. You may need to talk to your CA (certificate authority) and CDN (content delivery network) for this, although our recommended configuration below provides forward secrecy. -SSL Certificate Recommendations +SSL certificate recommendations ------------------------------- Regardless of where you choose to purchase your SSL cert and which CA @@ -225,7 +225,7 @@ This will potentially leak information about sources to third parties, which can more easily be accessed by law enforcement agencies. Simply copy them to your server and serve them yourself to avoid this problem. -Do Not Use Third-Party Analytics, Tracking, or Advertising +Do not use third-party analytics, tracking, or advertising ---------------------------------------------------------- Most news websites, even those that are non-profits, use third-party analytics 
@@ -251,7 +251,7 @@ services intercept requests between a potential source and the SecureDrop .. _`track`: https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions -Do Not Hyperlink .onion Addresses +Do not hyperlink .onion addresses --------------------------------- Because a visitor to your *Landing Page* may not be using Tor Browser yet, clicking a link to your SecureDrop instance or to any other .onion address may @@ -275,7 +275,7 @@ text below to provide maximum clarity: :: .. warning:: This is a strict requirement for inclusion in the SecureDrop Directory -Avoid Direct Links to SecureDrop.org +Avoid direct links to securedrop.org ------------------------------------ We appreciate that you may want to link to `the SecureDrop website `__ @@ -292,7 +292,7 @@ plain text, without a hyperlink (as per the preceding section): .. warning:: This is a strict requirement for inclusion in the SecureDrop Directory -Apply Security Headers +Apply security headers ---------------------- Security headers give instructions to the web browser on how to handle @@ -339,7 +339,7 @@ If you intend to run nginx as your webserver instead, this will work: add_header Permissions-Policy "camera 'none'; display-capture 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none';"; -Additional Apache Configuration +Additional apache configuration ------------------------------- To enforce HTTPS/SSL always, you need to set up redirection within the @@ -439,7 +439,7 @@ In nginx, logging can be disabled by adding the following directives within the error_log /dev/null; -Further Security Considerations +Further security considerations ------------------------------- To guard your *Landing Page* against being modified by an attacker and diff --git a/docs/admin/deployment/onboard_journalists.rst b/docs/admin/deployment/onboard_journalists.rst index 643651a2d..b3526c16e 100644 --- a/docs/admin/deployment/onboard_journalists.rst 
+++ b/docs/admin/deployment/onboard_journalists.rst @@ -1,4 +1,4 @@ -Onboard Journalists +Onboard journalists =================== At this point, the only person who has access to the system is the @@ -20,6 +20,7 @@ can log in and access submissions. :start-after: .. _Adding Users: :end-before: .. _Passphrases_and_two-factor_resets: -Verify Journalist Setup +Verify journalist setup ----------------------- +.. TODO diff --git a/docs/admin/deployment/onion_name.rst b/docs/admin/deployment/onion_name.rst index 4e6e41a42..564f38ec6 100644 --- a/docs/admin/deployment/onion_name.rst +++ b/docs/admin/deployment/onion_name.rst @@ -1,7 +1,7 @@ -Getting An Onion Name for Your SecureDrop +Getting an onion name for your SecureDrop ----------------------------------------- -What Are Onion Names? +What are onion names? ^^^^^^^^^^^^^^^^^^^^^ Onion names are short, memorable addresses that visitors can use to access an @@ -20,7 +20,7 @@ The general format for a SecureDrop onion name is: ``.securedrop.tor.onion`` -How They Work +How they work ^^^^^^^^^^^^^ Onion names are supported in the desktop version of Tor Browser (introduced @@ -39,7 +39,7 @@ in some form. The underlying implementation and the address format may change in future iterations of this feature. To the extent that any changes are required, we will reach out to coordinate them with you. -Getting An Onion Name +Getting An onion name ^^^^^^^^^^^^^^^^^^^^^ Freedom of the Press Foundation maintains onion names for SecureDrop instances @@ -62,7 +62,7 @@ in our documentation. If you are already part of the SecureDrop directory and would like an Onion Name, :ref:`please contact us.` -Does This Replace the Original Address? +Does This Replace the original address? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ No, the onion name is only a human-friendly name for the full-length address. 
@@ -77,7 +77,7 @@ the onion name fail to load for any reason. Please note that the desktop version of Tor Browser is needed to access onion names, which is also generally our security recommendation. -Updating an Onion Name +Updating an onion name ^^^^^^^^^^^^^^^^^^^^^^ If you wish to change or retire your Onion Name, please reach out to the @@ -88,7 +88,7 @@ possible, so we can schedule the Onion Name update on the same day. In any event, we will attempt to respond to any update request within 2 business days. -Revoking Onion Names +Revoking onion names ^^^^^^^^^^^^^^^^^^^^ Onion names are tied to inclusion in the SecureDrop Directory. We may diff --git a/docs/admin/deployment/sample_privacy_policy.rst b/docs/admin/deployment/sample_privacy_policy.rst index 98d7f5a5c..555bc5a73 100644 --- a/docs/admin/deployment/sample_privacy_policy.rst +++ b/docs/admin/deployment/sample_privacy_policy.rst @@ -1,6 +1,6 @@ .. _Sample Privacy Policy: -Sample SecureDrop Privacy Policy +Sample SecureDrop privacy policy ================================ **[DATE]** @@ -12,7 +12,7 @@ help of Freedom of the Press Foundation. Please read this privacy policy carefully. It explains what information what type of information SecureDrop does and does not collect, and why. -Collection of Information From Sources +Collection of information from sources -------------------------------------- * We don’t ask or require you to provide any personally identifying information @@ -47,7 +47,7 @@ Our policy is to scrub metadata from the files we receive through SecureDrop before publication. If you don’t want to send us metadata, please use the Metadata Anonymization Toolkit to scrub the file before you submit it. -Collection of Information About Journalists’ Use of SecureDrop +Collection of information about journalists’ use of SecureDrop -------------------------------------------------------------- **[MEDIA ORG]** collects information about journalists’ use of SecureDrop for 
@@ -59,7 +59,7 @@ date and time of each session. We retain these access logs for **[___]** days, and then delete them. -Data Security +Data security ------------- **[MEDIA ORG]** works diligently to protect the identities of our sources and @@ -72,14 +72,14 @@ However, no one can truly guarantee 100% security of any system. Like all software, SecureDrop may contain bugs. Ultimately, you use the SecureDrop service at your own risk. -Children Under 13 +Children under 13 ----------------- The Children’s Online Privacy Protection Act restricts our ability to collect personal information from children under 13. This site is not directed to children 12 or younger. -Changes to This Policy +Changes to this policy ---------------------- We may revise this Privacy Policy from time to time. The most current version diff --git a/docs/admin/deployment/ssh_over_local_net.rst b/docs/admin/deployment/ssh_over_local_net.rst index 9da9575c6..9d818364c 100644 --- a/docs/admin/deployment/ssh_over_local_net.rst +++ b/docs/admin/deployment/ssh_over_local_net.rst @@ -1,4 +1,4 @@ -SSH Over Local Network +SSH over local network ====================== Under a production installation post-install, the default way to gain SSH @@ -27,7 +27,7 @@ network instead please continue to read. .. _ssh_over_local: -Configuring SSH for Local Access +Configuring SSH for local access -------------------------------- .. warning:: It is important that your firewall is configured adequately if you diff --git a/docs/admin/deployment/tor_pow.rst b/docs/admin/deployment/tor_pow.rst index 8e66076ce..f51dbbdbf 100644 --- a/docs/admin/deployment/tor_pow.rst +++ b/docs/admin/deployment/tor_pow.rst @@ -1,4 +1,4 @@ -Tor Proof-of-Work Defense on the *Source Interface* +Tor proof-of-work defense on the *Source Interface* =================================================== The SecureDrop *Source Interface* is served as an onion service with an 
diff --git a/docs/admin/deployment/whole_site_changes.rst b/docs/admin/deployment/whole_site_changes.rst index d0edee15f..b22764b07 100644 --- a/docs/admin/deployment/whole_site_changes.rst +++ b/docs/admin/deployment/whole_site_changes.rst @@ -1,4 +1,4 @@ -Whole Site Changes +Whole site changes ================== Ideally, some or all of the following changes are made to improve the diff --git a/docs/admin/deployment/yubikey_setup.rst b/docs/admin/deployment/yubikey_setup.rst index 23fe679ff..c23c1c23f 100644 --- a/docs/admin/deployment/yubikey_setup.rst +++ b/docs/admin/deployment/yubikey_setup.rst @@ -21,7 +21,7 @@ Tool; for this, you require `a key that can support OATH-HOTP`_. .. _`a key that can support OATH-HOTP`: https://support.yubico.com/hc/en-us/articles/360016614780-OATH-HOTP-Yubico-Best-Practices-Guide -Download and Launch the YubiKey Personalization Tool +Download and launch the YubiKey personalization tool ---------------------------------------------------- #. Start Tails. At the log in-screen, choose the option to allow an @@ -43,7 +43,7 @@ Download and Launch the YubiKey Personalization Tool yubikey-personalization-gui -Setting Up Hardware-Based Codes +Setting up hardware-based codes ------------------------------- After opening the personalization tool, click the heading @@ -83,7 +83,7 @@ top of the window. |YubiKey Config Successful| -Adding Users +Adding users ------------ When adding new users, a SecureDrop admin will need the @@ -93,7 +93,7 @@ selecting the **I'm Using a YubiKey** option while :ref:`adding users being added to the system. This means that the new user and the admin should be physically present for this process. -Using Your YubiKey +Using your YubiKey ------------------ When using a Yubikey to log-in to the *Journalist Interface*, insert diff --git a/docs/admin/installation/apply_sdw.rst b/docs/admin/installation/apply_sdw.rst index 7a9116135..1f815dfbb 100644 --- a/docs/admin/installation/apply_sdw.rst 
+++ b/docs/admin/installation/apply_sdw.rst @@ -1,11 +1,11 @@ -Apply Configuration to *Admin Workstation* +Apply configuration to *Admin Workstation* ===================================================== With the servers installed and configured, the final step is to install the SecureDrop Application on the *Admin Workstation* and fully configure the machine. .. _install_configure_securedrop_app: -Install and Configure the SecureDrop App +Install and configure the SecureDrop app ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - These steps should be performed from a ``dom0`` terminal. **Start a dom0 terminal** via |qubes_menu| **▸** |qubes_menu_gear| **▸ Other Tools ▸ Xfce Terminal**. @@ -20,8 +20,8 @@ Install and Configure the SecureDrop App This command will take a considerable amount of time and approximately 4GB of bandwidth, as it sets up multiple VMs and installs supporting packages. When the command finishes, reboot the machine to complete the installation. This SecureDrop Workstation is finally ready to use! -Test the Workstation -~~~~~~~~~~~~~~~~~~~~ +Test the *Admin Workstation* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The preflight updater will start automatically after logging into the system. Please follow the preflight updater's instructions. diff --git a/docs/admin/installation/create_admin_account.rst b/docs/admin/installation/create_admin_account.rst index 0c0238f1f..abaadb4af 100644 --- a/docs/admin/installation/create_admin_account.rst +++ b/docs/admin/installation/create_admin_account.rst @@ -1,4 +1,4 @@ -Create an Admin Account on the *Journalist Interface* +Create an admin account on the *Journalist Interface* ===================================================== In order for any user (admin or journalist) to access the diff --git a/docs/admin/installation/email_alerts.rst b/docs/admin/installation/email_alerts.rst index cd1797c8f..2f2ee0175 100644 --- a/docs/admin/installation/email_alerts.rst +++ b/docs/admin/installation/email_alerts.rst 
@@ -5,7 +5,7 @@ SecureDrop sends different alerts by PGP-encrypted email. Before installing Secu .. _daily_journalist_alerts: -Optional: Daily Journalist alerts +Optional: daily journalist alerts ------------------------------------------- When a SecureDrop has little activity and receives only a few submissions every other week, checking daily only to find there is nothing is a burden. It is more convenient for journalists to be notified daily via encrypted email about whether or not there has been submission activity in the past 24 hours. @@ -68,7 +68,7 @@ You must specify the email and GPG public key that you'll be using to receive al This could be your work email, or an alias for a group of IT admins at your organization. It helps for your mail client to have the ability to filter the numerous messages from OSSEC into a separate folder. -SMTP Relay +SMTP relay ~~~~~~~~~~ Receiving email alerts from OSSEC requires that you have an SMTP relay to route the emails. You can use an SMTP relay hosted internally, if one is available to you, or you can use a :ref:`third-party SMTP relay such as diff --git a/docs/admin/installation/firewall_opnsense.rst b/docs/admin/installation/firewall_opnsense.rst index 3667d007c..5176aad4a 100644 --- a/docs/admin/installation/firewall_opnsense.rst +++ b/docs/admin/installation/firewall_opnsense.rst @@ -1,9 +1,9 @@ .. _firewall_opnsense: -Setting Up An OPNSense Network Firewall +Setting up an OPNSense network firewall ======================================= -Before You Begin +Before you begin ---------------- First, consider how the firewall will be connected to the Internet. You will need to provision several unique subnets, which should not conflict @@ -51,7 +51,7 @@ values before continuing. - Monitor Gateway: ``10.20.3.1`` - Monitor Server (OPT2) : ``10.20.3.2`` -Initial Configuration +Initial configuration --------------------- Unpack the firewall, connect the power, and power on the device. 
@@ -59,7 +59,7 @@ Unpack the firewall, connect the power, and power on the device. We will use the OPNSense Web GUI to do the initial configuration of the network firewall. -Connect to the OPNSense Web GUI +Connect to the OPNSense web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #. If you have not already done so, boot the *Admin Workstation* into @@ -127,7 +127,7 @@ displayed. You should not step through it at this point, however, as there are other tasks to complete. To exit, click the OPNSense logo in the top left corner of the screen. -Set a Strong Password +Set a strong password ~~~~~~~~~~~~~~~~~~~~~ Navigate to **System ▸ Access ▸ Users** and click the edit button for the ``root`` @@ -136,7 +136,7 @@ a strong passphrase with KeePassXC and saving it in the Tails Persistent folder the provided KeePassXC database template. Two-factor authentication will be enabled in a later step. -Set Alternate Hostnames +Set alternate hostnames ~~~~~~~~~~~~~~~~~~~~~~~ Before you can set up the hardware firewall, you will need to set the @@ -151,7 +151,7 @@ default values), separated by a space. Finally, scroll to the bottom of the page and click **Save**. -Configure Interfaces Via The Setup Wizard +Configure interfaces via the Setup Wizard ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To start the OPNSense Setup Wizard, navigate to **System ▸ Wizard** and click @@ -213,7 +213,7 @@ account using an OTP token and the passphrase you just set. Once you've logged in to the Web GUI, you are ready to continue configuring the firewall. -Connect Interfaces and Test +Connect interfaces and test ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now that the initial configuration is completed, you can connect the WAN @@ -238,7 +238,7 @@ to apply several updates in a row to get to the latest version. |OPNSense - no updates| -Enable Two-Factor Authentication +Enable two-factor authentication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OPNSense supports two-factor authentication (2FA) via mobile apps such as Google Authenticator 
@@ -301,7 +301,7 @@ select ``TOTP Local`` and deselect ``Local Database.``. Click **Save**. |OPNSense - totp server| -Disable DHCP on the Firewall +Disable DHCP on the firewall ---------------------------- OPNSense runs a DHCP server on the LAN interface by default. At this @@ -312,7 +312,7 @@ In order to tighten the firewall rules as much as possible, we recommend disabling the DHCP server and assigning a static IP address to the Admin Workstation instead. -Disable DHCP Server on the LAN Interface +Disable DHCP server on the LAN interface ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To disable DHCP, navigate to **Services ▸ DHCPv4 ▸ [LAN]** in the Web GUI. @@ -321,7 +321,7 @@ and click **Save**. |OPNSense - Disable DHCP| -Assign a Static IP Address to the *Admin Workstation* +Assign a static IP address to the *Admin Workstation* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now you will need to assign a static IP to the *Admin Workstation*. @@ -366,7 +366,7 @@ change. You will need you have succeeded in connecting with your new static IP when you are able to connect using the Tor Connection assistant, and you see the message "Connected to Tor successfully". -Troubleshooting: DNS Servers and the Unsafe Browser +Troubleshooting: DNS servers and the Unsafe Browser ''''''''''''''''''''''''''''''''''''''''''''''''''' After saving the new network configuration, you may still encounter the @@ -386,7 +386,7 @@ to Tor successfully". For the next step, SecureDrop Configuration, you will manually configure the firewall for SecureDrop, using screenshots as a reference. -SecureDrop Configuration +SecureDrop configuration ------------------------ SecureDrop uses the firewall to achieve two primary goals: 
@@ -401,7 +401,7 @@ In order to use the firewall to isolate the *Application Server* and the *Monito Server* from each other, we need to connect them to separate interfaces, and then set up firewall rules that allow them to communicate. -Enable The OPT1 And OPT2 Interfaces +Enable the OPT1 and OPT2 interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The OPT1 and OPT2 interfaces will be used for the *Application Server* and *Monitor @@ -475,7 +475,7 @@ the recommended values). Click **Save**, then click **Apply changes** when prompted. -Configure Firewall Aliases +Configure firewall aliases ~~~~~~~~~~~~~~~~~~~~~~~~~~ In order to simplify firewall rule setup, the next step is to configure aliases @@ -534,13 +534,13 @@ When complete, the **Aliases** page should look like this: Scroll down and click **Apply** to save and apply your new aliases. -Configure Firewall Rules +Configure firewall rules ~~~~~~~~~~~~~~~~~~~~~~~~ Next, configure firewall rules for each interface. -Configure Firewall Rules on LAN +Configure firewall rules on LAN ''''''''''''''''''''''''''''''' First, navigate to **Firewall ▸ Rules ▸ LAN**. The LAN interface should have one automatically-generated anti-lockout rule in place, in addition to two default-allow rules. @@ -590,7 +590,7 @@ Settings ▸ Advanced**. Scroll down to the **Miscellaneous** section and check |OPNSense - Disable Antilockout| -Configure Firewall Rules On OPT1 +Configure firewall rules on OPT1 '''''''''''''''''''''''''''''''' Next, navigate to **Firewall ▸ Rules ▸ OPT1**. There should be no rules defined on this interface. Add the rules below: @@ -668,7 +668,7 @@ Once they match the screenshot below, click **Apply Changes**. |OPNSense Firewall OPT1 Rules| -Configure Firewall Rules On OPT2 +Configure firewall rules on OPT2 '''''''''''''''''''''''''''''''' Next, navigate to **Firewall ▸ Rules ▸ OPT2**. Similarly to OPT1, there should be no rules defined on this interface. Add the rules below until the rules in the Web GUI match those 
@@ -733,7 +733,7 @@ Finally, click **Apply Changes**. The *Network Firewall* configuration is now complete, allowing you to move to the next step: :doc:`setting up the servers. ` -Troubleshooting Tips +Troubleshooting tips -------------------- Here are some general tips for setting up OPNSense firewall rules: @@ -752,7 +752,7 @@ Here are some general tips for setting up OPNSense firewall rules: .. _Keeping OPNSense up to date: -Keeping OPNSense up to Date +Keeping OPNSense up to date --------------------------- Periodically, the OPNSense project maintainers release an update to the diff --git a/docs/admin/installation/firewall_pfsense.rst b/docs/admin/installation/firewall_pfsense.rst index 5e6cf1332..6662309e0 100644 --- a/docs/admin/installation/firewall_pfsense.rst +++ b/docs/admin/installation/firewall_pfsense.rst @@ -1,9 +1,9 @@ .. _firewall_pfsense: -Setting Up a pfSense Network Firewall +Setting up a pfSense network firewall ===================================== -Before You Begin +Before you begin ---------------- First, consider how the firewall will be connected to the Internet. You @@ -21,7 +21,7 @@ you will be able to connect from the LAN to the pfSense WebGUI configuration wizard, and from there you will be able to configure the network so it is working correctly. -Configuring Your Firewall +Configuring your firewall ~~~~~~~~~~~~~~~~~~~~~~~~~ Since our recommended firewalls have at least 4 NICs, we will refer to the @@ -60,7 +60,7 @@ IP and subnet definitions: - Monitor Gateway: ``10.20.3.1`` - Monitor Server (LAN3) : ``10.20.3.2`` -Initial Configuration +Initial configuration --------------------- Unpack the firewall, connect the power, and power on the device. 
@@ -68,7 +68,7 @@ Unpack the firewall, connect the power, and power on the device. We will use the pfSense WebGUI to do the initial configuration of the network firewall. -Connect to the pfSense WebGUI +Connect to the pfSense web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #. If you have not already done so, boot the *Admin Workstation* into @@ -133,7 +133,7 @@ Connect to the pfSense WebGUI .. _intentionally disables LAN access: https://gitlab.tails.boum.org/tails/tails/-/issues/7976 -Alternate Hostnames +Alternate hostnames ~~~~~~~~~~~~~~~~~~~ Before you can set up the hardware firewall, you will need to set the @@ -212,7 +212,7 @@ before except with the new passphrase you just set for the pfSense WebGUI. Once you've logged in to the WebGUI, you are ready to continue configuring the firewall. -Connect Interfaces and Test +Connect interfaces and test ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now that the initial configuration is completed, you can connect the WAN @@ -241,7 +241,7 @@ In order to tighten the firewall rules as much as possible, we recommend disabling the DHCP server and assigning a static IP address to the Admin Workstation instead. -Disable DHCP Server on the Firewall +Disable DHCP server on the firewall ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To disable DHCP, navigate to **Services ▸ DHCP Server** in the pfSense @@ -252,7 +252,7 @@ interface**, scroll down, and click the **Save** button. .. _assign_static_ip_to_workstation: -Assign a Static IP Address to the *Admin Workstation* +Assign a static IP address to the *Admin Workstation* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -298,7 +298,7 @@ change. You will need you have succeeded in connecting with your new static IP when you are able to connect using the Tor Connection assistant, and you see the message "Connected to Tor successfully". -Troubleshooting: DNS Servers and the Unsafe Browser +Troubleshooting: DNS servers and the Unsafe Browser ''''''''''''''''''''''''''''''''''''''''''''''''''' After saving the new network configuration, you may still encounter the @@ -318,7 +318,7 @@ to Tor successfully". For the next step, SecureDrop Configuration, you will manually configure the firewall for SecureDrop, using screenshots as a reference. -SecureDrop Configuration +SecureDrop configuration ------------------------ SecureDrop uses the firewall to achieve two primary goals: @@ -333,7 +333,7 @@ In order to use the firewall to isolate the *Application Server* and the *Monito Server* from each other, we need to connect them to separate interfaces, and then set up firewall rules that allow them to communicate. -Set Up the Firewall Rules +Set up the firewall rules ~~~~~~~~~~~~~~~~~~~~~~~~~ Since there are a variety of firewalls with different configuration interfaces @@ -344,7 +344,7 @@ The easiest way to set up your firewall rules is to look at the screenshots of a correctly configured firewall and edit the interfaces, aliases, and firewall rules on your firewall to match them. -Set Up LAN2 +Set up LAN2 ''''''''''' We set up the LAN[1] interface during the initial configuration. We now @@ -361,7 +361,7 @@ as the default. **Save** and **Apply Changes**. |LAN2| -Set Up LAN3 +Set up LAN3 ''''''''''' Next, you will have to enable the LAN3 interface. Go to @@ -377,7 +377,7 @@ as the default. **Save** and **Apply Changes**. |LAN3| -Use Screenshots of Firewall Configuration +Use screenshots of firewall configuration ''''''''''''''''''''''''''''''''''''''''' Here are some example screenshots of a working pfSense firewall 
@@ -447,7 +447,7 @@ message "The changes have been applied successfully". Once you've set up the firewall, exit the Unsafe Browser, and continue with the "Keeping pfSense up to date" section below. -Tips for Setting Up pfSense Firewall Rules +Tips for setting up pfSense firewall rules ------------------------------------------ Here are some general tips for setting up pfSense firewall rules: @@ -475,7 +475,7 @@ Here are some general tips for setting up pfSense firewall rules: .. _Keeping pfSense up to date: -Keeping pfSense up to Date +Keeping pfSense up to date -------------------------- Periodically, the pfSense project maintainers release an update to the diff --git a/docs/admin/installation/generate_submission_key.rst b/docs/admin/installation/generate_submission_key.rst index d4973c5e9..c72beb64e 100644 --- a/docs/admin/installation/generate_submission_key.rst +++ b/docs/admin/installation/generate_submission_key.rst @@ -18,7 +18,7 @@ stick, with persistence enabled. is intended to ensure that the private key is protected by the air-gap throughout its lifetime. -Create the Key +Create the key -------------- #. Navigate to **Apps ▸ System Tools ▸ Console** to open a terminal |Terminal|. diff --git a/docs/admin/installation/hardware.rst b/docs/admin/installation/hardware.rst index 91bf68dca..97b778294 100644 --- a/docs/admin/installation/hardware.rst +++ b/docs/admin/installation/hardware.rst @@ -9,7 +9,7 @@ successfully install and operate a SecureDrop instance, and recommends some specific components that we have found to work well. If you have any questions, please :doc:`contact the SecureDrop Support team `. -Hardware Overview +Hardware overview ----------------- .. _Required Hardware: 
@@ -47,6 +47,7 @@ Additionally, you may want to consider the following purchases: Advice for users on a tight budget ---------------------------------- + If you cannot afford to purchase new hardware for your SecureDrop instance, we encourage you to consider re-purposing existing hardware to use with SecureDrop. If @@ -67,7 +68,7 @@ determination is outside the scope of this document. .. _Hardware Recommendations: -Required Hardware +Required hardware ----------------- Servers @@ -324,7 +325,7 @@ laptop that we have directly tested (in that order); however, if none of those suit your needs, or if you want to see if your existing hardware might be Qubes compatible, the HCL is a good choice. -Network Firewall +Network firewall ^^^^^^^^^^^^^^^^ You will need one physical computer that is used as a dedicated firewall @@ -341,7 +342,7 @@ We recommend a 4 NIC network firewall and currently provide setup instructions f An acceptable alternative that requires more technical expertise is to :doc:`configure an existing hardware firewall `. -Two-factor Device +Two-factor device ^^^^^^^^^^^^^^^^^ Two-factor authentication is used when connecting to different parts of the SecureDrop system. Each admin and each journalist needs a two-factor @@ -355,7 +356,7 @@ device. We currently support two options for two-factor authentication: .. include:: ../../includes/otp-app.txt -USB Drives +USB drives ^^^^^^^^^^ Journalists need physical media (known as the *Export Device*) to copy submissions to their everyday workstation. 
@@ -393,13 +394,13 @@ buy drives accordingly. Drives that are physically larger are often easier to label (e.g. with tape, printed sticker or a label from a labelmaker). -Monitor, Keyboard, Mouse +Monitor, keyboard, mouse ^^^^^^^^^^^^^^^^^^^^^^^^ You will need these to do the initial installation of Ubuntu on the *Application* and *Monitor Servers*. -Optional Hardware +Optional hardware ----------------- This hardware is not *required* to run a SecureDrop instance, but most @@ -427,7 +428,7 @@ Driverless You may consult Apple's `list of printers that support AirPrint `_, Moipra's `list of certified products `_, or OpenPrinting's `list of printers supporting driverless printing `_. -USB Ports +USB ports ~~~~~~~~~ SecureDrop Workstation only supports printing over USB, so ensure the printer you select has a **USB port**. @@ -445,7 +446,7 @@ To maintain the isolation of SecureDrop Workstation, it is essential that your p * Use this printer exclusively with SecureDrop Workstation and do not connect it directly to other computers. -Backup Storage +Backup storage ^^^^^^^^^^^^^^ It's useful to run periodic backups of the servers in case of failure. We @@ -453,7 +454,7 @@ recommend buying an external hard drive to store server backups. .. include:: ../../includes/encrypting-drives.txt -Hardware End-of-Life +Hardware end-of-life -------------------- No matter what hardware you decide to use, it's important to be mindful of diff --git a/docs/admin/installation/install.rst b/docs/admin/installation/install.rst index e497d1317..bf1758512 100644 --- a/docs/admin/installation/install.rst +++ b/docs/admin/installation/install.rst 
@@ -5,7 +5,7 @@ Now that the servers are prepared, you are ready to install and configure the Se .. _test_connectivity: -Test Connectivity to Servers +Test connectivity to servers ---------------------------- Having set up the firewall, you can plug the *Application Server* and the *Monitor Server* into the firewall. Your *Admin Workstation* should also be connected to the firewall. @@ -28,7 +28,7 @@ Open a terminal in ``sd-admin`` and verify that you can SSH into both servers, a .. tip:: If you cannot connect, check the network firewall logs for clues. -Set Up SSH Keys +Set up SSH keys --------------- Ubuntu's default SSH configuration authenticates users with their @@ -81,7 +81,7 @@ or 'mon') as shown above. .. _configure_securedrop: -Prepare Configuration Files +Prepare configuration files --------------------------- Make sure you have the following information and files ready before @@ -122,7 +122,7 @@ parentheses. French to be available to read the documents and follow up in that language. -OSSEC Alerts Public Key +OSSEC alerts public key ----------------------- Before proceeding, you will need to copy the *OSSEC Alert Public Key* public key to @@ -204,7 +204,7 @@ The script will automatically validate the answers you provided and display error messages if any problems are detected. The answers will be written to the file ``~/.config/securedrop-admin/site-specific``. -Optional: Configuring fingerprint verification +Optional: configuring fingerprint verification ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you run your own mail server, you may wish to increase the security @@ -250,7 +250,7 @@ playbooks.) Save ``~/.config/securedrop-admin/site-specific`` and exit the edito .. _Install SecureDrop Servers: -Install SecureDrop Servers +Install SecureDrop servers -------------------------- Now you are ready to install! This process will configure 
diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index 93299a17f..d207be02f 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst @@ -1,12 +1,12 @@ -Installation Overview +Installation overview ===================== -Migrating from a Tails-Based SecureDrop +Migrating from a Tails-based SecureDrop --------------------------------------- If you are migrating from an older Tails-based SecureDrop, using the separate *Secure Viewing Station*, *Journalist Workstation* and *Admin Workstation* USB drives, then skip to the :ref:`Migration Overview`. -Setting Expectations +Setting expectations -------------------- SecureDrop is a technical tool. It is designed to protect journalists and sources, but no tool can guarantee safety. This guide will instruct you in installing and configuring SecureDrop, but it does not explain how to use it safely and effectively. Put another way: at the end of this guide, you will have built a car; you will not know how to drive. The :ref:`Deployment Guide ` contains best practices for working with SecureDrop. Make sure to read it after completing the installation. @@ -30,7 +30,7 @@ It is **critical** that you destroy this worksheet when your installation is com .. _`SecureDrop Installation Worksheet`: https://docs.google.com/a/freedom.press/document/d/18RMAzhx1XCgpmw366I8tItBXQTzkFy_i_D0c605DTS8/edit?usp=sharing -Technical Summary +Technical summary ----------------- This installation guide will walk you through the process of setting up 
@@ -64,7 +64,7 @@ Optionally: #. Prepare additional *Journalist Workstations* for use by journalists. #. Prepare encrypted USB *Export Drives*. -Minimum security requirements for a SecureDrop Workstation +Minimum security requirements for a *SecureDrop Workstation* ------------------------------------------------------------ .. TODO Clarify differences between Journalist and Admin Workstations diff --git a/docs/admin/installation/intro_for_admins.rst b/docs/admin/installation/intro_for_admins.rst index 9d144ea9f..0503cf275 100644 --- a/docs/admin/installation/intro_for_admins.rst +++ b/docs/admin/installation/intro_for_admins.rst @@ -1,4 +1,4 @@ -Introduction for SecureDrop Administrators +Introduction for SecureDrop administrators ========================================== SecureDrop servers are managed by a systems administrator. @@ -89,7 +89,7 @@ or via our `contact form `__. .. _manage_users: -Managing Users +Managing users -------------- Admins are responsible for managing user credentials and encouraging best practices. (See @@ -102,7 +102,7 @@ users. .. _manage_config: -Managing the System Configuration +Managing the system configuration --------------------------------- Admins are responsible for configuring and maintaining the system. Several tools @@ -118,13 +118,13 @@ are available to support this: .. _manage_updates: -Keeping the System Updated +Keeping the system updated -------------------------- The admin is responsible for ensuring that updates are applied to SecureDrop. Where possible, updates are applied automatically, but some update operations require manual intervention. -Updates: Servers +Updates: servers ^^^^^^^^^^^^^^^^ The admin should be aware of all SecureDrop updates and take any required manual action if requested in the `SecureDrop Release Blog`_ (`RSS feed`_). We also recommend registering with the `SecureDrop Support Portal`_ to stay apprised of upcoming releases. 
@@ -134,7 +134,7 @@ Most often, the SecureDrop servers will automatically update via ``apt``. Howeve .. _`SecureDrop Release Blog`: https://securedrop.org/news .. _`RSS Feed`: https://securedrop.org/news/feed -Updates: Network Firewall +Updates: network firewall ^^^^^^^^^^^^^^^^^^^^^^^^^ Given all traffic first hits the network firewall as it faces the non-Tor public network, the admin should ensure that critical security patches are applied to the firewall. @@ -151,14 +151,14 @@ No matter which vendor you go with, you should make it a priority to stay inform .. _`Netgate blog`: https://www.netgate.com/blog/ .. _`pfSense Upgrade Docs`: https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html -Updates: Workstations +Updates: workstations ^^^^^^^^^^^^^^^^^^^^^ SecureDrop Workstation includes an updater application that runs automatically on startup, checks for Qubes and SecureDrop updates, and prompts the user to apply them if found. Given the sensitive nature of the system, it is critical that updates are applied when available. Administrators should ensure that users are aware of this requirement, and should periodically check to ensure that the system is up to date. .. _monitoring_ossec: -Monitoring OSSEC Alerts +Monitoring OSSEC alerts ----------------------- SecureDrop uses OSSEC to monitor the servers for unusual activity caused by system configuration issues or security breaches. The admin should decrypt and read all OSSEC alerts. Report any suspicious events to FPF through the `SecureDrop Support Portal`_. See the :doc:`OSSEC Guide ` for more information on common OSSEC alerts. 
@@ -179,7 +179,7 @@ Release announcements and security advisories are posted to the `SecureDrop blog We strongly recommend :doc:`joining the SecureDrop support portal `. As a member of the support portal, you will receive email notifications related to all major announcements, and you can open tickets in case of technical issues. Membership is free of charge. -Installation Support +Installation support -------------------- Any organization can install SecureDrop for free and also make modifications because the project is open source. diff --git a/docs/admin/installation/network_firewall.rst b/docs/admin/installation/network_firewall.rst index 93a824575..456419884 100644 --- a/docs/admin/installation/network_firewall.rst +++ b/docs/admin/installation/network_firewall.rst @@ -1,4 +1,4 @@ -Set Up the Network Firewall +Set up the network firewall =========================== Now that you've set up your password manager, you can move on to setting up @@ -35,7 +35,6 @@ We currently recommend three firewalls in our :ref:`Hardware Guide `. -Configuration: Other Firewalls +Configuration: other firewalls ------------------------------ If you are using a firewall based on an OS not listed above, you should still set it up diff --git a/docs/admin/installation/passphrases.rst b/docs/admin/installation/passphrases.rst index af6f3e764..1655b0c73 100644 --- a/docs/admin/installation/passphrases.rst +++ b/docs/admin/installation/passphrases.rst @@ -1,4 +1,4 @@ -Passphrases Overview +Passphrases overview ==================== Each individual with a role (admin or journalist) at a given SecureDrop instance must generate and retain a number of strong, unique passphrases. The section is an overview of the passphrases, keys, two-factor secrets, and other credentials that are required for each role in a SecureDrop installation. 
@@ -60,7 +60,7 @@ to choosing one. .. _passphrase_best_practices: -Passphrase Best Practices +Passphrase best practices ------------------------- All SecureDrop users---Sources, Journalists, and Admins---are required to memorize at least one passphrase. This section describes best practices for passphrase management in the context of SecureDrop. @@ -90,13 +90,13 @@ All SecureDrop users---Sources, Journalists, and Admins---are required to memori so in the context of SecureDrop. -How to Generate a Strong, Unique Passphrase +How to generate a strong, unique passphrase ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We recommend using a unique, 7-word passphrase for each case described above. We encourage each end user to use KeePassXC, an easy-to-use password manager included in QubesOS, to generate and retain strong and unique passphrases. The SecureDrop installation includes a template that you can use to initialize this database, which will be explained when you set up your first :ref:`*Admin Workstation* `. -*Using KeePassXC to Generate a Passphrase* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Using KeePassXC to generate a passphrase +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To create a random passphrase using KeePassXC, launch the application, then click the **dice icon**. Then click the **Passphrase** tab and set the diff --git a/docs/admin/installation/prepare_sdw.rst b/docs/admin/installation/prepare_sdw.rst index 0435a2a36..a4af95bd0 100644 --- a/docs/admin/installation/prepare_sdw.rst +++ b/docs/admin/installation/prepare_sdw.rst @@ -32,7 +32,7 @@ A basic knowledge of the Qubes OS is helpful. .. _securedrop_workstation_preinstall_tasks: -Pre-install Tasks +Pre-install tasks ----------------- Apply BIOS updates and check settings 
@@ -234,7 +234,7 @@ Installing SecureDrop Workstation .. _download_rpm: -Download SecureDrop Workstation Packages +Download SecureDrop Workstation packages ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ First, you must configure the Qubes-Contrib repo, then download the SecureDrop Workstation packages. @@ -257,14 +257,14 @@ First, you must configure the Qubes-Contrib repo, then download the SecureDrop W .. _securedrop_workstation_install_securedrop-admin: -Install `securedrop-admin` Tooling +Install `securedrop-admin` tooling ---------------------------------- .. TODO .. _securedrop_workstation_generate_private_key: -Generate Submission Private Key +Generate submission private key ------------------------------- .. TODO diff --git a/docs/admin/installation/prepare_servers.rst b/docs/admin/installation/prepare_servers.rst index fef711218..12172e752 100644 --- a/docs/admin/installation/prepare_servers.rst +++ b/docs/admin/installation/prepare_servers.rst @@ -1,17 +1,17 @@ -Prepare the Servers +Prepare the servers =================== -Pre-Install Steps +Pre-install steps ----------------- -Upgrade the Server BIOS +Upgrade the server BIOS ~~~~~~~~~~~~~~~~~~~~~~~ Before beginning the installation process, you should upgrade your servers' BIOS to the most recent stable version available. This process will differ for each server make/model - if you are using one of the recommended NUC models, you can find instructions in :doc:`../maintenance/bios_server`. -Update BIOS Settings +Update BIOS settings ~~~~~~~~~~~~~~~~~~~~ Once the BIOS has been updated, you should boot into it again to disable any unused hardware, including: 
@@ -38,7 +38,7 @@ Install Ubuntu The SecureDrop *Application Server* and *Monitor Server* run **Ubuntu 24.04.3 LTS (Noble Numbat)**. To install Ubuntu on the servers, you must first download and verify the Ubuntu installation media. -Ubuntu Introduction +Ubuntu introduction ~~~~~~~~~~~~~~~~~~~ .. note:: Installing Ubuntu is simple and may even be something you are very familiar @@ -51,7 +51,7 @@ download and verify the Ubuntu installation media. .. _download_ubuntu: -Download the Ubuntu Installation Media +Download the Ubuntu installation media ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The installation media and the files required to verify it are available on the @@ -73,7 +73,7 @@ Alternatively, you can use the command line: .. _SHA256SUMS: https://releases.ubuntu.com/24.04/SHA256SUMS .. _SHA256SUMS.gpg: https://releases.ubuntu.com/24.04/SHA256SUMS.gpg -Verify the Ubuntu Installation Media +Verify the Ubuntu installation media ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You should verify the Ubuntu image you downloaded hasn't been modified by @@ -128,7 +128,7 @@ following output in your terminal. :: installation. If this happens, please contact us at securedrop@freedom.press. -Create the Ubuntu Installation Media +Create the Ubuntu installation media ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The `Ubuntu website `__ has detailed instructions on how to to create a bootable Ubuntu Server USB drive. @@ -145,7 +145,7 @@ to this page: With the Ubuntu Server install USB ready, you may now proceed to the installation. -Perform the Installation +Perform the installation ~~~~~~~~~~~~~~~~~~~~~~~~ The steps below are the same for both the *Application Server* and the 
@@ -171,7 +171,7 @@ After booting the Ubuntu image, select **Install Ubuntu Server**. Follow the steps to select your language, country and keyboard settings. Once that's done, let the installation process continue. -Configure the Network +Configure the network ~~~~~~~~~~~~~~~~~~~~~ On the **Network connections** screen, the installer will ask you to configure @@ -214,7 +214,7 @@ Select **Save** and press **Enter** to apply your settings. Then select **Done** The default values on the **Configure Proxy** and **Configure Ubuntu archive mirror** screens should not need to be changed. Select **Done** for both. -Continue Without Updating the Installer +Continue without updating the installer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With the network connection now active, the installer may alert you that a @@ -226,7 +226,7 @@ version. Select the **Continue without updating** option when prompted. -Full Disk Encryption - pros and cons +Full disk encryption - pros and cons ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The use of `Full Disk Encryption (FDE) @@ -300,7 +300,7 @@ for the administration account later in the installation process. Verify that **Allow password authentication over SSH** is selected, and choose **Done** to proceed. -Finish the Installation +Finish the installation ~~~~~~~~~~~~~~~~~~~~~~~ On the **Featured server snaps** screen, ensure that no snaps are selected and choose **Done** to start the server installation process. @@ -309,7 +309,7 @@ Once the server installation is complete, choose **Reboot Now** to reboot the sy .. _nuc8_back_to_setup: -Save the Configurations +Save the configurations ~~~~~~~~~~~~~~~~~~~~~~~ When you are done, make sure you save the following information: diff --git a/docs/admin/installation/provisioning_usb.rst b/docs/admin/installation/provisioning_usb.rst index 0324c5fbf..71bfa2cb3 100644 --- a/docs/admin/installation/provisioning_usb.rst +++ b/docs/admin/installation/provisioning_usb.rst 
@@ -1,4 +1,4 @@ -Provisioning Export USB devices +Provisioning export USB devices =============================== The *Journalist Workstation* supports the export of submissions from the SecureDrop App diff --git a/docs/admin/installation/set_up_keepassxc.rst b/docs/admin/installation/set_up_keepassxc.rst index 50f8b6635..344e4a143 100644 --- a/docs/admin/installation/set_up_keepassxc.rst +++ b/docs/admin/installation/set_up_keepassxc.rst @@ -1,6 +1,6 @@ .. _keepassxc_setup: -Using the KeePassXC Password Manager +Using the KeePassXC password manager ==================================== Qubes OS comes with the KeePassXC password manager preinstalled. As outlined in our :ref:`passphrase best practices`, we recommend all SecureDrop users, including administrators, use the KeePassXC password manager to generate and retain strong and unique passphrases. diff --git a/docs/admin/installation/test_the_installation.rst b/docs/admin/installation/test_the_installation.rst index 248d88298..7a054a30f 100644 --- a/docs/admin/installation/test_the_installation.rst +++ b/docs/admin/installation/test_the_installation.rst @@ -1,4 +1,4 @@ -Test the Installation +Test the installation ===================== Test Connectivity @@ -6,7 +6,7 @@ Test Connectivity .. TODO add testing Qubes, testing launching the SecureDrop application, logging in, syncing, test submission, etc. -SSH to Both Servers Over Tor +SSH to both servers over Tor ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Assuming you haven't disabled SSH over Tor, SSH access will be 
@@ -30,14 +30,14 @@ try using the verbose command format to troubleshoot: :: fields. The address is the first 56-character field, just add a ``.onion`` at the end. -Log in to Both Servers via TTY +Log in to both servers via TTY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ All access to the SecureDrop servers should be performed over SSH from the *Admin Workstation*. To aid in troubleshooting, login via a physical keyboard attached to the server is also supported. -Sanity-Check the Installation +Sanity-check the installation ----------------------------- On each server: @@ -56,7 +56,7 @@ On the *Application Server*: #. Check the AppArmor status with ``sudo aa-status``. On a production instance all profiles should be in ``enforce`` mode. -Test the Web Interfaces +Test the web interfaces ----------------------- #. Make sure the *Source Interface* is available, and that you can make a diff --git a/docs/admin/maintenance/backup_and_restore.rst b/docs/admin/maintenance/backup_and_restore.rst index 2f449ad23..d32d86d14 100644 --- a/docs/admin/maintenance/backup_and_restore.rst +++ b/docs/admin/maintenance/backup_and_restore.rst @@ -1,4 +1,4 @@ -Backing Up and Restoring Servers +Backing up and restoring servers ================================ Maintaining regular backups helps guard against data @@ -11,7 +11,7 @@ or losing previous submissions from sources. Interface* URLs. The *Monitor Server* needs to be configured from scratch in the event of a hardware migration. -Minimizing Disk Use +Minimizing disk use ------------------- Since the backup and restore operations both involve transferring *all* of @@ -56,10 +56,10 @@ contact us through the `SecureDrop Support Portal`_. .. _backing_up: -Backing Up +Backing up ---------- -Check Connectivity +Check connectivity '''''''''''''''''' Open a Terminal via **Apps ▸ System Tools ▸ Console** on your *Admin Workstation* and verify it is able to run Ansible and connect to 
@@ -72,7 +72,7 @@ the SecureDrop servers. If this command fails, see :ref:`Troubleshooting `. -Create the Backup +Create the backup ''''''''''''''''' When you are ready to begin the backup, run @@ -96,7 +96,7 @@ archive in the output of the backup command. dedicated encrypted backup USB. .. include:: ../../includes/backup-warning.txt -Restoring from a Backup +Restoring from a backup ----------------------- Prerequisites @@ -123,7 +123,7 @@ For other data recovery scenarios, see .. _restore_data: -Restoring a Backup on an Existing Instance +Restoring a backup on an existing instance '''''''''''''''''''''''''''''''''''''''''' To restore an existing instance to a previous state, run the command: @@ -141,7 +141,7 @@ SSH (if configured). .. _migrating: -Migrating Using a Backup +Migrating using a backup ------------------------- Moving a SecureDrop instance to new hardware involves: @@ -231,8 +231,8 @@ Moving a SecureDrop instance to new hardware involves: .. _repair_admin_usbs: -Repair Additional Admin Workstations -'''''''''''''''''''''''''''''''''''' +Repair additional *Admin Workstations* +'''''''''''''''''''''''''''''''''''''' If you have additional *Admin Workstation* USBs, they will no longer have valid SSH credentials and will need to be repaired. In these steps, the "primary @@ -306,12 +306,12 @@ process. .. _additional_restore_info: -Additional Information +Additional information ---------------------- .. _restore_preserve_tor_config: -Data-Only Restores +Data-only restores '''''''''''''''''' The ``restore`` command normally restores both the data and the Tor diff --git a/docs/admin/maintenance/bios_server.rst b/docs/admin/maintenance/bios_server.rst index 314230259..4a132edfc 100644 --- a/docs/admin/maintenance/bios_server.rst +++ b/docs/admin/maintenance/bios_server.rst @@ -1,4 +1,4 @@ -BIOS Updates on the Servers +BIOS updates on the servers =========================== Below are the steps for updating the BIOS on the *Application* and *Monitor 
@@ -10,25 +10,25 @@ instructions will vary depending on the manufacturer and model of your device. What you need ~~~~~~~~~~~~~ - #. A clean USB device to download the BIOS file + #. A clean USB drive to download the BIOS file #. An Internet-connected workstation, such as the *Admin Workstation* #. A UPS (uninterrupted power supply), such as a surge-protecting power supply with a backup battery (This is not required, but strongly recommended) #. A keyboard and monitor -Perform Backups +Perform backups ~~~~~~~~~~~~~~~ If you are updating the BIOS on an existing SecureDrop system, we recommend you :doc:`back up the Application Server ` before proceeding. -Prepare the USB Stick +Prepare the USB drive ~~~~~~~~~~~~~~~~~~~~~~~ -Using the Disks application, delete existing partitions on the USB device, if applicable, and reformat the entire device with one FAT32 partition. Note that you will lose access to all existing data on this USB stick. +Using the Disks application, delete existing partitions on the USB drive, if applicable, and reformat the entire device with one FAT32 partition. Note that you will lose access to all existing data on this USB drive. -Download and Verify Appropriate BIOS Files +Download and verify appropriate BIOS files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -For Intel and ASUS NUC Devices +For Intel and ASUS NUC devices `````````````````````````````` Check the make and model of your servers, and follow the F7 BIOS update method in the documentation. The exact instructions vary by model: diff --git a/docs/admin/maintenance/decommission.rst b/docs/admin/maintenance/decommission.rst index b98aea59a..9c7f10056 100644 --- a/docs/admin/maintenance/decommission.rst +++ b/docs/admin/maintenance/decommission.rst 
@@ -1,7 +1,7 @@ Decommission SecureDrop ======================= -Protecting, Moving, or Taking Down Your SecureDrop Instance +Protecting, moving, or taking down your SecureDrop instance ----------------------------------------------------------- If the location hosting your SecureDrop servers is going to be empty for @@ -49,7 +49,7 @@ location or elsewhere, is a matter of reconnecting the servers to the firewall, attaching a WAN connection that allows unfiltered access to Tor to the firewall WAN port, and powering everything on. -Permanently Decommissioning SecureDrop +Permanently decommissioning SecureDrop -------------------------------------- The following steps will guide you through the decommissioning of your diff --git a/docs/admin/maintenance/kernel_troubleshooting.rst b/docs/admin/maintenance/kernel_troubleshooting.rst index dd10cf8cf..52cad3319 100644 --- a/docs/admin/maintenance/kernel_troubleshooting.rst +++ b/docs/admin/maintenance/kernel_troubleshooting.rst @@ -1,4 +1,4 @@ -Troubleshooting Kernel Updates +Troubleshooting kernel updates ============================== Kernel updates address known bugs and security vulnerabilities in the Linux kernel. They may be installed automatically on your *Application* and *Monitor @@ -19,7 +19,7 @@ for keyboard logins in SecureDrop 0.8.0. You may have saved the password in the KeePassXC database on your *Admin Workstation*. If you do not have the password, you can boot into single user mode instead. -Boot into Single User Mode +Boot into single user mode ~~~~~~~~~~~~~~~~~~~~~~~~~~ .. |GRUB in default state| image:: ../../images/0.5.x_to_0.6/grub-in-default-state.png @@ -45,7 +45,7 @@ similar to the screenshot below. Press the "F10" key to boot. -Test the New Kernel +Test the new kernel ~~~~~~~~~~~~~~~~~~~ Observe the boot process. It is possible that the system will fail to 
@@ -66,7 +66,7 @@ If you are experiencing network issues or other kernel problems, we recommend that you roll back to an older kernel, and that you report the issue to us immediately. -Compare the Behavior of the Old Kernel +Compare the behavior of the old kernel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. |GRUB with advanced options selected| image:: ../../images/0.5.x_to_0.6/grub-with-advanced-options-selected.png @@ -96,7 +96,7 @@ Once you are logged in, check to see if you have network access. If you do, then your instance is having an issue with the newer kernel. In that case, we need to temporarily set an older kernel as the default. -Roll Back to the Old Kernel +Roll back to the old kernel ~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. important:: It is of critical importance for the security of your instance @@ -162,7 +162,7 @@ Please notify us of the compatibility issue so we can help you resolve it ASAP. .. _Report Compatibility Issues: -Report Compatibility Issues +Report compatibility issues ~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you have encountered issues with a kernel update, it is important @@ -194,7 +194,7 @@ resolve compatibility issues. .. _Test and Enable an Updated Kernel: -Test and Enable an Updated Kernel +Test and enable an updated kernel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you have changed your default kernel, we urge you to test an updated kernel as soon as it becomes available in a future SecureDrop release. Note that an diff --git a/docs/admin/maintenance/logging.rst b/docs/admin/maintenance/logging.rst index 84af7c7ba..cdaac6ac7 100644 --- a/docs/admin/maintenance/logging.rst +++ b/docs/admin/maintenance/logging.rst @@ -1,4 +1,4 @@ -Investigating Logs +Investigating logs ================== When troubleshooting issues with your SecureDrop instance, be sure to examine all relevant log files on both servers. To work with logs, it is helpful to be 
@@ -19,7 +19,7 @@ Logs to examine on both servers including iptables configuration problems or Tor network issues. Use search patterns, e.g., search for "app Tor" to find log entries specific to Tor. -*Application Server* Logs +*Application Server* logs ------------------------- See the directory ``/var/log/apache2/*`` for web server access and error logs. @@ -64,7 +64,7 @@ If you encounter an application error, and you have not modified the application code, please be sure to `file an issue `_ or contact us via securedrop@freedom.press (`GPG encrypted `__). -*Monitor Server* Logs +*Monitor Server* logs --------------------- - ``/var/ossec/logs/ossec.log``: Examine this file to investigate problems with diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index bdb898122..56e1d6f4e 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -241,7 +241,7 @@ so far, you'll need to retrieve the following files and info: - OSSEC alert configuration details - (Optional) HTTPS configuration details -Retrieve GPG Public Keys +Retrieve GPG public keys ~~~~~~~~~~~~~~~~~~~~~~~~ Copy the *Submission Public Key* with the following commands: @@ -338,8 +338,8 @@ certificate key, and chain file. When prompted for the names of these files during the next step, you should specify them relative to the ``~/.config/securedrop-admin/`` directory, i.e. as ``ssl/mydomain.crt``. -Step 5: Configure and back up the Application Server -==================================================== +Step 5: Configure and back up the *Application Server* +====================================================== Next, configure the SecureDrop application using the files and info retrieved in the previous steps. To do so, connect to the Tor network on the diff --git a/docs/admin/maintenance/upgrade_guide.rst b/docs/admin/maintenance/upgrade_guide.rst index e41e771e5..f72f5d3b0 100644 
--- a/docs/admin/maintenance/upgrade_guide.rst +++ b/docs/admin/maintenance/upgrade_guide.rst @@ -1,2 +1,2 @@ -Upgrade Guide +Upgrade guide ============= diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index ee737aa77..ae04d9b82 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -1,4 +1,4 @@ -Migrating from a Tails-Based SecureDrop +Migrating from a Tails-based SecureDrop ======================================= Pre-install tasks: @@ -61,7 +61,7 @@ Configure SecureDrop Workstation Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and submission private key from your Tails-based *Secure Viewing Station* and *Journalist Workstation* USB drives. -Import Submission Private Key +Import *Submission Private Key* ----------------------------- In order to decrypt submissions, you will need a copy of the @@ -166,10 +166,10 @@ In order to copy a journalist's login credentials: - Close the application window and shut down the ``vault`` VM (using the Qube widget in the upper right panel). At this time, you can also re-enable the network connection using the network manager widget. -Manually Importing from Tails USB Drives +Manually importing from Tails USB drives ------------------------------------------------------ -Manually import Submission Private Key +Manually import *Submission Private Key* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If importing the submission key using ``sdw-admin --configure`` fails, you can also copy the submission key manually. diff --git a/docs/admin/migration/journalist_migration.rst b/docs/admin/migration/journalist_migration.rst index 418105df2..67559f4a0 100644 --- a/docs/admin/migration/journalist_migration.rst +++ b/docs/admin/migration/journalist_migration.rst 
@@ -1,4 +1,4 @@ -Migrating a Journalist Workstation +Migrating a *Journalist Workstation* ================================== .. TODO \ No newline at end of file diff --git a/docs/admin/migration/migration_overview.rst b/docs/admin/migration/migration_overview.rst index b50d62dd8..5415a8cae 100644 --- a/docs/admin/migration/migration_overview.rst +++ b/docs/admin/migration/migration_overview.rst @@ -1,4 +1,4 @@ -Migration Overview +Migration overview ================== .. _migration_overview: diff --git a/docs/admin/migration/removing_gpg_passphrase.rst b/docs/admin/migration/removing_gpg_passphrase.rst index ac1210e6e..bb6b6fef4 100644 --- a/docs/admin/migration/removing_gpg_passphrase.rst +++ b/docs/admin/migration/removing_gpg_passphrase.rst @@ -1,4 +1,4 @@ -Removing the Passphrase from a GPG Key +Removing the passphrase from a GPG key ====================================== GPG key files should not be passphrase-protected for use with SecureDrop Workstation. diff --git a/docs/admin/reference/admin_interface.rst b/docs/admin/reference/admin_interface.rst index b82ff2255..65c000bce 100644 --- a/docs/admin/reference/admin_interface.rst +++ b/docs/admin/reference/admin_interface.rst @@ -1,4 +1,4 @@ -The Admin Interface +The admin interface =================== The *Admin Interface* is an extended version of the *Journalist Interface*, that @@ -29,7 +29,7 @@ the :doc:`journalist guide <../../journalist/journalist>`. .. _User Management: -User Management +User management ^^^^^^^^^^^^^^^ You can use the *Admin Interface* to add and remove users, and to reset their @@ -38,7 +38,7 @@ upper right corner of the *Journalist Interface*. .. _Adding Users: -Adding Users +Adding users ------------ After logging in, you can add new user accounts for the journalists at your organization 
@@ -118,7 +118,7 @@ can keep their two-factor authentication device secure. .. _Passphrases_and_two-factor_resets: -Passphrases and Two-Factor Resets +Passphrases and two-factor resets --------------------------------- .. warning:: Both of these operations will lock a user out of their @@ -159,12 +159,12 @@ To reset two-factor authentication: #. Follow the on-screen instructions to complete the process and verify their new two-factor authentication credentials. -Off-boarding Users +Off-boarding users ------------------ See :doc:`our guide to off-boarding users from SecureDrop `. -Instance Configuration +Instance configuration ^^^^^^^^^^^^^^^^^^^^^^ The Instance Configuration section of the *Admin Interface* allows you to: @@ -173,7 +173,7 @@ The Instance Configuration section of the *Admin Interface* allows you to: * set submission preferences for the *Source Interface* * send test OSSEC alerts. -Updating the Organization Name +Updating the organization name ------------------------------ Your organization name is used in page titles and logo ALT text on the @@ -183,7 +183,7 @@ To change it, enter your desired name in the Organization Name field and click .. _Updating Logo Image: -Updating the Logo Image +Updating the logo image ----------------------- You can update the system logo shown on the web interfaces of your SecureDrop @@ -204,7 +204,7 @@ in order to see the new one. .. _test-OSSEC-alert: -Testing OSSEC Alerts +Testing OSSEC alerts -------------------- To verify that the OSSEC monitoring system's functionality, you can send a test 
@@ -220,13 +220,13 @@ for information on troubleshooting steps. .. _submission prefs: -Submission Preferences +Submission preferences ---------------------- The Submission Preferences subsection allows you to restrict the types of submissions accepted by your instance. -Disabling Document Uploads +Disabling document uploads -------------------------- By default, SecureDrop supports both text submissions and document uploads. If you @@ -238,7 +238,7 @@ only want to receive text messages, you can disable uploads as follows: This change will be applied immediately on the *Source Interface*. Documents that were previously uploaded will still be available via the *Journalist Interface*. -Preventing Short Initial Messages +Preventing short initial messages --------------------------------- By default, SecureDrop does not apply a minimum length requirement to messages. If @@ -258,7 +258,7 @@ or to subsequent messages in the conversation. To remove the requirement, uncheck the checkbox and click **Update Submission Preferences**. -Preventing Initial Messages Containing the Source's Codename +Preventing initial messages containing the source's codename ------------------------------------------------------------ Sources should never need to share their seven-word codename with journalists. If diff --git a/docs/admin/reference/offboarding.rst b/docs/admin/reference/offboarding.rst index d28acb7f4..262e442c0 100644 --- a/docs/admin/reference/offboarding.rst +++ b/docs/admin/reference/offboarding.rst @@ -1,4 +1,4 @@ -Off-board Administrators and Journalists +Off-board administrators and journalists ======================================== When journalists and SecureDrop administrators leave your organization, it is 
@@ -48,7 +48,7 @@ Additional steps for off-boarding administrators .. _rotate_ssh_key: -Rotate SSH keys on the SecureDrop Servers +Rotate SSH keys on the SecureDrop servers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you are concerned that the user may have a copy of @@ -151,8 +151,10 @@ was in effect. - A *Transfer Device* (LUKS-encrypted USB drive) -On the Secure Viewing Station -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +On the *Secure Viewing Station* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. TODO remove this section, replace with instructions for key rotation on the SDW laptops #. From the *Secure Viewing Station* Apps Menu, choose **Accessories ▸ Kleopatra**, and select the *Submission Key* from the list of available diff --git a/docs/admin/reference/securedrop_admin.rst b/docs/admin/reference/securedrop_admin.rst index a694cd8ab..5a1b75113 100644 --- a/docs/admin/reference/securedrop_admin.rst +++ b/docs/admin/reference/securedrop_admin.rst @@ -22,7 +22,7 @@ You can list all available ``securedrop-admin`` actions using the command must take steps to manually synchronize any configuration changes made via ``securedrop-admin`` with each other. See `Managing Configuration Updates with Multiple Admins`_ -Updating the Server Configuration +Updating the server configuration --------------------------------- .. _update-system-configuration: @@ -60,7 +60,7 @@ In both cases, follow these steps: .. include:: ../../includes/rerun-install-is-safe.txt -Updating Localization for the *Source Interface* and the *Journalist Interface* +Updating localization for the *Source Interface* and the *Journalist Interface* ------------------------------------------------------------------------------- The *Source Interface* and *Journalist Interface* are translated in the following 
@@ -91,7 +91,7 @@ languages as needed. Locale changes will be applied after the next reboot. .. _multiple_admins: -Managing Configuration Updates with Multiple Admins +Managing configuration updates with multiple admins --------------------------------------------------- Organizations with multiple admins should set up a way to synchronize diff --git a/docs/admin/reference/ssh_access.rst b/docs/admin/reference/ssh_access.rst index a16adf8ef..31b5e982b 100644 --- a/docs/admin/reference/ssh_access.rst +++ b/docs/admin/reference/ssh_access.rst @@ -1,7 +1,7 @@ Logging in via SSH ================== -SSH Over Tor +SSH over tor ------------ By default, SSH access to SecureDrop servers is routed through the Tor network, allowing you to access the servers @@ -28,7 +28,7 @@ to the Tor network. .. _server SSH access: -Server SSH Access +Server SSH access ------------------ Generally, you should avoid directly SSHing into the servers in favor of using @@ -64,7 +64,7 @@ Shutting Down the Servers sudo shutdown now -h -Rebooting the Servers +Rebooting the servers ^^^^^^^^^^^^^^^^^^^^^ .. code:: sh @@ -73,7 +73,7 @@ Rebooting the Servers .. _investigating_logs: -Investigating Logs +Investigating logs ------------------ Consult our :doc:`Investigating Logs <../maintenance/logging>` topic guide for locations of the @@ -84,7 +84,7 @@ for how to enable error logging for the *Source Interface*. .. _immediate_update: -Immediately Apply a SecureDrop Update +Immediately apply a SecureDrop update ------------------------------------- SecureDrop will update and reboot once per day. However, once a SecureDrop @@ -113,10 +113,10 @@ into each server (via ``ssh app`` and ``ssh mon``) and run the following command .. _`is announced`: https://securedrop.org/news -Application Server ------------------- +*Application Server* +-------------------- -Adding Users (CLI) +Adding users (CLI) ^^^^^^^^^^^^^^^^^^ After the provisioning of the first admin account, we recommend 
@@ -127,7 +127,7 @@ However, you can also add users via ``./manage.py`` in ``/var/www/securedrop/`` as described :doc:`during first install <../installation/create_admin_account>`. You can use this command line method if the web application is unavailable. -Restart the Web Server +Restart the web server ^^^^^^^^^^^^^^^^^^^^^^ If you make changes to your Apache configuration, you may want to restart the @@ -195,8 +195,8 @@ server, their encrypted files may still exist in backups. We recommend that you delete old backup files with ``shred``, which is available on Tails. -Monitor Server --------------- +*Monitor Server* +---------------- Restart OSSEC ^^^^^^^^^^^^^ diff --git a/docs/admin/workstation_reference/backup.rst b/docs/admin/workstation_reference/backup.rst index 16ca5bd89..dea02d6e7 100644 --- a/docs/admin/workstation_reference/backup.rst +++ b/docs/admin/workstation_reference/backup.rst @@ -1,4 +1,4 @@ -Backup and Restore +Backup and restore ================== .. TODO possibly need distinct backup and restore instructions for Qubes-based Admin and Journalist Workstations? Possibly not? @@ -41,8 +41,8 @@ If you have made customizations to ``dom0`` (for example, custom RPC policy file mkdir ~/etc-qubes && cp -r /etc/qubes ~/etc-qubes mkdir ~/etc-qubes-rpc && cp -r /etc/qubes-rpc ~/etc-qubes-rpc -Back up SecureDrop Workstation -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Back up a SecureDrop Workstation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. note:: Backups contain sensitive data, and must be created and stored just as securely 
@@ -129,7 +129,7 @@ Example: If you wish to restore the ``vault`` VM, rename or delete the existing ``vault`` VM prior to restoring the backup. You can do so in |qubes_menu| **▸ Apps ▸ vault ▸ Settings** (the VM must not be running). -Restore Backup (SecureDrop Workstation components) +Restore backup (SecureDrop Workstation components) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Plug in your backup medium and unlock it as during the backup. By default on a new system, your peripheral devices will be managed by a VM called @@ -237,7 +237,7 @@ In a ``dom0`` terminal: qvm-run sd-gpg 'gpg --import /home/user/QubesIncoming/dom0/sd-keys.asc' -Restore Customized VMs, RPC Policies +Restore customized VMs, RPC policies ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ At this stage, you should have a functional SecureDrop Workstation. You may restore any additional @@ -250,7 +250,7 @@ will need to be moved into place from the ``$RESTORE_DIR``. Once you are finished with the ``$RESTORE_DIR`` and have verified that your system works (download, decrypt, sync), you may delete the ``$RESTORE_DIR``. -(Post-Migration Instructions) Destroy backup medium +(Post-migration instructions) Destroy backup medium ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wipe (reformat) the LUKS-encrypted storage device that you used to store SecureDrop Workstation diff --git a/docs/admin/workstation_reference/bios_workstation.rst b/docs/admin/workstation_reference/bios_workstation.rst index 67469e015..f0e2c4cbe 100644 --- a/docs/admin/workstation_reference/bios_workstation.rst +++ b/docs/admin/workstation_reference/bios_workstation.rst @@ -1,10 +1,10 @@ -BIOS Update Instructions +BIOS update instructions ==================================== .. _general_BIOS_update: -Automatic BIOS Updates +Automatic BIOS updates ---------------------- These instructions should work for many recent laptops, including the two ThinkPad models specifically included in our :doc:`../installation/hardware`. 
@@ -28,7 +28,7 @@ Once ``fwupd`` is installed, you can install available updates by running: fwupdmgr refresh fwupdmgr update -Manual BIOS Updates +Manual BIOS updates ------------------- If your laptop is not supported by ``fwupd``, you will need to consult the manual for your specific make and model to determine how to manually apply a BIOS update. The process will likely include downloading an update file, verifying its integrity, copying it to a USB drive, and then accessing an update menu within the BIOS settings. If you have a Thinkpad, refer to the instructions for :ref:`thinkpad_bios`. diff --git a/docs/admin/workstation_reference/managing_clipboard.rst b/docs/admin/workstation_reference/managing_clipboard.rst index e1b827bab..5f5641af9 100644 --- a/docs/admin/workstation_reference/managing_clipboard.rst +++ b/docs/admin/workstation_reference/managing_clipboard.rst @@ -1,4 +1,4 @@ -Managing Clipboard Access +Managing clipboard access ========================= Every VM in Qubes has its own clipboard, similar to the clipboard of a Mac, Windows or Linux computer. For example, if you used the default ``work`` VM to browse the web and wanted to copy text from one browser window to another, you would use the ``Ctrl+C`` and ``Ctrl+V`` keyboard shortcuts to copy and paste. This type of clipboard usage -- copy and paste in the same VM -- also works in all VMs that are part of a SecureDrop Workstation. diff --git a/docs/admin/workstation_reference/troubleshooting_updates.rst b/docs/admin/workstation_reference/troubleshooting_updates.rst index 25fc29c24..db7c5acc1 100644 --- a/docs/admin/workstation_reference/troubleshooting_updates.rst +++ b/docs/admin/workstation_reference/troubleshooting_updates.rst 
@@ -99,7 +99,7 @@ Note that ``dom0`` and ``apply_dom0`` are separate steps. security-sensitive, and may require a reboot to take effect. -Expired SecureDrop Signing Key +Expired SecureDrop signing key ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If the update fails after running ``sudo qubes-dom0-update`` as described diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index f0a64b0bd..f36370d7c 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -1,6 +1,8 @@ Glossary ======== +.. TODO add Admin Workstation and Journalist Workstation? + A number of terms used in this guide, and in the `SecureDrop workflow diagram `, are specific to SecureDrop. The list below attempts to enumerate and define these terms. diff --git a/docs/appendices/threat_model/dataflow.rst b/docs/appendices/threat_model/dataflow.rst index b9c6f2f76..e7ff4542d 100644 --- a/docs/appendices/threat_model/dataflow.rst +++ b/docs/appendices/threat_model/dataflow.rst @@ -1,4 +1,4 @@ -Data Flow Diagram +Data flow diagram ================= The following diagram captures all data flows to and from a SecureDrop deployment. diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index 4fc86a2ed..7cbeb1491 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst @@ -1,4 +1,4 @@ -Attacks and Countermeasures on the SecureDrop Environment +Attacks and countermeasures on the SecureDrop environment ========================================================= SecureDrop is a complex ecosystem comprised of various pieces of hardware, a 
@@ -15,26 +15,26 @@ around press freedoms. While these attack vectors are out of the scope of this document, they should be factored in to any organization’s threat model with regional and political specificity. -Application Code — SecureDrop Repository/Release +Application code — SecureDrop repository/release ------------------------------------------------ -Attacks to the Application Code — SecureDrop Repository/Release +Attacks to the application code — SecureDrop repository/release ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Malicious code introduced in SecureDrop repository - Malicious code introduced in SecureDrop release - Failure to encrypt submissions as they are written to disk -Countermeasures on the Application Code — SecureDrop Repository/Release +Countermeasures on the application code — SecureDrop repository/release ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Code (git tags) and releases (packages uploaded to apt) are signed with the airgapped signing key - Protection is placed on `main` and `develop` branch on GitHub - For SecureDrop Developers, two-factor authentication is mandated on GitHub - Community trust is built through 3 trusted code owners and code reviews -Application Code — *Source Interface* and *Journalist Interface* +Application code — *Source Interface* and *Journalist Interface* ---------------------------------------------------------------- -Attacks to the Application Code — *Source Interface* and *Journalist Interface* +Attacks to the application code — *Source Interface* and *Journalist Interface* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Configuration vulnerability in *Source* or *Journalist Interface* - Lack of segmentation between *Source* and *Journalist Interface* 
@@ -109,7 +109,7 @@ Attacks on the *Application Server* and *Monitor Server* - Attacker exploits postfix - Known vulnerabilities in the Linux kernel or packages used by app/mon servers -Countermeasures on Both *Application* and *Monitor Servers* +Countermeasures on both *Application* and *Monitor Servers* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Grsecurity/PaX linux patches prevent the exploitation of certain memory-corruption attacks - AppArmor profiles further reduce process capabilities through Mandatory Access Control 
@@ -118,19 +118,19 @@ Countermeasures on Both *Application* and *Monitor Servers* - *Journalist Interface* uses ATHS cookie - *Monitor Server* should only expose SSH via Tor Onion Service. All other traffic should be blocked by firewall -Countermeasures Unique to *Application Server* +Countermeasures unique to *Application Server* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - SecureDrop *Source* and *Journalist Interfaces* uses X-Frame-Options: DENY header - Browser Same Origin Policy should prevent the SecureDrop page from trivial modifications, but more complex attacks are mitigated via the X-Frame-Options: DENY HTTP header -Countermeasures Unique to *Monitor Server* +Countermeasures unique to *Monitor Server* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - OSSEC is used for intrusion detection/file integrity monitoring, and are sent to Admins via end-to-end encrypted email -SecureDrop Dependencies — Python, Tor, Linux Kernel, apt, Qubes, Ubuntu, or Hardware Firewall Vulnerabilities +SecureDrop dependencies — Python, Tor, Linux Kernel, apt, Qubes, Ubuntu, or hardware firewall vulnerabilities ------------------------------------------------------------------------------------------------------------- -Attacks on SecureDrop Dependencies +Attacks on SecureDrop dependencies ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Known vulnerabilities in Python or libraries used by SecureDrop - Known vulnerabilities in Tor (incl. Onion Service cryptography, authentication) 
@@ -145,27 +145,27 @@ Attacks on SecureDrop Dependencies - Tor Browser exploit - Vulnerabilities/Compromise of Hardware Firewall -Countermeasures Against Vulnerabilities in Python or Libraries +Countermeasures against vulnerabilities in Python or libraries ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - FPF performs vulnerability management for all Python packages used by SecureDrop - CI will run safety check to ensure dependencies do not have a CVE associated with the `version `__ -Countermeasures Against Vulnerabilities in Tor +Countermeasures against vulnerabilities in Tor ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A cron job ensures that automatic nightly security updates are applied for OS packages, including Tor - Grsecurity/PaX linux patches prevent the exploitation of certain memory-corruption attacks - AppArmor profiles further reduce process capabilities through Mandatory Access Control - Onion service authentication is used as a complementary authentication and only used for defense-in-depth/attack surface reduction -Countermeasures Against Malicious apt Installs +Countermeasures against malicious apt installs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - apt does GPG signature verification of all packages as long as it's not explicitly disabled -Countermeasures Against Malicious Qubes or Ubuntu ISOs +Countermeasures against malicious Qubes or Ubuntu ISOs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - SecureDrop :doc:`Admin Guide ` instructs Users/Admins to validate checksum/signatures of downloaded images -Countermeasures Against Vulnerabilities in the Hardware Firewall +Countermeasures against vulnerabilities in the hardware firewall ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - SecureDrop :doc:`Admin Guide ` informs administrators to update the hardware firewall and provides a very restrictive policy for accessing the administrative interface (blocked on app and mon ports of the firewall). 
- Alert emails are sent out to admins when there are critical pfSense vulnerabilities. @@ -175,7 +175,7 @@ Countermeasures Against Vulnerabilities in the Hardware Firewall Network Infrastructure — FPF Infrastructure or Organization Corporate Network ----------------------------------------------------------------------------- -Attacks on Network Infrastructure +Attacks on network infrastructure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Landing Page source control is compromised - Landing Page host is compromised @@ -195,7 +195,7 @@ Attacks on Network Infrastructure - SMTP relay compromised - Admin's network is monitored -Countermeasures in FPF Infrastructure +Countermeasures in FPF infrastructure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Builds are independently validated by multiple developers - Release files containing hashes (MD5, SHA1, SHA256, SHA512) of package file and package hashes are signed with an airgapped GPG key @@ -203,7 +203,7 @@ Countermeasures in FPF Infrastructure - SecureDrop updates are packaged in a .deb file and served through FPF's apt repo - Source code is validated/verified before packaging and signing the .deb -Countermeasures in News Organization Corporate Network +Countermeasures in news organization corporate network ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - SecureDrop environment should be strictly segregated from corporate environment - Most SecureDrop application traffic goes over Tor and as such is encrypted end-to-end @@ -214,7 +214,7 @@ Countermeasures in News Organization Corporate Network User Behavior and Hardware — SecureDrop Hardware Tampering or Failure in Operational Security --------------------------------------------------------------------------------------------- -Attacks on User Behavior or Hardware +Attacks on user behavior or hardware ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Journalist corporate workstation seized/tampered/compromised - Transfer device seized/stolen/lost 
@@ -225,7 +225,7 @@ Attacks on User Behavior or Hardware - Source shares that they are using SecureDrop/leaking documents - Journalist/Admin gets phished from a submission or otherwise breaks the SVS airgap with malware -Countermeasures in User Behavior Recommendations +Countermeasures in user behavior recommendations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - :doc:`Source Guide ` gives instructions on best practices for the entire submission workflow - Source interface banner suggests that user disables JS (high security settings in Tor Browser) diff --git a/docs/appendices/threat_model/threat_model.rst b/docs/appendices/threat_model/threat_model.rst index 74fdd91ab..fa7525f41 100644 --- a/docs/appendices/threat_model/threat_model.rst +++ b/docs/appendices/threat_model/threat_model.rst @@ -1,4 +1,4 @@ -Threat Model +Threat model ============ This document outlines the threat model for SecureDrop 0.3 and is @@ -113,7 +113,7 @@ Assumptions The following assumptions are accepted in the threat model of every SecureDrop project: -Assumptions About the Source +Assumptions about the source ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The source acts reasonably and in good faith, e.g. if the source were to give their credentials or private key material to the attacker that would be unreasonable. @@ -124,7 +124,7 @@ Assumptions About the Source for using SecureDrop. - The source is accessing an authentic SecureDrop site. -Assumptions About the Admin and the Journalist +Assumptions about the admin and the journalist ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The admin and the journalist act reasonably and in good faith, e.g. 
@@ -135,7 +135,7 @@ Assumptions About the Admin and the Journalist :doc:`guidelines ` for using SecureDrop and working with submitted documents. -Assumptions About the Person Installing SecureDrop +Assumptions about the person installing SecureDrop ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - This person (usually the admin) acts reasonably and in good faith, e.g. if they were @@ -147,13 +147,13 @@ Assumptions About the Person Installing SecureDrop up the :ref:`landing page ` for the organization, and for :doc:`installing SecureDrop `. -Assumptions About the Source's Computer +Assumptions about the source's computer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The computer correctly executes Tails or Tor Browser. - The computer is not compromised by malware. -Assumptions About the *Admin Workstation* and the *Journalist Workstation* +Assumptions about the *Admin Workstation* and the *Journalist Workstation* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The computer correctly executes Tails. @@ -161,14 +161,14 @@ Assumptions About the *Admin Workstation* and the *Journalist Workstation* - The two-factor authentication device used with the workstation are not compromised by malware. -Assumptions About the *Secure Viewing Station* +Assumptions about the *Secure Viewing Station* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The computer is airgapped. - The computer correctly executes Tails. - The computer and the Tails device are not compromised by malware. -Assumptions About the SecureDrop Hardware +Assumptions about the SecureDrop hardware ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The servers correctly execute Ubuntu, SecureDrop and its 
@@ -176,7 +176,7 @@ Assumptions About the SecureDrop Hardware - The servers, network firewall, and physical media are not compromised by malware. -Assumptions About the Organization Hosting SecureDrop +Assumptions about the organization hosting SecureDrop ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The organization wants to preserve the anonymity of its sources. @@ -190,7 +190,7 @@ Assumptions About the Organization Hosting SecureDrop requests to deanonymize sources, block document submissions, or hand over encrypted or decrypted submissions. -Assumptions About the World +Assumptions about the world ~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The security assumptions of RSA (4096-bit GPG and SSH keys) are @@ -204,7 +204,7 @@ Assumptions About the World Ubuntu, the Linux kernel, application packages, application dependencies are valid. -Other Assumptions or Factors +Other assumptions or factors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The level of press freedom may vary in both geography and time. @@ -232,10 +232,10 @@ Assets | system | | +------------------+----------+-------------------------------------------------+ -Implications of SecureDrop Area Compromise +Implications of SecureDrop area compromise ------------------------------------------ -What a Compromise of the *Application Server* Can Surrender +What a compromise of the *Application Server* can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The server sees the plaintext codename, used as the login identifier, @@ -269,7 +269,7 @@ What a Compromise of the *Application Server* Can Surrender - The server can connect to the *Monitor Server* using an SSH key and a passphrase. -What a Compromise of the *Monitor Server* Can Surrender +What a compromise of the *Monitor Server* can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The server stores the plaintext alerts on disk, data may also reside 
@@ -288,7 +288,7 @@ What a Compromise of the *Monitor Server* Can Surrender - The server can connect to the *Application Server* using an SSH key and a passphrase. -What a Compromise of the Workstations Can Surrender +What a compromise of the workstations can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The *Admin Workstation* requires Tails with a persistent volume, @@ -306,7 +306,7 @@ What a Compromise of the Workstations Can Surrender GPG key, as well as a :doc:`database with the passphrase ` for that key. -What a Compromise of the Source's Property Can Surrender +What a compromise of the source's property can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Use of `Tor Browser will leave @@ -339,7 +339,7 @@ What a Compromise of the Source's Property Can Surrender - See any replies from journalists that the source has not yet deleted. -What a Physical Seizure of the Source's Property Can Surrender +What a physical seizure of the source's property can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Document use of Tor or Tails, but not necessarily research into @@ -366,7 +366,7 @@ What a Physical Seizure of the Source's Property Can Surrender volume, password database, and two-factor authentication device will allow the attacker to access both servers and the *Journalist Interface*. -What Compromise of the Admin's Property Can Surrender +What compromise of the admin's property can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - To access the *Journalist Interface*, the *Application Server*, or the @@ -440,7 +440,7 @@ What Compromise of the Admin's Property Can Surrender which, assuming the attacker is able to escalate privileges, may affect the *Application Server*. -What a Physical Seizure of the Admin's Property Can Achieve +What a physical seizure of the admin's property can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Tamper with the hardware. 
@@ -453,7 +453,7 @@ What a Physical Seizure of the Admin's Property Can Achieve volume, password database, and two-factor authentication device will allow the attacker to access both servers and the *Journalist Interface*. -What a Compromise of the Journalist's Property Can Achieve +What a compromise of the journalist's property can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - To access the *Journalist Interface*, the attacker needs to obtain the @@ -487,7 +487,7 @@ What a Compromise of the Journalist's Property Can Achieve - If the journalist has admin privileges on SecureDrop, they can create new journalist accounts. -What a Physical Seizure of the Journalist's Property Can Achieve +What a physical seizure of the journalist's property can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Tamper with the hardware. @@ -501,7 +501,7 @@ What a Physical Seizure of the Journalist's Property Can Achieve persistent volume, password database, and two-factor authentication device will allow the attacker to access the *Journalist Interface*. -What a Compromise of the *Application Server* Can Achieve +What a compromise of the *Application Server* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - If the *Application Server* is compromised, the system user the @@ -545,7 +545,7 @@ What a Compromise of the *Application Server* Can Achieve not able to decrypt submissions or communications, unless the attacker has access to the encryption key required to do so. -What a Physical Seizure of the *Application Server* Can Achieve +What a physical seizure of the *Application Server* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - If the *Application Server* is seized, the attacker will be able to 
@@ -556,7 +556,7 @@ What a Physical Seizure of the *Application Server* Can Achieve information that resides in RAM. The attacker can also tamper with the hardware. -What a Compromise of the *Monitor Server* Can Achieve +What a compromise of the *Monitor Server* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - If the *Monitor Server* is compromised, the system user the attacker @@ -585,7 +585,7 @@ What a Compromise of the *Monitor Server* Can Achieve to decrypt encrypted email alerts, unless the attacker has access to the encryption key required to do so. -What a Physical Seizure of the *Monitor Server* Can Achieve +What a physical seizure of the *Monitor Server* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - If the *Monitor Server* is seized, the attacker will be able to view @@ -597,7 +597,7 @@ What a Physical Seizure of the *Monitor Server* Can Achieve have an effect on the quantity and accuracy of notifications sent to admins or journalists. -What a Compromise of the *Secure Viewing Station* Can Achieve +What a compromise of the *Secure Viewing Station* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The *Secure Viewing Station* is only useful to an attacker while @@ -621,7 +621,7 @@ What a Compromise of the *Secure Viewing Station* Can Achieve - Export the *Submission Private Key* key (unless there is a passphrase set). -What a Physical Seizure of the *Secure Viewing Station* Can Achieve +What a physical seizure of the *Secure Viewing Station* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The *Secure Viewing Station* is only useful to an attacker while 
@@ -642,8 +642,8 @@ What a Physical Seizure of the *Secure Viewing Station* Can Achieve decrypted form on the *Secure Viewing Station*, or if the *Export Device* is in use. -What a Local Network Attacker Can Achieve Against the Source, Admin, or Journalist: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +What a local network attacker can achieve against the source, admin, or journalist +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A local network can observe when they are using Tor. - A local network can block Tor and prevent them from accessing @@ -653,8 +653,8 @@ What a Local Network Attacker Can Achieve Against the Source, Admin, or Journali `research suggests this is very difficult `__. -What a Global Adversary Can Achieve Against the Source, Admin, or Journalist: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +What a global adversary can achieve against the source, admin, or journalist +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A global adversary capable of observing all Internet traffic may have more luck than the local network attacker in deducing use of @@ -671,7 +671,7 @@ What a Global Adversary Can Achieve Against the Source, Admin, or Journalist: to spoof an organization's HTTPS *Landing Page*, thereby tricking the source into visiting a fake SecureDrop site. -What a Random Person on the Internet Can Achieve +What a random person on the internet can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A random person can attempt to DoS the SecureDrop server and diff --git a/docs/appendices/training_schedule.rst b/docs/appendices/training_schedule.rst index 9abd8e5cb..0df2c4ab5 100644 --- a/docs/appendices/training_schedule.rst +++ b/docs/appendices/training_schedule.rst 
@@ -1,7 +1,7 @@ SecureDrop On-Site Training Schedule ==================================== -Who is This For? +Who is this for? ---------------- While SecureDrop is open source and available for anyone to install and set up, @@ -37,10 +37,10 @@ Installation may be started by admins ahead of schedule to save on-site time. - Follow :doc:`Installing SecureDrop ` -Day 2: Admin and Digital Security Training +Day 2: Admin and digital security training ------------------------------------------ -Admin Training +Admin training ~~~~~~~~~~~~~~ **Time**: 4+ hours @@ -75,7 +75,7 @@ Admin Training - :ref:`Deployment` guidelines -Digital Security 101 +Digital security 101 ~~~~~~~~~~~~~~~~~~~~ **Time**: 2 hours @@ -96,10 +96,10 @@ recipients and anyone else interested - Secure communication tools for colleagues and sources - Q & A -Day 3: Journalist Training and Onboarding +Day 3: Journalist training and onboarding ----------------------------------------- -Journalist Training, Part 1 +Journalist training, part 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ **Time**: 2.5 hours @@ -136,7 +136,7 @@ recipients and anyone else interested - Link to `security audits `__ - Q & A -Journalist Training, Part 2 +Journalist training, part 2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ **Time**: 1+ hours, depending on the number of journalists being onboarded diff --git a/docs/includes/backup-and-update-reminders.txt b/docs/includes/backup-and-update-reminders.txt index 55a90e499..a5f4d612a 100644 --- a/docs/includes/backup-and-update-reminders.txt +++ b/docs/includes/backup-and-update-reminders.txt @@ -1,4 +1,4 @@ -Back Up the Tails Workstations +Back Up the Tails workstations ------------------------------- USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and journalists, we recommend backing up 
@@ -9,7 +9,7 @@ You can use a single storage device for backups of multiple workstations. See our :doc:`Workstation Backup Guide <../admin/maintenance/backup_workstations>` for more information. -Apply Any Available Firewall Updates +Apply any available firewall updates ------------------------------------ As part of SecureDrop maintenance, we recommend checking for software updates for the hardware firewall, which may need to be applied manually. If diff --git a/docs/index.rst b/docs/index.rst index a71b7dd3c..eff8e2f19 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -18,7 +18,7 @@ If you would like to contribute to SecureDrop, please see our http://dftlffjdogaragaxkc6jqxpo77s7rrngimyoq7uuq3clowhmttblcoyd.onion/en/stable/. -Get Started +Get started ^^^^^^^^^^^ :doc:`I want to learn more about how SecureDrop works. ` @@ -172,7 +172,7 @@ Get Started appendices/threat_model/mitigations.rst appendices/training_schedule -Get Involved +Get involved ^^^^^^^^^^^^ SecureDrop is an open source project. If you would like to contribute diff --git a/docs/introduction/getting_support.rst b/docs/introduction/getting_support.rst index b5b5acb42..b6a31644e 100644 --- a/docs/introduction/getting_support.rst +++ b/docs/introduction/getting_support.rst @@ -1,6 +1,6 @@ .. _Getting Support: -Getting Support +Getting support =============== Whether you are interested in learning more about SecureDrop, looking for @@ -54,7 +54,7 @@ Freedom of the Press Foundation has several guides to using Signal: .. _community_support: -Community Based Support +Community based support ^^^^^^^^^^^^^^^^^^^^^^^ You can connect directly with the SecureDrop development team and the larger diff --git a/docs/introduction/what_is_securedrop.rst b/docs/introduction/what_is_securedrop.rst index d00e6a964..e24417fc6 100644 --- a/docs/introduction/what_is_securedrop.rst +++ b/docs/introduction/what_is_securedrop.rst 
@@ -23,7 +23,7 @@ news networks, which may be compromised. Another key feature of SecureDrop is that journalists can receive submissions from unknown sources without risking the security of their own machines and networks. -How It Works +How it works ------------ Sources and journalists connect to SecureDrop using the Tor network. The SecureDrop software is running on premises on dedicated infrastructure (two physical servers and a firewall). @@ -43,7 +43,7 @@ received and reviewed: :doc:`What makes SecureDrop Unique ` to read more about SecureDrop's approach to keeping sources safe. -User Roles +User roles -------------- There are three main user roles that interact with a SecureDrop instance: @@ -72,7 +72,7 @@ newsrooms, there may be a team of systems admins. The admin connects to the *Application* and *Monitor Servers* over `authenticated onion services `__, and manages them using `Ansible `__. -Project History +Project history --------------- The web application, which was originally called DeadDrop, was developed by @@ -92,7 +92,7 @@ project's early years at FPF, development was driven by James Dolan and Today, SecureDrop is maintained by a small full-time development team at FPF and a growing volunteer community. -Technology and Contributions +Technology and contributions ---------------------------- SecureDrop and SecureDrop Workstation are open source projects of @@ -173,10 +173,10 @@ organizations, Freedom of the Press Foundation will visit your offices, help set up SecureDrop and train journalists to use it. (For pro-bono support, we request that our travel costs are covered.) -Environment Overview +Environment overview -------------------- -Server Infrastructure +Server infrastructure ~~~~~~~~~~~~~~~~~~~~~ At SecureDrop's heart is a pair of servers: the *Application (“App”) Server*, 
@@ -200,7 +200,7 @@ and must be physically located on-site within your organization's premises. The servers connect to the network via a dedicated hardware firewall. -Application Environment +Application environment ~~~~~~~~~~~~~~~~~~~~~~~ The SecureDrop application environment consists of at least one laptop, @@ -213,7 +213,7 @@ in addition to the servers described above: Operation --------- -Planning & Preparation +Planning & preparation ~~~~~~~~~~~~~~~~~~~~~~ Setting up SecureDrop is a multi-step process. Before getting started, you @@ -230,7 +230,7 @@ If you need help, contact the `Freedom of the Press Foundation `__ who will be glad to help walk you through the process and make sure that you're ready to proceed. -Technical Setup +Technical setup ~~~~~~~~~~~~~~~ Once you are familiar with the architecture and have all the hardware, @@ -238,7 +238,7 @@ Once you are familiar with the architecture and have all the hardware, least a day's work for your admin. We recommend that you set aside at least a week to :ref:`complete and test ` your setup. -Provisioning & Training +Provisioning & training ~~~~~~~~~~~~~~~~~~~~~~~ Once SecureDrop is installed, journalists will need to be provided with @@ -254,7 +254,7 @@ multiple offices, training will need to happen at each location. Again, the `Freedom of the Press Foundation `__ are happy to help you plan and train your team. -Going Public +Going public ~~~~~~~~~~~~ Once you have a SecureDrop instance and your team knows how to use it, you 
@@ -268,10 +268,10 @@ SecureDrop *Landing Page* and our guide to .. |SecureDrop architecture highlevel overview diagram| image:: /diagrams/securedrop_overview_highlevel.png :width: 100% -Sharing Access +Sharing access -------------- -With Other Journalists In Your Organization +With other journalists in your organization ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While SecureDrop supports having multiple journalist accounts for the document interface, all accounts will access the same inbox. To avoid confusion, we @@ -279,7 +279,7 @@ recommend news organizations assign 1-3 journalists to regularly check SecureDrop and make sure that they all are in contact as to who is responsible for responding to each source. -With Other Organizations +With other organizations ~~~~~~~~~~~~~~~~~~~~~~~~ Currently you cannot use SecureDrop with multiple organizations for security diff --git a/docs/introduction/what_makes_securedrop_unique.rst b/docs/introduction/what_makes_securedrop_unique.rst index e53a9eb52..85ff0c3b4 100644 --- a/docs/introduction/what_makes_securedrop_unique.rst +++ b/docs/introduction/what_makes_securedrop_unique.rst @@ -1,11 +1,11 @@ -What Makes SecureDrop Unique? +What makes SecureDrop unique? ============================= SecureDrop attempts to solve or mitigate several problems journalists and sources have faced in recent legal investigations, attacks from state actors, and other threats to the confidentiality of communications. -No Third Parties that Can Secretly be Subpoenaed +No third parties that can secretly be subpoenaed ------------------------------------------------ For decades, there were very few leak prosecutions in the United States in large 
@@ -31,7 +31,7 @@ and sits on their property, so any legal order for information must go directly to the news organization rather than Google or AT&T. The news organization again has the power to contest the order or refuse to comply if they so wish. -Limits the Metadata Trail as Much as Possible +Limits the metadata trail as much as possible --------------------------------------------- In many leak cases, the metadata of a journalist's communications—where you’re @@ -57,7 +57,7 @@ In addition, sources cannot create a custom username that could reveal informati about them. Instead, SecureDrop automatically generates two random codenames, one to show to the source and another to the journalists using the system. -Encrypted and Air-Gapped +Encrypted and air-gapped ------------------------ Communications through SecureDrop are both encrypted in transit, so messages cannot @@ -69,7 +69,7 @@ In addition, the decryption key for SecureDrop submissions sits in an isolated virtual machine inside a hardened operating system that opens submissions in a temporary, non-networked environment. -Protects Against Hackers +Protects against hackers ------------------------ A 2014 study showed that 21 of the top 25 news organization had, at one time or @@ -86,7 +86,7 @@ protects sources against networks that are already compromised, as well as a new organization’s normal network from attacks that could potentially come through SecureDrop. -Free and Open Source Software +Free and open source software ----------------------------- 100% of SecureDrop’s code is free and open source. Not only does this mean anyone diff --git a/docs/journalist/submissions.rst b/docs/journalist/submissions.rst index 5cb556c2d..ce92c3bf1 100644 --- a/docs/journalist/submissions.rst +++ b/docs/journalist/submissions.rst @@ -1,4 +1,4 @@ -Working with Submissions +Working with submissions ======================== When a source submits files, you will see a Download button in the conversation 
@@ -25,7 +25,7 @@ decompresses the downloaded file. |screenshot_file_download_successful| -Viewing Submissions on the *Journalist Workstation* +Viewing submissions on the *Journalist Workstation* --------------------------------------------------- To view a downloaded submission, click its filename. This will open @@ -37,7 +37,7 @@ window title prefixed with "disp" (meaning disposable). This disposable VM is a special isolated environment; it does not have internet access, and isolates the files that you are viewing from other sensitive files and applications on the *Journalist Workstation*. -Supported Filetypes +Supported filetypes ~~~~~~~~~~~~~~~~~~~ The following filetypes are currently supported for viewing on the *Journalist Workstation*: @@ -59,7 +59,7 @@ A full list of supported filetypes can be found `here ` must be plugged into the computer's USB port. @@ -68,7 +68,7 @@ To print a document, a :doc:`compatible printer <../admin/installation/hardware> 2. You will prompted to attach your printer. 3. A Print Document dialog will appear, from which you can configure different print options before printing the document. -Exporting Submissions from the *Journalist Workstation* +Exporting submissions from the *Journalist Workstation* ------------------------------------------------------- .. important:: @@ -83,7 +83,7 @@ If you must copy a file from your **Journalist Workstation** to another computer These instructions assume that you are following the recommended workflow. If you are unsure, ask your administrator. -Exporting to an Export USB +Exporting to an export USB ~~~~~~~~~~~~~~~~~~~~~~~~~~ Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting submissions. 
@@ -116,7 +116,7 @@ Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting su you can safely unplug the USB drive. Alternatively, you can leave the drive plugged in and export additional files. -Decrypting and Preparing to Publish +Decrypting and preparing to publish ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. note:: @@ -153,12 +153,12 @@ audio, and begin publishing important, high-impact work! about encouraging sources to use SecureDrop. -Safely Working With Submissions Outside the *Journalist Workstation* +Safely working with submissions outside the *Journalist Workstation* -------------------------------------------------------------------- .. _malware_risks: -Risks From Malware +Risks from malware ~~~~~~~~~~~~~~~~~~ SecureDrop does not scan for or remove malware in submissions you receive. There are important steps you can take to protect yourself: diff --git a/docs/source/after_you_submit.rst b/docs/source/after_you_submit.rst index b28b6a76b..bf6ce36c3 100644 --- a/docs/source/after_you_submit.rst +++ b/docs/source/after_you_submit.rst @@ -1,7 +1,7 @@ -After You Submit +After you submit ================ -Continuing the Conversation +Continuing the conversation --------------------------- If you have already submitted a document and would like to check for diff --git a/docs/source/before_you_submit.rst b/docs/source/before_you_submit.rst index 0ff05aabb..8c94f5af2 100644 --- a/docs/source/before_you_submit.rst +++ b/docs/source/before_you_submit.rst @@ -1,14 +1,14 @@ -Before You Submit +Before you submit ================= -What NOT to Do +What NOT to do -------------- * DO NOT access SecureDrop on your employer's network. * DO NOT access SecureDrop using your employer's hardware. * DO NOT access SecureDrop on your home internet network. -Suggested Devices for Using SecureDrop +Suggested devices for using SecureDrop -------------------------------------- When sensitive disclosures such as government improprieties are involved, 
@@ -31,7 +31,7 @@ to avoid leaving traces of your activity on the computer's hard disk, in your ISP's logs, or on cloud services. -Choose the Right Location +Choose the right location ------------------------- Find a busy cafe you don’t regularly go to and sit at a place with your back @@ -81,7 +81,7 @@ making these decisions. .. _`Tails operating system`: https://tails.net/ .. _`@GetTor_bot on Telegram`: https://t.me/gettor_bot -Choose Who to Submit To +Choose who to submit to ----------------------- We recommend conducting all research related to your submission in Tor Browser. If you are unsure whether you are using Tor, you can visit the address diff --git a/docs/source/how_to_submit.rst b/docs/source/how_to_submit.rst index 9c64bfd92..f573e4f97 100644 --- a/docs/source/how_to_submit.rst +++ b/docs/source/how_to_submit.rst @@ -1,4 +1,4 @@ -How To Submit +How to submit ============= .. note:: @@ -17,7 +17,7 @@ How To Submit anonymity, you should not discuss your own use of it with others via unsafe methods, including email to Freedom of the Press Foundation. -Making Your First Submission +Making your first submission ---------------------------- Open Tor Browser and navigate to the .onion address for the SecureDrop you wish diff --git a/docs/source/source.rst b/docs/source/source.rst index c0677c46d..b76b98eba 100644 --- a/docs/source/source.rst +++ b/docs/source/source.rst @@ -1,4 +1,4 @@ -SecureDrop for Sources +SecureDrop for sources ====================== .. note:: From 2a76312838797ff5e20c94aa184449d13fcfdaa3 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Thu, 11 Jun 2026 10:19:11 -0400 Subject: [PATCH 03/24] fix underlines I missed --- docs/admin/installation/firewall_pfsense.rst | 2 +- docs/admin/migration/admin_migration.rst | 4 ++-- docs/admin/migration/journalist_migration.rst | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs/admin/installation/firewall_pfsense.rst b/docs/admin/installation/firewall_pfsense.rst index 6662309e0..9cf00f0b1 100644 --- a/docs/admin/installation/firewall_pfsense.rst +++ b/docs/admin/installation/firewall_pfsense.rst @@ -69,7 +69,7 @@ We will use the pfSense WebGUI to do the initial configuration of the network firewall. Connect to the pfSense web GUI -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #. If you have not already done so, boot the *Admin Workstation* into Tails using its designated USB drive. diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index ae04d9b82..6c483d07f 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -62,7 +62,7 @@ Configure SecureDrop Workstation Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and submission private key from your Tails-based *Secure Viewing Station* and *Journalist Workstation* USB drives. Import *Submission Private Key* ------------------------------ +------------------------------- In order to decrypt submissions, you will need a copy of the `Submission Private Key `_ @@ -170,7 +170,7 @@ Manually importing from Tails USB drives ------------------------------------------------------ Manually import *Submission Private Key* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If importing the submission key using ``sdw-admin --configure`` fails, you can also copy the submission key manually. diff --git a/docs/admin/migration/journalist_migration.rst b/docs/admin/migration/journalist_migration.rst index 67559f4a0..a65960f5b 100644 --- a/docs/admin/migration/journalist_migration.rst +++ b/docs/admin/migration/journalist_migration.rst 
@@ -1,4 +1,4 @@ Migrating a *Journalist Workstation* -================================== +==================================== .. TODO \ No newline at end of file From 4e808f442c2df82a44e9d2a7df1e69e2ab2fd61f Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Thu, 11 Jun 2026 10:57:39 -0400 Subject: [PATCH 04/24] App -> Inbox --- docs/admin/installation/apply_sdw.rst | 12 ++++++------ docs/admin/installation/installation_overview.rst | 2 +- docs/admin/installation/passphrases.rst | 2 +- docs/admin/installation/provisioning_usb.rst | 2 +- docs/admin/maintenance/rebuild_admin.rst | 2 +- .../admin/maintenance/troubleshooting_connection.rst | 2 +- .../workstation_reference/managing_clipboard.rst | 6 +++--- .../troubleshooting_updates.rst | 6 +++--- docs/appendices/glossary.rst | 2 +- docs/appendices/threat_model/mitigations.rst | 2 +- docs/introduction/securedrop_workstation.rst | 2 +- docs/journalist/ending_session.rst | 2 +- docs/journalist/starting_client.rst | 8 ++++---- 13 files changed, 25 insertions(+), 25 deletions(-) diff --git a/docs/admin/installation/apply_sdw.rst b/docs/admin/installation/apply_sdw.rst index 1f815dfbb..3ac6f95c4 100644 --- a/docs/admin/installation/apply_sdw.rst +++ b/docs/admin/installation/apply_sdw.rst 
@@ -1,12 +1,12 @@ Apply configuration to *Admin Workstation* ===================================================== -With the servers installed and configured, the final step is to install the SecureDrop Application on the *Admin Workstation* and fully configure the machine. +With the servers installed and configured, the final step is to install the SecureDrop Inbox on the *Admin Workstation* and fully configure the machine. .. _install_configure_securedrop_app: -Install and configure the SecureDrop app -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Install and configure SecureDrop Inbox +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - These steps should be performed from a ``dom0`` terminal. **Start a dom0 terminal** via |qubes_menu| **▸** |qubes_menu_gear| **▸ Other Tools ▸ Xfce Terminal**. @@ -27,7 +27,7 @@ The preflight updater will start automatically after logging into the system. Pl .. note:: - If you close the SecureDrop Client during your session, you can launch it again using the SecureDrop icon on the desktop. + If you close SecureDrop Inbox during your session, you can launch it again using the SecureDrop icon on the desktop. Once the update check is complete, the SecureDrop Client will launch. Log in using an existing journalist account and verify that sources are listed and submissions can be downloaded, decrypted, and viewed. 
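Review bot: the rename is incomplete in the apply_sdw.rst hunk at @@ -27,7. The note block now says "If you close SecureDrop Inbox", but the unchanged line directly after it still reads "Once the update check is complete, the SecureDrop Client will launch", so the page uses two names for the same program within a few lines. Suggest changing that sentence to "SecureDrop Inbox will launch" in this commit. The first hunk of the file also writes "install the SecureDrop Inbox" with an article while the new heading and the note drop it; pick one form and use it throughout.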
@@ -35,9 +35,9 @@ Once the update check is complete, the SecureDrop Client will launch. Log in usi Enable password copy and paste ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If you use KeePassXC in the ``vault`` VM to manage login credentials, you can enable the user to copy passwords to the SecureDrop Application using inter-VM copy and paste. While this is relatively safe, we recommend reviewing the section :doc:`Managing Clipboard Access ` of this guide, which goes into further detail on the security considerations for inter-VM copy and paste. +If you use KeePassXC in the ``vault`` VM to manage login credentials, you can enable the user to copy passwords to SecureDrop Inbox using inter-VM copy and paste. While this is relatively safe, we recommend reviewing the section :doc:`Managing Clipboard Access ` of this guide, which goes into further detail on the security considerations for inter-VM copy and paste. -The password manager runs in the networkless ``vault`` VM, and the SecureDrop Application runs in the ``sd-app`` VM. To permit this one-directional clipboard use, issue the following command in ``dom0``: +The password manager runs in the networkless ``vault`` VM, and the SecureDrop Inbox application runs in the ``sd-app`` VM. To permit this one-directional clipboard use, issue the following command in ``dom0``: .. code-block:: sh diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index d207be02f..f3a951f8d 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst 
@@ -41,7 +41,7 @@ During this process, you'll set up at least four devices: - *Admin Workstation*: A laptop running the QubesOS operating system configured as an *Admin Workstation*, that you use to install and administer SecureDrop on the servers via SSH. If necessary (i.e. in a small newsroom), the same *SecureDrop Workstation* used for administration may be used as a *Journalist Workstation* by journalists to decrypt, view, and export submitted documents. For a larger newsroom, you may set up additional *Journalist Workstations* as needed for journalist use. - *Application Server*: - An Ubuntu server running two segmented Tor hidden services. The source connects to the *Source Interface*, a public-facing Tor Onion Service, to send messages and documents to the journalist. The journalist connects to the *Journalist Interface*, an `authenticated Tor Onion Service `__, using the SeucreDrop Application on a *Journalist Workstation* to download encrypted documents and respond to sources. + An Ubuntu server running two segmented Tor hidden services. The source connects to the *Source Interface*, a public-facing Tor Onion Service, to send messages and documents to the journalist. The journalist connects to the *Journalist Interface*, an `authenticated Tor Onion Service `__, using SecureDrop Inbox on a *Journalist Workstation* to download encrypted documents and respond to sources. - *Monitor Server*: An Ubuntu server that monitors the *Application Server* with `OSSEC `__ and sends email alerts. - Network Firewall diff --git a/docs/admin/installation/passphrases.rst b/docs/admin/installation/passphrases.rst index 1655b0c73..06ccaa40f 100644 --- a/docs/admin/installation/passphrases.rst +++ b/docs/admin/installation/passphrases.rst 
@@ -38,7 +38,7 @@ And the admin will also have the following two credentials: Journalist ---------- -The journalist will be using a *Journalist Workstation* to view submissions with the SecureDrop Application. The tasks performed by the journalist will require the following set of passphrases: +The journalist will be using a *Journalist Workstation* to view submissions with SecureDrop Inbox. The tasks performed by the journalist will require the following set of passphrases: - The Qubes full disk encryption (FDE) password of the Journalist Workstation they use, required to unlock system storage on boot. - The Qubes system user password for the Journalist Workstation they use, required to log in. diff --git a/docs/admin/installation/provisioning_usb.rst b/docs/admin/installation/provisioning_usb.rst index 71bfa2cb3..5276c2773 100644 --- a/docs/admin/installation/provisioning_usb.rst +++ b/docs/admin/installation/provisioning_usb.rst @@ -1,7 +1,7 @@ Provisioning export USB devices =============================== -The *Journalist Workstation* supports the export of submissions from the SecureDrop App +The *Journalist Workstation* supports the export of submissions from the SecureDrop Inbox to a LUKS- or VeraCrypt-encrypted USB *Export Device*. Creating a LUKS-encrypted drive diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 56e1d6f4e..19a805e17 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst 
@@ -21,7 +21,7 @@ may be simpler. An outline of the steps involved in rebuilding an the shell admin account password. #. Set up SSH access for the new *Admin Workstation*. #. Retrieve SecureDrop configuration settings from the *Application* and *Monitor Server*. - #. Back up and configure the SecureDrop application. + #. Back up and configure the *Application Server*. #. Run ``securedrop-admin install`` and ``securedrop-admin localconfig`` from the new *Admin Workstation*. #. Configure SSH-over-TOR. diff --git a/docs/admin/maintenance/troubleshooting_connection.rst b/docs/admin/maintenance/troubleshooting_connection.rst index bced8f01c..4a2c8e831 100644 --- a/docs/admin/maintenance/troubleshooting_connection.rst +++ b/docs/admin/maintenance/troubleshooting_connection.rst @@ -151,7 +151,7 @@ Step 5: Restart ``sd-proxy`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Restart ``sd-proxy`` to attempt to restore connectivity: -1. Exit the SecureDrop Application if it is running. +1. Exit SecureDrop Inbox if it is running. 2. Click the Qubes Application menu |qubes_menu| icon in the system tray (top left). 3. Click **Run Qube Manager** 4. Right-click ``sd-proxy`` in the list of VMs. Click **Shutdown qube**. diff --git a/docs/admin/workstation_reference/managing_clipboard.rst b/docs/admin/workstation_reference/managing_clipboard.rst index 5f5641af9..1244001c9 100644 --- a/docs/admin/workstation_reference/managing_clipboard.rst +++ b/docs/admin/workstation_reference/managing_clipboard.rst 
@@ -13,7 +13,7 @@ As an administrator, you should be aware of the following risks related to clipb With these considerations in mind, there are use cases where clipboard access may be an important part of your regular use of SecureDrop Workstation. For example: -- You may want to copy passwords from a password manager to the SecureDrop App; +- You may want to copy passwords from a password manager to log into SecureDrop Inbox; - You may want to copy a message you received via SecureDrop into a secure messaging app like Signal, to share it with another journalist. To support these use cases, Qubes OS allows you to grant granular access to the ``sd-app`` clipboard (via the cross-VM clipboard) to selected VMs. @@ -21,7 +21,7 @@ To support these use cases, Qubes OS allows you to grant granular access to the Configuring clipboard access to ``sd-app`` ------------------------------------------ -The process for permitting the one-directional copying of passwords from a password manager in ``vault`` to the SecureDrop Application is :ref:`outlined in the installation docs `. In general, clipboard access to SecureDrop Workstation VMs is governed by *tags* that can be applied in ``dom0`` to selected VMs: +The process for permitting the one-directional copying of passwords from a password manager in ``vault`` to SecureDrop Inbox is :ref:`outlined in the installation docs `. In general, clipboard access to SecureDrop Workstation VMs is governed by *tags* that can be applied in ``dom0`` to selected VMs: - the tag ``sd-send-app-clipboard`` can be used to tag a VM that should be able to send its clipboard contents *to* ``sd-app`` via the cross-VM clipboard; - the tag ``sd-receive-app-clipboard`` can be used to tag a VM that should be able to receive its clipboard contents *from* ``sd-app`` via the cross-VM clipboard. 
@@ -54,7 +54,7 @@ The syntax for revoking a tag is as follows: As before, confirm the operation via the ``ls`` subcommand. -As an example, if you had a custom VM called ``work-signal`` that runs the Signal messenger, and you wanted to copy and paste messages from the SecureDrop Application *into* Signal (and potentially other applications in that VM) but not *out* of Signal into the SecureDrop App, you would issue the following commands: +As an example, if you had a custom VM called ``work-signal`` that runs the Signal messenger, and you wanted to copy and paste messages from SecureDrop Inbox *into* Signal (and potentially other applications in that VM) but not *out* of Signal into SecureDrop Inbox, you would issue the following commands: .. code-block:: sh diff --git a/docs/admin/workstation_reference/troubleshooting_updates.rst b/docs/admin/workstation_reference/troubleshooting_updates.rst index db7c5acc1..9332d61f5 100644 --- a/docs/admin/workstation_reference/troubleshooting_updates.rst +++ b/docs/admin/workstation_reference/troubleshooting_updates.rst @@ -5,7 +5,7 @@ After you log into Qubes, the preflight updater will prompt you to check for ava system updates at least once per day. If updates fail for any reason, the preflight updater will -not launch the SecureDrop Application until the +not launch SecureDrop Inbox until the underlying issue has been resolved. This is to ensure that the system is in a secure state before you interact with SecureDrop. @@ -15,7 +15,7 @@ interact with SecureDrop. displaying a failed update error message. The title reads "Security updates failed", and the message instructs the user to contact the administrator - to correct the error. The SecureDrop Application cannot + to correct the error. SecureDrop Inbox cannot be started until the error is corrected. The error displayed when the preflight updater 
@@ -324,7 +324,7 @@ If this does not resolve the issue: Step 4: Restart the updater ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Click the SecureDrop desktop icon to restart the updater. +Click the SecureDrop Inbox desktop icon to restart the updater. If all issues have been resolved, the updater should run to completion and display a success message. If the issue persists, please contact us for assistance. diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index f36370d7c..33668a982 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -10,7 +10,7 @@ The list below attempts to enumerate and define these terms. Application Server ------------------ -The *Application Server* runs the SecureDrop application. This server hosts both +The *Application Server* runs the SecureDrop server application. This server hosts both the website that sources access (the *Source Interface*) and the website that journalists access (the *Journalist Interface*). Both are published through an *onion service* because sources, journalists, and admins diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index 7cbeb1491..a24cf41fc 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst 
@@ -206,7 +206,7 @@ Countermeasures in FPF infrastructure Countermeasures in news organization corporate network ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - SecureDrop environment should be strictly segregated from corporate environment -- Most SecureDrop application traffic goes over Tor and as such is encrypted end-to-end +- Most SecureDrop traffic goes over Tor and as such is encrypted end-to-end - Alert emails to Journalists and Admins are GPG-encrypted (but not signed) to provide confidentiality - OSSEC alerts are scrubbed for sensitive contents (application data, server IPs) - Documented deployment best practices provide instructions to strengthen Landing Page security and privacy diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index ecf5b5b50..554e63a9e 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst @@ -181,7 +181,7 @@ in a timely manner, which can significantly worsen its security posture. In SecureDrop Workstation, any document received via SecureDrop is opened in a disposable VM that has no Internet access and no access to other files submitted via SecureDrop. The encryption keys are stored in a separate, networkless VM -from the SecureDrop Application. +from the SecureDrop Inbox application. Because SecureDrop Workstation has Internet access, updates can be applied automatically as soon as they are available. SecureDrop Workstation enforces this diff --git a/docs/journalist/ending_session.rst b/docs/journalist/ending_session.rst index 4b2732de9..73c77663e 100644 --- a/docs/journalist/ending_session.rst +++ b/docs/journalist/ending_session.rst 
@@ -1,7 +1,7 @@ Ending your session =================== -When you are finished using your *Journalist Workstation*, close the SecureDrop Application window and shut the computer down completely. This is to take advantage of the protections of full-disk encryption, and to avoid unauthorized access to the Workstation and the files and materials on it, which include any messages and submissions that you have downloaded. +When you are finished using your *Journalist Workstation*, close the SecureDrop Inbox window and shut the computer down completely. This is to take advantage of the protections of full-disk encryption, and to avoid unauthorized access to the Workstation and the files and materials on it, which include any messages and submissions that you have downloaded. To shut down the computer, click your username in the top righthand corner of your screen, and select **Shut Down** from the menu. diff --git a/docs/journalist/starting_client.rst b/docs/journalist/starting_client.rst index 2a3aee94e..a5d2acf69 100644 --- a/docs/journalist/starting_client.rst +++ b/docs/journalist/starting_client.rst @@ -1,7 +1,7 @@ -Starting the SecureDrop App +Starting SecureDrop Inbox ============================== -After you log into Qubes, the SecureDrop Application will start automatically. If +After you log into Qubes, SecureDrop Inbox will start automatically. If you have previously exited the application, you can double-click on the **SecureDrop** desktop shortcut to launch it. @@ -15,7 +15,7 @@ you to automatically download and apply any available security updates: |screenshot_update_prompt| -For security reasons, you will not be able to launch the SecureDrop Application until +For security reasons, you will not be able to launch SecureDrop Inbox until updates have been applied. This typically takes between 10 and 30 minutes. Click "Start updates" if you are ready to start the process. (If you prefer to 
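Review bot: the desktop shortcut is now named inconsistently across the files this commit touches. starting_client.rst still tells the reader to double-click the "**SecureDrop** desktop shortcut" (unchanged context in the @@ -1,7 hunk) and apply_sdw.rst says "the SecureDrop icon on the desktop", while the troubleshooting_updates.rst hunk changes its wording to "the SecureDrop Inbox desktop icon". Please confirm what the shortcut is actually labelled and use that label in all three places. The title underline in the starting_client.rst @@ -1,7 hunk is also left untouched after the title got shorter, although the apply_sdw.rst heading in this commit had its underline re-fitted.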
@@ -29,7 +29,7 @@ You will see a progress indicator until updates are completed: At the end of this process, you may be prompted you to reboot if core system components were updated. Once all steps in the update process have -been completed, the SecureDrop Application will launch automatically. +been completed, SecureDrop Inbox will launch automatically. Signing in ---------- From ba8d75a3a35f76401eeff07f1988f353e31bf7ac Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Thu, 11 Jun 2026 11:02:23 -0400 Subject: [PATCH 05/24] Change U+2019 to ' --- .../getting_the_most_out_of_securedrop.rst | 14 ++++++------- docs/admin/deployment/landing_page.rst | 16 +++++++-------- .../deployment/sample_privacy_policy.rst | 16 +++++++-------- .../maintenance/kernel_troubleshooting.rst | 2 +- docs/admin/reference/admin_interface.rst | 2 +- docs/appendices/threat_model/mitigations.rst | 4 ++-- docs/introduction/securedrop_workstation.rst | 2 +- .../what_makes_securedrop_unique.rst | 20 +++++++++---------- docs/source/before_you_submit.rst | 4 ++-- docs/source/source.rst | 2 +- 10 files changed, 41 insertions(+), 41 deletions(-) diff --git a/docs/admin/deployment/getting_the_most_out_of_securedrop.rst b/docs/admin/deployment/getting_the_most_out_of_securedrop.rst index 581f10a1f..07ca577a5 100644 --- a/docs/admin/deployment/getting_the_most_out_of_securedrop.rst +++ b/docs/admin/deployment/getting_the_most_out_of_securedrop.rst @@ -1,9 +1,9 @@ Promoting your SecureDrop instance ================================== -At Freedom of the Press Foundation, we’ve found news organizations that get the +At Freedom of the Press Foundation, we've found news organizations that get the most out of SecureDrop are those who promote it regularly and effectively. -SecureDrop will only be used by sources if they know it exists, so it’s best +SecureDrop will only be used by sources if they know it exists, so it's best to promote its use in a variety of ways so that a wide swath of people will see it. 
@@ -13,13 +13,13 @@ success with SecureDrop. Make a high profile announcement -------------------------------- -Anytime you launch a SecureDrop, you’ll want to write an accompanying news story +Anytime you launch a SecureDrop, you'll want to write an accompanying news story along with it to alert your readers and potential sources where to submit information. Almost every news organization already does this, but some good recent examples come from `USA Today`_, `The Guardian`_, and `Wired`_. You can also write a companion Q & A like the `Washington Post`_ did. -However, a launch announcement is really just a small piece of the puzzle. It’s +However, a launch announcement is really just a small piece of the puzzle. It's important to regularly remind readers and potential sources that your SecureDrop exists, because only a tiny fraction will likely see the launch announcement and it will quickly be buried in other news after a couple of days. @@ -45,7 +45,7 @@ The Washington Post has a link on their front page for “how to share a tip sec |How to Share a Tip Securely| -Other news organizations put a little link in their footer, however, we’ve found +Other news organizations put a little link in their footer, however, we've found that this is not as effective as putting it in a more prominent on your front page. Provide links at the bottom of your articles 
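Review bot: in the getting_the_most_out_of_securedrop.rst hunk at @@ -45,7, the sentence being touched still ends "putting it in a more prominent on your front page", which is missing a noun; since the line above it is already being rewritten, suggest fixing it to "a more prominent place on your front page" here. The header of the same hunk also shows a typographic opening double quote left in the file, so either convert U+201C/U+201D as well or say in the commit message that only U+2019 is in scope.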
@@ -72,9 +72,9 @@ Regularly share your SecureDrop *Landing Page* on social media -------------------------------------------------------------- The majority of adults in the United States now get their news from Facebook or -other social media sites like Twitter, so it’s important to regularly remind +other social media sites like Twitter, so it's important to regularly remind people via social media posts that SecureDrop is the safest way they can contact -your journalists if they have a sensitive tip to share. If there’s specific +your journalists if they have a sensitive tip to share. If there's specific stories you are looking for tips on that may already be in the news, this is a great way of getting added attention to your SecureDrop. diff --git a/docs/admin/deployment/landing_page.rst b/docs/admin/deployment/landing_page.rst index d087bebb1..638a7d71f 100644 --- a/docs/admin/deployment/landing_page.rst +++ b/docs/admin/deployment/landing_page.rst @@ -23,7 +23,7 @@ your organization. ---------------------------------- The content below presents sample text for the SecureDrop component of a news -organization’s tips page. It does not account for any specific legal +organization's tips page. It does not account for any specific legal or organizational needs, but should provide guidance for any outlet getting started on crafting *Landing Page* language. Any tweaks to the sample content should be left to the legal and editorial discretion of the individual outlet, 
@@ -44,9 +44,9 @@ To protect your anonymity when using SecureDrop, it is essential that you do not use a network or device that can easily be traced back to your real identity. Instead, use public wifi networks and devices you control. -- Do NOT access SecureDrop on your employer’s network. +- Do NOT access SecureDrop on your employer's network. -- Do NOT access SecureDrop using your employer’s hardware. +- Do NOT access SecureDrop using your employer's hardware. - Do NOT access SecureDrop on your home network. @@ -57,14 +57,14 @@ identity. Instead, use public wifi networks and devices you control. Once you are connected to a public network at a cafe or library, download and install the desktop version of `Tor Browser `_. -Launch Tor Browser. Visit our organization’s unique SecureDrop URL at +Launch Tor Browser. Visit our organization's unique SecureDrop URL at **http://our-unique-URL.onion/**. Follow the instructions you find on our source page to send us materials and messages. When you make your first submission, you will receive a unique codename. Memorize it. If you write it down, be sure to destroy the copy as soon as -you’ve committed it to memory. Use your codename to sign back in to +you've committed it to memory. Use your codename to sign back in to our source page, check for responses from our journalists, and upload additional materials. 
@@ -74,18 +74,18 @@ No tool can absolutely guarantee your security or anonymity. The best way to protect your privacy and anonymity as a source is to adhere to best practices. -You can use a separate computer you’ve designated specifically to handle +You can use a separate computer you've designated specifically to handle the submission process. Or, you can use an alternate operating system like Tails, which boots from a USB stick and erases your activity at the end of every session. A file contains valuable `metadata `_ about its source — when it was created -and downloaded, what machine was involved, the machine’s owner, etc. +and downloaded, what machine was involved, the machine's owner, etc. You can scrub metadata from some files prior to submission using the Metadata Anonymization Toolkit featured in Tails. Your online behavior can be extremely revealing. -Regularly monitoring our publication’s social media or website can potentially +Regularly monitoring our publication's social media or website can potentially flag you as a source. Take great care to think about what your online behavior might reveal, and consider using Tor Browser to mitigate such monitoring. diff --git a/docs/admin/deployment/sample_privacy_policy.rst b/docs/admin/deployment/sample_privacy_policy.rst index 555bc5a73..84432291f 100644 --- a/docs/admin/deployment/sample_privacy_policy.rst +++ b/docs/admin/deployment/sample_privacy_policy.rst @@ -15,7 +15,7 @@ type of information SecureDrop does and does not collect, and why. Collection of information from sources -------------------------------------- -* We don’t ask or require you to provide any personally identifying information +* We don't ask or require you to provide any personally identifying information when you submit materials through SecureDrop. * The system does not record your IP address, information about your browser, 
@@ -31,7 +31,7 @@ Collection of information from sources * Please keep in mind that the actual messages you send and receive through SecureDrop may include personally identifying information. For this reason, - once you read a journalist’s message, we recommend you delete it. + once you read a journalist's message, we recommend you delete it. Also please note that when you submit certain types of files through SecureDrop, you may be sending us metadata associated with that file. @@ -40,17 +40,17 @@ For example, if you submit a photo through SecureDrop in JPEG format, the file may include information about the date, time, and the GPS location of where it was taken, and the type of device used to take the photo. Similarly, if you submit a Word file (.doc or .docx) through SecureDrop, it may include the -identity of the document’s author, the author’s operating system, GPS data about -the author’s location, and the date and time when the document was created. +identity of the document's author, the author's operating system, GPS data about +the author's location, and the date and time when the document was created. Our policy is to scrub metadata from the files we receive through SecureDrop -before publication. If you don’t want to send us metadata, please use the +before publication. If you don't want to send us metadata, please use the Metadata Anonymization Toolkit to scrub the file before you submit it. -Collection of information about journalists’ use of SecureDrop +Collection of information about journalists' use of SecureDrop -------------------------------------------------------------- -**[MEDIA ORG]** collects information about journalists’ use of SecureDrop for +**[MEDIA ORG]** collects information about journalists' use of SecureDrop for security monitoring and to make sure the system works properly. This information we collect about journalists includes details about the device, 
@@ -75,7 +75,7 @@ service at your own risk. Children under 13 ----------------- -The Children’s Online Privacy Protection Act restricts our ability to collect +The Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13. This site is not directed to children 12 or younger. diff --git a/docs/admin/maintenance/kernel_troubleshooting.rst b/docs/admin/maintenance/kernel_troubleshooting.rst index 52cad3319..e0971c2a5 100644 --- a/docs/admin/maintenance/kernel_troubleshooting.rst +++ b/docs/admin/maintenance/kernel_troubleshooting.rst @@ -53,7 +53,7 @@ boot completely; if so, the log information will help us to understand what is happening. Provided that you can log in, check if you have network access. Try a -command such as ``sudo host freedom.press``. If you don’t have network +command such as ``sudo host freedom.press``. If you don't have network access, it is most likely due to the upgraded kernel missing a network driver for your hardware. diff --git a/docs/admin/reference/admin_interface.rst b/docs/admin/reference/admin_interface.rst index 65c000bce..6a2ca0ea3 100644 --- a/docs/admin/reference/admin_interface.rst +++ b/docs/admin/reference/admin_interface.rst @@ -60,7 +60,7 @@ account setup. |Add a new user| #. Hand the keyboard over to the journalist so they can create their own username. -#. Once they’re done entering a username for themselves, have them save their pre-generated Diceware passphrase to their password manager. +#. Once they're done entering a username for themselves, have them save their pre-generated Diceware passphrase to their password manager. #. If the new account should also have admin privileges, allowing them to add or delete other journalist accounts, select **Is Admin**. #. Finally, set up two-factor authentication for the account, following one of the two procedures below for your chosen method. 
diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index a24cf41fc..e73ac63eb 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst @@ -4,7 +4,7 @@ Attacks and countermeasures on the SecureDrop environment SecureDrop is a complex ecosystem comprised of various pieces of hardware, a diverse codebase, multiple user roles, and varied software dependencies. As such, an adversary can compromise any one of these components through a variety -of attacks, as detailed below. We’ve categorized attacks and countermeasures by +of attacks, as detailed below. We've categorized attacks and countermeasures by SecureDrop architecture area for clarity. There are certain attacks that cannot be mitigated by any of the technical or @@ -12,7 +12,7 @@ operational countermeasures built into SecureDrop. Attacks of a political nature — for example, if a source, journalist, or organization is threatened with legal action — are context-dependent, and determined by an ever-shifting climate around press freedoms. While these attack vectors are out of the scope of this -document, they should be factored in to any organization’s threat model with +document, they should be factored in to any organization's threat model with regional and political specificity. Application code — SecureDrop repository/release diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index 554e63a9e..fb9b9dcab 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst 
@@ -92,7 +92,7 @@ to discuss with us, please contact us via Signal, or send us a .. _`PGP-encrypted email`: https://securedrop.org/sites/default/files/fpf-email.asc -Why can’t I save or print from the Viewer VM apps? +Why can't I save or print from the Viewer VM apps? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When you view a file on SecureDrop Workstation, it is opened in a disposable VM that cannot access the network or any peripherals. The VM and all its data diff --git a/docs/introduction/what_makes_securedrop_unique.rst b/docs/introduction/what_makes_securedrop_unique.rst index 85ff0c3b4..ec5fd4332 100644 --- a/docs/introduction/what_makes_securedrop_unique.rst +++ b/docs/introduction/what_makes_securedrop_unique.rst @@ -15,13 +15,13 @@ when reporters regularly refused to testify and threatened to go to jail rather than betray a source. More recently, there have been a record number of leak prosecutions largely because -the government has learned they don’t need reporters to testify against their +the government has learned they don't need reporters to testify against their sources anymore. Instead, they can just secretly subpoena third-party services like Google or AT&T or Verizon or Facebook and get a treasure trove of digital -information on reporters and sources’ communications. For example, the Associated +information on reporters and sources' communications. For example, the Associated Press had twenty of their phone lines subpoenaed without their knowledge in order to identify a source. The government also got a warrant for Fox News reporter James -Rosen’s Gmail account without him knowing. In both cases, their alleged sources +Rosen's Gmail account without him knowing. In both cases, their alleged sources were prosecuted, even though journalists never directly divulged their sources. SecureDrop completely eliminates third parties from the equation and puts the 
@@ -34,8 +34,8 @@ has the power to contest the order or refuse to comply if they so wish. Limits the metadata trail as much as possible --------------------------------------------- -In many leak cases, the metadata of a journalist's communications—where you’re -located, who you’re talking to, when you’re talking to them, and how often—can +In many leak cases, the metadata of a journalist's communications—where you're +located, who you're talking to, when you're talking to them, and how often—can lead to trouble just as much as the actual content of your conversations. Even if a government serves a court order directly to a news organization to @@ -43,14 +43,14 @@ compel the disclosure of information, SecureDrop logs much less information than email providers or phone companies do. The source can only log into SecureDrop through Tor Browser, which masks the -source’s IP address to begin with, so there is no indication who the source is +source's IP address to begin with, so there is no indication who the source is (unless they disclose it) and where they are sending information from. The Tor IP address, the computer, and the browser type that the source is using is not logged either. For each source, only the time and date of each submission is logged on the server. When a source sends a new message, the time and date of the last message -is overwritten. This means that there won’t be a trail of metadata showing +is overwritten. This means that there won't be a trail of metadata showing exactly when the source and journalist were talking. In addition, sources cannot create a custom username that could reveal information 
@@ -77,19 +77,19 @@ another, `been targeted Date: Sat, 13 Jun 2026 11:53:36 -0400 Subject: [PATCH 06/24] Further cleaning/clarifying 'application' --- docs/admin/installation/test_the_installation.rst | 2 +- docs/admin/maintenance/rebuild_admin.rst | 4 ++-- docs/admin/migration/admin_migration.rst | 2 +- docs/introduction/securedrop_workstation.rst | 13 ++++++------- docs/introduction/what_is_securedrop.rst | 6 +++--- docs/journalist/sources.rst | 7 +------ 6 files changed, 14 insertions(+), 20 deletions(-) diff --git a/docs/admin/installation/test_the_installation.rst b/docs/admin/installation/test_the_installation.rst index 7a054a30f..e8c63333e 100644 --- a/docs/admin/installation/test_the_installation.rst +++ b/docs/admin/installation/test_the_installation.rst @@ -4,7 +4,7 @@ Test the installation Test Connectivity ----------------- -.. TODO add testing Qubes, testing launching the SecureDrop application, logging in, syncing, test submission, etc. +.. TODO add testing Qubes, testing launching the SecureDrop Inbox, logging in, syncing, test submission, etc. SSH to both servers over Tor ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 19a805e17..c7da13291 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -41,7 +41,7 @@ First, create a new Tails and set up a persistent volume with a strong passphrase. Once persistence has been set up, start up the *Admin Workstation* with -persistence enabled, install the SecureDrop application code, and set up +persistence enabled, install the SecureDrop Inbox code, and set up the KeePassXC database. The *Admin Workstation* uses SSH with key authentication to connect to the servers, 
@@ -341,7 +341,7 @@ during the next step, you should specify them relative to the Step 5: Configure and back up the *Application Server* ====================================================== -Next, configure the SecureDrop application using the files and info retrieved in the +Next, configure the SecureDrop *Application Server* using the files and info retrieved in the previous steps. To do so, connect to the Tor network on the *Admin Workstation*, open a Terminal and run the following commands: diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index 6c483d07f..54fb8302b 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -132,7 +132,7 @@ SecureDrop Workstation connects to your SecureDrop instance's API via the *Journ Copy SecureDrop login credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -When launching the SecureDrop Application must enter their username, passphrase and two-factor code to connect with the SecureDrop server. You can manage these passphrases using the KeePassXC password manager in the ``vault`` VM. If this laptop will be used by more than one journalist, we recommend that you shut down the ``vault`` VM now (using the Qube widget in the upper right panel), skip this section, and use a smartphone password manager instead. +When launching SecureDrop Inbox must enter their username, passphrase and two-factor code to connect with the SecureDrop server. You can manage these passphrases using the KeePassXC password manager in the ``vault`` VM. If this laptop will be used by more than one journalist, we recommend that you shut down the ``vault`` VM now (using the Qube widget in the upper right panel), skip this section, and use a smartphone password manager instead. In order to set up KeePassXC for easy use: diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index fb9b9dcab..e7be187fd 100644 
--- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst @@ -42,10 +42,9 @@ SecureDrop Workstation tightly controls access to the network, in order to prevent the exfiltration of messages, replies, documents, or encryption keys by adversaries. Specifically, the following VMs have no network access: -- ``sd-app``, which runs the SecureDrop Application, and holds decrypted messages, - replies, and documents. -- ``sd-viewer``, which is the template for disposable VMs used for opening - documents from the SecureDrop Application. +- ``sd-app``, which runs SecureDrop Inbox, and holds decrypted messages, + replies, and attachments. +- ``sd-viewer``, which is the template for disposable VMs used for opening and viewing attachments. - ``sd-gpg``, which holds the *Submission Private Key* required to decrypt messages, replies, and documents. - ``sd-devices``, which passes exported documents through to USB devices like @@ -59,7 +58,7 @@ access. If you attempt to directly access the network in any of these VMs, it will not work. That is the expected behavior. -Because the SecureDrop Application must connect to the SecureDrop +Because SecureDrop Inbox must connect to the SecureDrop *Application Server* in order to send or retrieve messages, documents, and replies, it can communicate through Qubes-internal Remote Procedure Calls (RPCs) with another VM, ``sd-proxy``, which can only access the open Internet through @@ -67,7 +66,7 @@ the Tor network. Like all networked VMs, ``sd-proxy`` uses the ``sys-firewall`` service to connect to the network, which is provided via ``sys-net``. All three VMs must be -running for the SecureDrop Application to successfully connect to the server. +running for SecureDrop Inbox to successfully connect to the server. .. important:: 
@@ -106,7 +105,7 @@ You cannot print from the viewer application, because it does not have access to peripherals. This prevents malware from exfiltrating data (e.g., via attached USB devices), and from targeting hardware-level security vulnerabilities. -You *can* print files directly from the SecureDrop Application by clicking "Print" +You *can* print files directly from SecureDrop Inbox by clicking "Print" for a downloaded file, which will pass the file through to your USB printer without opening it in an interactive viewer application. diff --git a/docs/introduction/what_is_securedrop.rst b/docs/introduction/what_is_securedrop.rst index e24417fc6..7d546ef59 100644 --- a/docs/introduction/what_is_securedrop.rst +++ b/docs/introduction/what_is_securedrop.rst @@ -123,7 +123,7 @@ Finally, SecureDrop Workstation relies on many other open source projects such a Privacy ------- -The SecureDrop application does not record your IP address, information about +The SecureDrop web interface does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser. The server will only store the date and time of the newest message sent from @@ -200,10 +200,10 @@ and must be physically located on-site within your organization's premises. The servers connect to the network via a dedicated hardware firewall. -Application environment +SecureDrop Workstations ~~~~~~~~~~~~~~~~~~~~~~~ -The SecureDrop application environment consists of at least one laptop, +The SecureDrop environment consists of at least one laptop, in addition to the servers described above: - *SecureDrop Workstation:* diff --git a/docs/journalist/sources.rst b/docs/journalist/sources.rst index 11e307e2e..6b01cce92 100644 --- a/docs/journalist/sources.rst +++ b/docs/journalist/sources.rst 
@@ -34,11 +34,6 @@ Journalists sending replies are assigned different colors and identified with their initials. Move your mouse pointer over the initials to reveal the full name. -.. note:: When you are prompted by a dialog that says “Do you allow VM - 'sd-app' to access your GPG keys (now and for the following 28800 - seconds)?”, click **Yes**. This allows the SecureDrop Application VM access - to the secure VM that holds your SecureDrop Submission Key. - Highlighting conversations -------------------------- @@ -66,7 +61,7 @@ Deleting conversations and source accounts As part of routine SecureDrop usage, we recommend that you establish data retention practices consistent with your organization's threat model, data lifecycle and data retention policies. Regularly deleting conversations and source accounts can mitigate risks in the event that your SecureDrop servers or a source's account details are compromised. If you delete messages and files for a source, the source will continue to appear -in the list of sources in the *SecureDrop App*, and they will still be able +in the list of sources in SecureDrop Inbox, and they will still be able to log into the *Source Interface* using their codename. Consider using this option as part of regular deletion of reviewed submissions, especially if you are not sure that all communication with the source has concluded. From 6ad34bbb9ff7705a31f5a921ae1873d5be09fbef Mon Sep 17 00:00:00 2001 
From: "martin.c" Date: Sat, 13 Jun 2026 12:27:02 -0400 Subject: [PATCH 07/24] Glossarizing all Application and Monitor Server --- docs/admin/deployment/https_source_interface.rst | 6 +++--- docs/admin/installation/create_admin_account.rst | 2 +- docs/admin/installation/set_up_keepassxc.rst | 4 ++-- docs/admin/maintenance/bios_server.rst | 2 +- docs/admin/maintenance/decommission.rst | 2 +- docs/admin/maintenance/rebuild_admin.rst | 6 +++--- docs/admin/reference/offboarding.rst | 2 +- docs/appendices/threat_model/mitigations.rst | 2 +- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index 1fac33513..2325e9f8b 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst @@ -64,7 +64,7 @@ involves: 4. Generating another CSR, using a custom tool, leveraging the Onion service private key. 5. Submitting the second CSR to DigiCert. (This CSR demonstrates control over the private key for the onion service.) 6. Downloading the certificate from the DigiCert panel. -7. Installing the cert on the SecureDrop Application Server, via ``securedrop-admin``. +7. Installing the cert on the SecureDrop *Application Server*, via ``securedrop-admin``. For SecureDrop, you should perform these steps on the Admin Workstation. Below are detailed steps for use on Tails: @@ -77,7 +77,7 @@ Below are detailed steps for use on Tails: $ openssl req -new -newkey rsa:4096 -nodes -keyout sd.key -out sd.csr That command will generate two files: ``sd.key``, the private key -that will be used by the SecureDrop Application Server; and ``sd.csr``, +that will be used by the SecureDrop *Application Server*; and ``sd.csr``, the certificate signing request (CSR), that will be sent to certificate authority in order to receive a certificate. Upload that CSR to the DigiCert website, to begin the request. 
@@ -99,7 +99,7 @@ an email with a nonce. Use that value to generate the second CSR: The CSR will be printed to stdout, starting with ``BEGIN CERTIFICATE REQUEST``. Save that CSR, and send it via email reply to DigiCert. After you receive your final certificate, -see instructions below for installing the certificate on the SecureDrop Application Server. +see instructions below for installing the certificate on the SecureDrop *Application Server*. Harica ~~~~~~ diff --git a/docs/admin/installation/create_admin_account.rst b/docs/admin/installation/create_admin_account.rst index abaadb4af..3e5aa2f06 100644 --- a/docs/admin/installation/create_admin_account.rst +++ b/docs/admin/installation/create_admin_account.rst @@ -32,7 +32,7 @@ interface. .. _Create Admin CLI: To create an admin account via the command line, -:doc:`SSH to the Application Server <../installation/test_the_installation>`, +:doc:`SSH to the*Application Server* <../installation/test_the_installation>`, then: .. code:: sh diff --git a/docs/admin/installation/set_up_keepassxc.rst b/docs/admin/installation/set_up_keepassxc.rst index 344e4a143..86d422ad9 100644 --- a/docs/admin/installation/set_up_keepassxc.rst +++ b/docs/admin/installation/set_up_keepassxc.rst @@ -52,9 +52,9 @@ the template are: **Admin**: - Admin account username -- App Server SSH Onion URL +- *Application Server* SSH Onion URL - Email account for sending OSSEC alerts -- Monitor Server SSH Onion URL +- *Monitor Server* SSH Onion URL - Network Firewall Admin Credentials - *OSSEC Alert Public Key* - SecureDrop Login Credentials diff --git a/docs/admin/maintenance/bios_server.rst b/docs/admin/maintenance/bios_server.rst index 4a132edfc..96d47102d 100644 --- a/docs/admin/maintenance/bios_server.rst +++ b/docs/admin/maintenance/bios_server.rst 
@@ -18,7 +18,7 @@ What you need Perform backups ~~~~~~~~~~~~~~~ -If you are updating the BIOS on an existing SecureDrop system, we recommend you :doc:`back up the Application Server ` before proceeding. +If you are updating the BIOS on an existing SecureDrop system, we recommend you :doc:`back up the *Application Server* ` before proceeding. Prepare the USB drive ~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/admin/maintenance/decommission.rst b/docs/admin/maintenance/decommission.rst index 9c7f10056..50f1e03a3 100644 --- a/docs/admin/maintenance/decommission.rst +++ b/docs/admin/maintenance/decommission.rst @@ -86,7 +86,7 @@ SecureDrop instance. server. You can either leave the server ample time to complete this operation, or - monitor the progress by SSHing to the Application server and running + monitor the progress by SSHing to the *Application Server* and running .. code:: sh diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index c7da13291..52bcf0827 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -11,7 +11,7 @@ backup exists, it is possible to rebuild one. In order to do so, you'll need - 1 replacement *Admin Workstation* USB (USB3 and 16GB or better recommended) The process requires experience with the Linux command line and Tails, and -can take up to 3 hours. If a backup of the SecureDrop application server is available, +can take up to 3 hours. If a backup of the SecureDrop *Application Server* is available, :doc:`reinstalling the instance and restoring the backup ` may be simpler. An outline of the steps involved in rebuilding an *Admin Workstation* is as follows: 
@@ -353,7 +353,7 @@ The ``sdconfig`` command will prompt you to fill in configuration details about your instance. Use the information retrieved in the previous steps. When prompted whether or not to enable SSH-over-Tor, type **no**. -Next, back up the Application server by running the following command in the terminal: +Next, back up the *Application Server* by running the following command in the terminal: .. code:: sh @@ -460,7 +460,7 @@ We recommend completing the following tasks after the rebuild: You can also selectively remove invalid keys by logging on to the *Application* and *Monitor Servers* and editing the file ``~/.ssh/authorized_keys``, making sure not to remove the public key belonging to your new *Admin Workstation*. - - :doc:`Back up the Application server ` once SSH-over-Tor has + - :doc:`Back up the *Application Server* ` once SSH-over-Tor has been restored. Ensure that server and workstation backups happen regularly. - Provision all other Tails Workstation USBs (*Journalist* and/or *Admin Workstations*) with updated Tor credentials, so that they can access SecureDrop after this rebuild. diff --git a/docs/admin/reference/offboarding.rst b/docs/admin/reference/offboarding.rst index 262e442c0..8c28d88af 100644 --- a/docs/admin/reference/offboarding.rst +++ b/docs/admin/reference/offboarding.rst @@ -106,7 +106,7 @@ the SSH key, you should rotate the key in the following manner. #. Test SSH connection. - Test that you can still ssh into the *Application and Monitor Servers* (you + Test that you can still ssh into the *Application* and *Monitor Servers* (you can test with ``ssh app host`` and ``ssh mon host``). diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index e73ac63eb..04c7ef12b 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst 
@@ -107,7 +107,7 @@ Attacks on the *Application Server* and *Monitor Server* - *Source* or *Journalist Interface* is framed - *Application* or *Monitor Server* is compromised - Attacker exploits postfix -- Known vulnerabilities in the Linux kernel or packages used by app/mon servers +- Known vulnerabilities in the Linux kernel or packages used by the *Application* and *Monitor Servers* Countermeasures on both *Application* and *Monitor Servers* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From dd442609f8d8051c3137a7ee71f15f78d986601d Mon Sep 17 00:00:00 2001 
From: "martin.c" Date: Sat, 13 Jun 2026 16:17:55 -0400 Subject: [PATCH 08/24] glossarization mostly done, plus a few related edits --- .../admin/deployment/deployment_practices.rst | 6 +- .../getting_the_most_out_of_securedrop.rst | 16 ++-- .../deployment/https_source_interface.rst | 42 +++++----- docs/admin/deployment/landing_page.rst | 30 ++++---- docs/admin/deployment/onboard_journalists.rst | 14 ++-- docs/admin/deployment/onion_name.rst | 22 +++--- docs/admin/deployment/ssh_over_local_net.rst | 2 +- docs/admin/deployment/tor_pow.rst | 12 +-- docs/admin/deployment/whole_site_changes.rst | 6 +- docs/admin/deployment/yubikey_setup.rst | 4 +- docs/admin/installation/apply_sdw.rst | 2 +- .../installation/create_admin_account.rst | 12 ++- docs/admin/installation/email_alerts.rst | 12 +-- docs/admin/installation/firewall_opnsense.rst | 8 +- .../installation/generate_submission_key.rst | 4 +- docs/admin/installation/hardware.rst | 12 +-- docs/admin/installation/install.rst | 8 +- .../installation/installation_overview.rst | 8 +- docs/admin/installation/intro_for_admins.rst | 14 ++-- docs/admin/installation/passphrases.rst | 36 ++++----- docs/admin/installation/prepare_sdw.rst | 4 +- docs/admin/installation/prepare_servers.rst | 2 +- .../installation/test_the_installation.rst | 10 +-- docs/admin/maintenance/backup_and_restore.rst | 12 +-- docs/admin/maintenance/decommission.rst | 12 +-- .../maintenance/kernel_troubleshooting.rst | 2 +- docs/admin/maintenance/logging.rst | 2 +- docs/admin/maintenance/rebuild_admin.rst | 4 +- .../troubleshooting_connection.rst | 2 +- docs/admin/migration/admin_migration.rst | 40 +++++----- docs/admin/reference/admin_interface.rst | 77 +++++++++---------- docs/admin/reference/offboarding.rst | 18 ++--- docs/admin/reference/ossec_alerts.rst | 2 +- docs/admin/reference/securedrop_admin.rst | 8 +- docs/admin/reference/ssh_access.rst | 4 +- .../managing_clipboard.rst | 4 +- .../workstation_reference/reviewing_logs.rst | 2 +- 
docs/appendices/glossary.rst | 28 +++---- docs/appendices/threat_model/mitigations.rst | 62 +++++++-------- docs/includes/backup-and-update-reminders.txt | 2 +- docs/includes/tor-security-setting.txt | 2 +- docs/introduction/securedrop_workstation.rst | 14 ++-- docs/introduction/what_is_securedrop.rst | 6 +- docs/journalist/journalist.rst | 18 ++--- docs/journalist/sources.rst | 4 +- docs/journalist/starting_client.rst | 10 +-- docs/journalist/submissions.rst | 8 +- docs/source/after_you_submit.rst | 6 +- docs/source/before_you_submit.rst | 12 +-- docs/source/how_to_submit.rst | 10 +-- docs/source/source.rst | 12 +-- 51 files changed, 332 insertions(+), 337 deletions(-) diff --git a/docs/admin/deployment/deployment_practices.rst b/docs/admin/deployment/deployment_practices.rst index 7e96a0ba2..85e5ee4c6 100644 --- a/docs/admin/deployment/deployment_practices.rst +++ b/docs/admin/deployment/deployment_practices.rst @@ -5,14 +5,14 @@ Deployment overview Once SecureDrop is installed on a news organization's servers, it's important for the administrator to configure it in a way that provides the greatest -protection for sources and journalists, given the unique needs and constraints +protection for *Sources* and *Journalists*, given the unique needs and constraints of the organization. The deployment section here covers a variety of tasks an administrator might need to perform to successfully deploy SecureDrop, depending on organizational needs and requirements. -Certain topics, such as creating a landing page and onboarding journalists, are +Certain topics, such as creating a landing page and onboarding *Journalists*, are universal to all SecureDrop instances. Other topics are optional, and are only needed if they fit in with the organization's security policies and newsroom workflows. 
@@ -25,7 +25,7 @@ Protecting the security of the system ===================================== SecureDrop is only as secure as the environment that surrounds it. To keep -sources safe, the news organization's website, physical space, and dedicated +*Sources* safe, the news organization's website, physical space, and dedicated SecureDrop hardware must employ a set of basic security best practices or risk losing any source protection provided by SecureDrop. diff --git a/docs/admin/deployment/getting_the_most_out_of_securedrop.rst b/docs/admin/deployment/getting_the_most_out_of_securedrop.rst index 07ca577a5..c7ac04063 100644 --- a/docs/admin/deployment/getting_the_most_out_of_securedrop.rst +++ b/docs/admin/deployment/getting_the_most_out_of_securedrop.rst @@ -3,7 +3,7 @@ Promoting your SecureDrop instance At Freedom of the Press Foundation, we've found news organizations that get the most out of SecureDrop are those who promote it regularly and effectively. -SecureDrop will only be used by sources if they know it exists, so it's best +SecureDrop will only be used by *Sources* if they know it exists, so it's best to promote its use in a variety of ways so that a wide swath of people will see it. 
@@ -14,13 +14,13 @@ Make a high profile announcement -------------------------------- Anytime you launch a SecureDrop, you'll want to write an accompanying news story -along with it to alert your readers and potential sources where to submit +along with it to alert your readers and potential *Sources* where to submit information. Almost every news organization already does this, but some good recent examples come from `USA Today`_, `The Guardian`_, and `Wired`_. You can also write a companion Q & A like the `Washington Post`_ did. However, a launch announcement is really just a small piece of the puzzle. It's -important to regularly remind readers and potential sources that your SecureDrop +important to regularly remind readers and potential *Sources* that your SecureDrop exists, because only a tiny fraction will likely see the launch announcement and it will quickly be buried in other news after a couple of days. @@ -33,7 +33,7 @@ Provide a clear link on your homepage ------------------------------------- Making your SecureDrop or secure tips page easy to find is one of the most important -things you can do to ensure that potential sources use it. The best way you can do +things you can do to ensure that potential *Sources* use it. The best way you can do this is providing a clear link on your home page, so that every time a user goes to your website, they can quickly see where they need to go. @@ -51,7 +51,7 @@ that this is not as effective as putting it in a more prominent on your front pa Provide links at the bottom of your articles -------------------------------------------- -Another great way to remind potential sources know that they can use SecureDrop is +Another great way to remind potential *Sources* know that they can use SecureDrop is to put a link at the bottom of each article. For example, Gizmodo Media Group, uses a message like this: 
@@ -60,7 +60,7 @@ uses a message like this: Create an instructional video on how to access and use your SecureDrop ---------------------------------------------------------------------- -To better help potential sources visualize how SecureDrop works, several +To better help potential *Sources* visualize how SecureDrop works, several organizations have made short instructional videos walking through all the steps. Some good examples include the `Toronto Globe and Mail`_, The Intercept, and `Lucy Parsons Labs`_. @@ -74,7 +74,7 @@ Regularly share your SecureDrop *Landing Page* on social media The majority of adults in the United States now get their news from Facebook or other social media sites like Twitter, so it's important to regularly remind people via social media posts that SecureDrop is the safest way they can contact -your journalists if they have a sensitive tip to share. If there's specific +your *Journalists* if they have a sensitive tip to share. If there's specific stories you are looking for tips on that may already be in the news, this is a great way of getting added attention to your SecureDrop. @@ -107,7 +107,7 @@ launched SecureDrop and other secure communications tools for their tips line: |New York Times Tweet| And the Toronto Globe and Mail regularly puts a note in their physical paper -reminding potential sources where they can go: +reminding potential *Sources* where they can go: |Globe and Mail Tweet| diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index 2325e9f8b..1ac9a2903 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst 
@@ -3,8 +3,8 @@ HTTPS on the *Source Interface* .. TODO update this page for Qubes -The SecureDrop *Source Interface* is served as an onion service with an ``.onion`` -URL, requiring Tor Browser to access it. While onion services provide +The SecureDrop *Source Interface* is served as an *Onion Service* with an ``.onion`` +URL, requiring Tor Browser to access it. While *Onion Services* provide end-to-end encryption by default, as well as strong anonymity, there are several reasons why you might want to consider deploying an additional layer of encryption and authentication via HTTPS: @@ -13,13 +13,13 @@ encryption and authentication via HTTPS: certificates that may be issued for ``*.onion`` addresses, are intended to attest to the identity of the organization running a service. This provides an additional measure of authenticity (in addition to the organization's - *Landing Page* and the `SecureDrop Directory`_) to help assure sources that + *Landing Page* and the `SecureDrop Directory`_) to help assure *Sources* that they are communicating with the intended organization when they access a - given Source Interface. + given *Source Interface*. -* SecureDrop supports v3 onion services, which use updated cryptographic +* SecureDrop supports v3 *Onion Services*, which use updated cryptographic primitives that provide better transport-layer encryption than those used - by v2 onion services. Using HTTPS on the source interface will provide + by v2 *Onion Services*. Using HTTPS on the *Source Interface* will provide an extra layer of encryption for data in transit. .. _`SecureDrop Directory`: https://securedrop.org/directory/ 
@@ -42,18 +42,18 @@ certificate icon beside the URL bar: |HTTPS Onion cert| Additional information about the organization, such as name and geographic -location, are checked by the CA during the EV process. A Source can use this +location, are checked by the CA during the EV process. A *Source* can use this information to confirm the authenticity of a SecureDrop instance, beyond the verification already available in the `SecureDrop Directory`_. In order to obtain an HTTPS certificate for your SecureDrop instance, `contact DigiCert directly`_. As part of the Extended Validation, you will be required both to confirm your affiliation with the organization, -and to demonstrate control over the Onion URL for your Source Interface. +and to demonstrate control over the Onion URL for your *Source* Interface. -In order for you to demonstrate control over the Onion URL for your Source +In order for you to demonstrate control over the Onion URL for your *Source* Interface, you will need to perform a signing operation leveraging the -private key of the Onion service used on the Source Interface. +private key of the *Onion Service* used on the *Source* Interface. DigiCert will provide you with some text and request that you use that text in a signing operation. At a high level, obtaining a certificate from DigiCert involves: 
@@ -61,7 +61,7 @@ involves: 1. Generating an HTTPS keypair and CSR via ``openssl``. 2. Submitting the CSR to DigiCert. (This CSR demonstrates control over the private key used for HTTPS.) 3. Scheduling a phone call and verifying your relationship to the organization. -4. Generating another CSR, using a custom tool, leveraging the Onion service private key. +4. Generating another CSR, using a custom tool, leveraging the *Onion Service* private key. 5. Submitting the second CSR to DigiCert. (This CSR demonstrates control over the private key for the onion service.) 6. Downloading the certificate from the DigiCert panel. 7. Installing the cert on the SecureDrop *Application Server*, via ``securedrop-admin``. @@ -89,7 +89,7 @@ an email with a nonce. Use that value to generate the second CSR: # On the Admin Workstation, generate the second CSR $ source /usr/share/securedrop-admin/venv/bin/activate $ torify pip install onionmaker - # Copy the Onion service key material to the Admin Workstation: + # Copy the *Onion Service* key material to the Admin Workstation: $ mkdir hsdir $ ssh app sudo cat /var/lib/tor/services/sourcev3/hostname > hsdir/hostname $ ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_public_key > hsdir/hs_ed25519_public_key @@ -105,7 +105,7 @@ Harica ~~~~~~ The Greek CA `Harica`_ is now providing Domain Validation (DV) certificates for ``.onion`` addresses. DV certificates are less useful for authentication purposes, -but may still be used to provide another layer of encryption for source traffic. +but may still be used to provide another layer of encryption for *Source* traffic. The commands provide detail on how to obtain a DV certificate from Harica on the Admin Workstation: 
@@ -144,7 +144,7 @@ Activating HTTPS in SecureDrop Make sure you have :doc:`installed SecureDrop already `. -Make note of the Source Interface Onion URL. Now from a Terminal +Make note of the *Source Interface* Onion URL. Now from a Terminal on your *Admin Workstation*: .. code:: sh @@ -153,10 +153,10 @@ on your *Admin Workstation*: This command will prompt you for the following information:: - Whether HTTPS should be enabled on Source Interface (requires EV cert): yes - Local filepath to HTTPS certificate (optional, only if using HTTPS on source interface): sd.crt - Local filepath to HTTPS certificate key (optional, only if using HTTPS on source interface): sd.key - Local filepath to HTTPS certificate chain file (optional, only if using HTTPS on source interface): ca.crt + Whether HTTPS should be enabled on *Source Interface* (requires EV cert): yes + Local filepath to HTTPS certificate (optional, only if using HTTPS on *Source Interface*): sd.crt + Local filepath to HTTPS certificate key (optional, only if using HTTPS on *Source Interface*): sd.key + Local filepath to HTTPS certificate chain file (optional, only if using HTTPS on *Source Interface*): ca.crt The filenames should match the names of the files provided to you by DigiCert, and should be saved inside the ``~/.config/securedrop-admin`` directory. You'll 
@@ -165,15 +165,15 @@ rerun the configuration scripts: :: securedrop-admin install The webserver configuration will be updated to apply the HTTPS settings. -Confirm that you can access the Source Interface at +Confirm that you can access the *Source Interface* at ``https://.onion``, and also that the HTTP URL ``http://.onion`` redirects automatically to HTTPS. .. note:: By default, Tor Browser will send an OCSP request to a Certificate - Authority (CA) to check if the Source Interface certificate has been revoked. + Authority (CA) to check if the *Source Interface* certificate has been revoked. Fortunately, this occurs through Tor. However, this means that a CA or anyone along the path can learn the time that a Tor user visited the SecureDrop - Source Interface. Future versions of SecureDrop will add OCSP stapling support + *Source Interface*. Future versions of SecureDrop will add OCSP stapling support to remove this request. See `OCSP discussion`_ for the full discussion. .. _`OCSP discussion`: https://github.com/freedomofpress/securedrop/issues/1941 diff --git a/docs/admin/deployment/landing_page.rst b/docs/admin/deployment/landing_page.rst index 638a7d71f..c7d70fa14 100644 --- a/docs/admin/deployment/landing_page.rst +++ b/docs/admin/deployment/landing_page.rst @@ -3,11 +3,11 @@ *Landing Page* ============== -SecureDrop itself runs as a Tor Onion Service. Organizations also need to +SecureDrop itself runs as a Tor *Onion Service*. Organizations also need to create a SecureDrop *Landing Page* that will: * explain how SecureDrop works -* give sources instructions on how to access the Tor Onion Service +* give *Sources* instructions on how to access the Tor *Onion Service* * disclose the risks of accessing the SecureDrop instance or submitting documents We also recommend including a privacy policy (see our :ref:`Sample 
@@ -17,7 +17,7 @@ your organization. .. note:: SecureDrop will bring more attention to your organization from security researchers and others. A *Landing Page* that fails to implement minimum security requirements is sure to be noticed, and - could undermine trust, discouraging possible sources. + could undermine trust, discouraging possible Sources. *Landing Page* content suggestions ---------------------------------- @@ -111,7 +111,7 @@ requirements below, then `send us a request using this form. `__ There are several benefits to being included in the SecureDrop directory. The -most significant benefit is that it will be easier for potential sources to +most significant benefit is that it will be easier for potential *Sources* to find your SecureDrop instance. Additionally, being included in the directory makes you eligible for :doc:`an onion name. ` This improves the experience by turning a lengthy, non-descriptive address @@ -162,7 +162,7 @@ HTTPS only (no mixed content) ----------------------------- HTTPS encryption is the number-one security requirement for your site's -SecureDrop *Landing Page*. Without HTTPS, a source can easily be exposed as a +SecureDrop *Landing Page*. Without HTTPS, a *Source* can easily be exposed as a visitor to your site. This may be difficult if your website serves advertisements or utilizes @@ -221,7 +221,7 @@ signature: **Don't load any resources (scripts, web fonts, etc.) from third parties (e.g. Google Web Fonts)** -This will potentially leak information about sources to third parties, +This will potentially leak information about *Sources* to third parties, which can more easily be accessed by law enforcement agencies. Simply copy them to your server and serve them yourself to avoid this problem. 
@@ -235,15 +235,15 @@ for the SecureDrop *Landing Page*. In the past, some news organizations were heavily criticized when launching their SecureDrop instances because their *Landing Page* contained trackers. They claimed they were going to great lengths to protect -sources' anonymity, but by having trackers on their *Landing Page*, this also +*Sources*' anonymity, but by having trackers on their *Landing Page*, this also opened up multiple avenues for third parties to collect information on -those sources. This information can potentially be accessed by law -enforcement or intelligence agencies and could unduly expose a source. +those *Sources*. This information can potentially be accessed by law +enforcement or intelligence agencies and could unduly expose a *Source*. Similarly, consider avoiding Cloudflare (and other CDNs like Akamai, StackPath, Incapsula, Amazon CloudFront, etc.) for the SecureDrop *Landing Page*. These -services intercept requests between a potential source and the SecureDrop -*Landing Page* and can be used to `track`_ or collect information on sources. +services intercept requests between a potential *Source* and the SecureDrop +*Landing Page* and can be used to `track`_ or collect information on *Sources*. .. warning:: This is a strict requirement for inclusion in the SecureDrop Directory @@ -284,7 +284,7 @@ if a visitor visits these links without using Tor Browser, this generates traffic that an adversary may be able to use to identify SecureDrop-related behavior, regardless of the use of HTTPS. -We suggest offering a reference to the SecureDrop Onion Service in +We suggest offering a reference to the SecureDrop *Onion Service* in plain text, without a hyperlink (as per the preceding section): **sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion** 
@@ -443,7 +443,7 @@ Further security considerations ------------------------------- To guard your *Landing Page* against being modified by an attacker and -directing sources to a rogue SecureDrop instance, you will need good +directing *Sources* to a rogue SecureDrop instance, you will need good security practices applying to the machine where it is hosted. Whether it's a VPS in the cloud or dedicated server in your office, you should consider the following: @@ -457,7 +457,7 @@ consider the following: - Intrusion and/or integrity monitoring (see Logwatch, OSSEC, Snort, rkhunter, chkrootkit) - Downtime alerts (Nagios or Pingdom) -- Two-factor authentication (see libpam-google-authenticator, +- *Two-Factor Authentication* (see libpam-google-authenticator, libpam-yubico) It's preferable for the *Landing Page* to have its own segmented @@ -483,7 +483,7 @@ or may be unable to load the page altogether because of Tor-specific DDoS protections. The effect of such measures cannot be tested without using Tor, and it is -a very bad experience for a *source* if visiting a *Landing Page* doesn't work +a very bad experience for a *Source* if visiting a *Landing Page* doesn't work as expected. Because of that, we **recommended strongly** that you test your organization's *Landing Page* using Tor *before* you start advertising it. diff --git a/docs/admin/deployment/onboard_journalists.rst b/docs/admin/deployment/onboard_journalists.rst index b3526c16e..6ed69e1fa 100644 --- a/docs/admin/deployment/onboard_journalists.rst +++ b/docs/admin/deployment/onboard_journalists.rst 
@@ -1,9 +1,9 @@ -Onboard journalists -=================== +Onboard *Journalists* +===================== At this point, the only person who has access to the system is the -admin. In order to grant access to journalists, you will need -to do some additional setup for each individual journalist. +admin. In order to grant access to *Journalists*, you will need +to do some additional setup for each individual *Journalist*. Provision *Journalist Workstation* ------------------------------------------- @@ -13,14 +13,14 @@ Provision *Journalist Workstation* Add an account on the *Journalist Interface* -------------------------------------------- -Finally, you need to add an account on the *Journalist Interface* so the journalist +Finally, you need to add an account on the *Journalist Interface* so the *Journalist* can log in and access submissions. .. include:: /admin/reference/admin_interface.rst :start-after: .. _Adding Users: :end-before: .. _Passphrases_and_two-factor_resets: -Verify journalist setup ------------------------ +Verify *Journalist* setup +------------------------- .. TODO diff --git a/docs/admin/deployment/onion_name.rst b/docs/admin/deployment/onion_name.rst index 564f38ec6..91136f0aa 100644 --- a/docs/admin/deployment/onion_name.rst +++ b/docs/admin/deployment/onion_name.rst @@ -5,7 +5,7 @@ What are onion names? ^^^^^^^^^^^^^^^^^^^^^ Onion names are short, memorable addresses that visitors can use to access an -onion service (e.g., a news organization's SecureDrop) using Tor Browser. +*Onion Service* (e.g., a news organization's SecureDrop) using Tor Browser. Imagine a SecureDrop instance for a new organization called *The New York World* with a .onion address like this: 
@@ -45,7 +45,7 @@ Getting An onion name Freedom of the Press Foundation maintains onion names for SecureDrop instances which: -* are using v3 onion services +* are using v3 *Onion Services* * are part of the SecureDrop Directory We will generally approve onion names that meaningfully correspond to your name @@ -56,7 +56,7 @@ country code (e.g. ``..securedrop.tor.onion``). If your SecureDrop instance is not part of the directory yet, you can :ref:`begin the process here`. In order to be eligible for inclusion, your SecureDrop and its associated clearnet -landing page must be set up consistent with the best practices recommended +*Landing Page* must be set up consistent with the best practices recommended in our documentation. If you are already part of the SecureDrop directory and would like an @@ -67,10 +67,10 @@ Does This Replace the original address? No, the onion name is only a human-friendly name for the full-length address. The original v3 address can continue to be used like normal, this just gives -sources an easier to remember option for accessing your SecureDrop. +*Sources* an easier to remember option for accessing your SecureDrop. We recommend that you list both the onion name and the full v3 address on your -landing page. This allows sources to verify both addresses against the +*Landing Page*. This allows *Sources* to verify both addresses against the information included in our directory, and also provides a fallback should the onion name fail to load for any reason. 
@@ -80,10 +80,10 @@ names, which is also generally our security recommendation. Updating an onion name ^^^^^^^^^^^^^^^^^^^^^^ -If you wish to change or retire your Onion Name, please reach out to the -SecureDrop Team. In the event that you wish to completely retire your +If you wish to change or retire your onion name, please reach out to the +SecureDrop team. In the event that you wish to completely retire your SecureDrop instance, we recommend that you contact us ahead of time if -possible, so we can schedule the Onion Name update on the same day. +possible, so we can schedule the onion name update on the same day. In any event, we will attempt to respond to any update request within 2 business days. @@ -98,10 +98,10 @@ reasons including but not limited to: * an instance is stuck on an old software version, and can no longer be considered secure; * an instance is unreachable for extended periods of time; -* the configuration of an instance or the associated landing page +* the configuration of an instance or the associated *Landing Page* differs substantially from our security recommendations in a manner - that may put sources at risk. + that may put *Sources* at risk. Unless the removal is an emergency, we will attempt to offer a substantial grace period prior to the revocation of an onion name, to ensure you can inform -your sources about the change to your .onion address. +your *Sources* about the change to your .onion address. diff --git a/docs/admin/deployment/ssh_over_local_net.rst b/docs/admin/deployment/ssh_over_local_net.rst index 9d818364c..67c371935 100644 --- a/docs/admin/deployment/ssh_over_local_net.rst +++ b/docs/admin/deployment/ssh_over_local_net.rst 
@@ -33,7 +33,7 @@ Configuring SSH for local access .. warning:: It is important that your firewall is configured adequately if you decide you need SSH over the local network. The install process locks down access as much as possible with net restrictions, SSH keys, and - two-factor authentication. However, you could still leave the interface + *Two-Factor Authentication*. However, you could still leave the interface exposed to unintended users if you did not properly follow our network firewall guide. diff --git a/docs/admin/deployment/tor_pow.rst b/docs/admin/deployment/tor_pow.rst index f51dbbdbf..dfc4bab52 100644 --- a/docs/admin/deployment/tor_pow.rst +++ b/docs/admin/deployment/tor_pow.rst 
@@ -1,20 +1,20 @@ Tor proof-of-work defense on the *Source Interface* =================================================== -The SecureDrop *Source Interface* is served as an onion service with an +The SecureDrop *Source Interface* is served as an *Onion Service* with an ``.onion`` URL, requiring Tor Browser to access it over the Tor network. Tor is sometimes targeted for denial-of-service (DoS) attacks that can `slow down the Tor network as a whole `_ -as well as burden individual onion services, including SecureDrops. +as well as burden individual *Onion Services*, including SecureDrops. Tor now includes a `proof-of-work (PoW) defense `_ -against denial-of-service attacks that can be turned on for individual onion -services. As of SecureDrop 2.9.0, new SecureDrops have this feature enabled by +against denial-of-service attacks that can be turned on for individual *Onion +Services*. As of SecureDrop 2.9.0, new SecureDrops have this feature enabled by default, and we encourage all SecureDrop administrators to turn it on for their instances. While this measure can't speed up the Tor network as a whole if it's slow, it can protect your SecureDrop from being attacked specifically; and more -onion services running with this feature helps improve the resilience of the Tor +*Onion Services* running with this feature helps improve the resilience of the Tor network. @@ -43,7 +43,7 @@ prompts, rerun the installation script:: securedrop-admin install The Tor configuration will be updated to enable the proof-of-work defense. When -the script finishes, confirm that you can access the Source Interface. +the script finishes, confirm that you can access the *Source Interface*. .. _disable_tor_pow: diff --git a/docs/admin/deployment/whole_site_changes.rst b/docs/admin/deployment/whole_site_changes.rst index b22764b07..a32c5d29f 100644 --- a/docs/admin/deployment/whole_site_changes.rst +++ b/docs/admin/deployment/whole_site_changes.rst 
@@ -26,8 +26,8 @@ analysis. Suggested --------- -- For publicly advertised SecureDrop instances display the Source - Interface's Onion Service onion address on all of the organization +- For publicly advertised SecureDrop instances display the *Source + Interface*'s *Onion Service* onion address on all of the organization public pages. -- Mirror Tor Browser and Tails so sources do not have to +- Mirror Tor Browser and Tails so *Sources* do not have to visit `torproject.org `__ to download it. diff --git a/docs/admin/deployment/yubikey_setup.rst b/docs/admin/deployment/yubikey_setup.rst index c23c1c23f..c396c9461 100644 --- a/docs/admin/deployment/yubikey_setup.rst +++ b/docs/admin/deployment/yubikey_setup.rst @@ -3,7 +3,7 @@ Using a YubiKey with the *Journalist Interface* This guide describes in detail how to set up a YubiKey for two-factor authentication on the *Journalist Interface*. This setup is performed -once per journalist to create a secure log-in method. The process +once per *Journalist* to create a secure log-in method. The process requires some configuration steps using a separate software tool. .. note:: You will do all of these steps from within the Tails @@ -12,7 +12,7 @@ requires some configuration steps using a separate software tool. What is a YubiKey? ------------------ -A YubiKey is a physical token used for two-factor authentication. They +A YubiKey is a physical token used for *Two-Factor Authentication*. They are made by a company called Yubico and are `commercially available`_. Note that not all physical tokens are compatible with the YubiKey Personalization Tool; for this, you require `a key that can support OATH-HOTP`_. diff --git a/docs/admin/installation/apply_sdw.rst b/docs/admin/installation/apply_sdw.rst index 3ac6f95c4..cb557d775 100644 --- a/docs/admin/installation/apply_sdw.rst +++ b/docs/admin/installation/apply_sdw.rst 
@@ -29,7 +29,7 @@ The preflight updater will start automatically after logging into the system. Pl If you close SecureDrop Inbox during your session, you can launch it again using the SecureDrop icon on the desktop. -Once the update check is complete, the SecureDrop Client will launch. Log in using an existing journalist account and verify that sources are listed and submissions can be downloaded, decrypted, and viewed. +Once the update check is complete, the SecureDrop Client will launch. Log in using an existing journalist account and verify that *Sources* are listed and submissions can be downloaded, decrypted, and viewed. .. _Password Management Section: diff --git a/docs/admin/installation/create_admin_account.rst b/docs/admin/installation/create_admin_account.rst index 3e5aa2f06..499db9dde 100644 --- a/docs/admin/installation/create_admin_account.rst +++ b/docs/admin/installation/create_admin_account.rst @@ -1,7 +1,7 @@ Create an admin account on the *Journalist Interface* ===================================================== -In order for any user (admin or journalist) to access the +In order for any user (admin or *Journalist*) to access the *Journalist Interface*, they need: 1. The ``auth-cookie`` for the *Journalist Interface*'s ATHS 
@@ -10,14 +10,14 @@ In order for any user (admin or journalist) to access the * Username * Passphrase - * Two-factor authentication code + * *Two-Factor Authentication* code You should create a separate account on the *Journalist Interface* for each user who needs access. This makes it easy to enable or disable access to the *Journalist Interface* on an individual basis, so you can grant access to new users or revoke access for users who have left the -organization or should no longer be allowed to access the Journalist -Interface. +organization or should no longer be allowed to access the *Journalist +Interface*. There are two types of accounts on the *Journalist Interface*: admin accounts and normal accounts. Admins accounts are like normal @@ -25,9 +25,7 @@ accounts, but they are additionally allowed to manage (add, change, delete) other user accounts through the web interface. You must create the first admin account on the *Journalist Interface* by -running a command on the *Application Server*. After that, the Journalist -Interface admin can create additional accounts through the web -interface. +running a command on the *Application Server*. After that, the admin can create additional accounts through the web-based *Journalist Interface*. .. _Create Admin CLI: diff --git a/docs/admin/installation/email_alerts.rst b/docs/admin/installation/email_alerts.rst index 2f2ee0175..ff728fa4f 100644 --- a/docs/admin/installation/email_alerts.rst +++ b/docs/admin/installation/email_alerts.rst 
@@ -8,9 +8,9 @@ SecureDrop sends different alerts by PGP-encrypted email. Before installing Secu Optional: daily journalist alerts ------------------------------------------- -When a SecureDrop has little activity and receives only a few submissions every other week, checking daily only to find there is nothing is a burden. It is more convenient for journalists to be notified daily via encrypted email about whether or not there has been submission activity in the past 24 hours. +When a SecureDrop has little activity and receives only a few submissions every other week, checking daily only to find there is nothing is a burden. It is more convenient for *Journalists* to be notified daily via encrypted email about whether or not there has been submission activity in the past 24 hours. -If the email shows submissions were received, the journalist can check their *Journalist Workstation*. +If the email shows submissions were received, the *Journalist* can check their *Journalist Workstation*. .. note:: @@ -18,10 +18,10 @@ If the email shows submissions were received, the journalist can check their *Jo of whether there are new submissions or not. The notification is sent after the daily reboot of the *Application Server*. The subject of the email will always be "Submissions in the past 24h". To find out whether there were - submissions or not, a journalist must decrypt the contents of the email. + submissions or not, a *Journalist* must decrypt the contents of the email. -In the simplest case a journalist will provides their email and GPG public key to -you, the admin. If a team of journalist wants to receive these daily alerts, they +In the simplest case a *Journalist* will provides their email and GPG public key to +you, the admin. If a team of *Journalist* wants to receive these daily alerts, they should share a GPG key and ask the admin to setup a mail alias (SecureDrop does not provide that service) so they all receive the alerts and are able to decrypt them. 
@@ -30,7 +30,7 @@ It is not possible to specify multiple email addresses for email notifications. If you wish to enable this, you will need: -- the email address that will receive the journalist alerts +- the email address that will receive the *Journalist* alerts - the *Journalist Alert Public Key* - the *Journalist Alert Public Key* fingerprint diff --git a/docs/admin/installation/firewall_opnsense.rst b/docs/admin/installation/firewall_opnsense.rst index 5176aad4a..e372820a4 100644 --- a/docs/admin/installation/firewall_opnsense.rst +++ b/docs/admin/installation/firewall_opnsense.rst @@ -133,7 +133,7 @@ Set a strong password Navigate to **System ▸ Access ▸ Users** and click the edit button for the ``root`` user. On the subsequent page, set a strong admin password. We recommend generating a strong passphrase with KeePassXC and saving it in the Tails Persistent folder using -the provided KeePassXC database template. Two-factor authentication will be enabled +the provided KeePassXC database template. *Two-Factor Authentication* will be enabled in a later step. Set alternate hostnames @@ -238,10 +238,10 @@ to apply several updates in a row to get to the latest version. |OPNSense - no updates| -Enable two-factor authentication -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable *Two-Factor Authentication* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -OPNSense supports two-factor authentication (2FA) via mobile apps such as Google Authenticator +OPNSense supports *Two-Factor Authentication* (2FA) via mobile apps such as Google Authenticator or FreeOTP. To set it up, first make sure you have a mobile device available with your choice of 2FA app. diff --git a/docs/admin/installation/generate_submission_key.rst b/docs/admin/installation/generate_submission_key.rst index c72beb64e..1480148a2 100644 --- a/docs/admin/installation/generate_submission_key.rst +++ b/docs/admin/installation/generate_submission_key.rst 
@@ -3,7 +3,7 @@ Generate the *Submission Key* .. These instructions will be replaced with whatever mechanism the all-on-Qubes SecureDrop Workstation uses to generate the submission key. -When a document or message is submitted to SecureDrop by a source, it is +When a document or message is submitted to SecureDrop by a *Source*, it is automatically encrypted with the *Submission Key*. The private part of this key is only stored on the *Secure Viewing Station* which is never connected to the Internet. SecureDrop submissions can only be decrypted and @@ -58,7 +58,7 @@ Export the *Submission Public Key* Navigate to **Apps ▸ Accessories ▸ Kleopatra** to open a graphical interface to manage GPG keys. Once Kleopatra opens you will find -a list of keys, including the SecureDrop Submission Key you just created. +a list of keys, including the SecureDrop *Submission Key* you just created. Click to select the key, then click the "Export…" button in the toolbar above. diff --git a/docs/admin/installation/hardware.rst b/docs/admin/installation/hardware.rst index 97b778294..9b1b4d526 100644 --- a/docs/admin/installation/hardware.rst +++ b/docs/admin/installation/hardware.rst @@ -34,7 +34,7 @@ Additionally, you may want to consider the following purchases: * an external hard drive for server backups. * a USB drive to store backups of your *SecureDrop Workstation*. * a security key for HOTP authentication, such as a YubiKey, if you want to - use hardware-based two-factor authentication instead of a mobile app. + use hardware-based *Two-Factor Authentication* instead of a mobile app. * a USB drive with a physical write protection switch, or a USB write blocker, if you want to mitigate the risk of introducing malware from your network to your *SecureDrop Workstation* during repeated use of an *Export Device*. 
@@ -126,7 +126,7 @@ organization for both technical and legal reasons: the context of SecureDrop, this means that the provider could access extremely sensitive information, such as the plaintext of submissions or the encryption keys used to identify and access - the onion services. + the *Onion Services*. * In addition, attackers with legal authority such as law enforcement agencies may (depending on the jurisdiction) be able @@ -344,9 +344,9 @@ to :doc:`configure an existing hardware firewall `. Two-factor device ^^^^^^^^^^^^^^^^^ -Two-factor authentication is used when connecting to different parts of the -SecureDrop system. Each admin and each journalist needs a two-factor -device. We currently support two options for two-factor authentication: +*Two-Factor Authentication* is used when connecting to different parts of the +SecureDrop system. Each admin and each *Journalist* needs a two-factor +device. We currently support two options for *Two-Factor Authentication*: * Your existing smartphone with an app that computes TOTP codes (e.g. FreeOTP `for Android `__ and `for iOS `__). @@ -358,7 +358,7 @@ device. We currently support two options for two-factor authentication: USB drives ^^^^^^^^^^ -Journalists need physical media (known as the +*Journalists* need physical media (known as the *Export Device*) to copy submissions to their everyday workstation. Our standard recommendation is to use USB drives, in combination with diff --git a/docs/admin/installation/install.rst b/docs/admin/installation/install.rst index bf1758512..70ec0a2c6 100644 --- a/docs/admin/installation/install.rst +++ b/docs/admin/installation/install.rst 
@@ -117,7 +117,7 @@ During the installation you will be given the opportunity to choose from a list of supported languages to display using the codes shown in parentheses. -.. note:: With a *Source Interface* displayed in French (for example), sources +.. note:: With a *Source Interface* displayed in French (for example), *Sources* submitting documents are likely to expect a journalist fluent in French to be available to read the documents and follow up in that language. @@ -286,12 +286,12 @@ an email to securedrop@freedom.press. .. _`Source Offer`: https://github.com/freedomofpress/securedrop/blob/develop/SOURCE_OFFER Once the installation is complete, addresses and credentials for each -onion service will be available in the following files under +*Onion Service* will be available in the following files under ``~/.config/securedrop-admin``: -V3 onion services ------------------ +V3 *Onion Services* +------------------- - ``app-sourcev3-ths`` contains the v3 ``.onion`` address of the *Source Interface*. diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index f3a951f8d..7a056d5f7 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst 
@@ -9,7 +9,7 @@ If you are migrating from an older Tails-based SecureDrop, using the separate *S Setting expectations -------------------- -SecureDrop is a technical tool. It is designed to protect journalists and sources, but no tool can guarantee safety. This guide will instruct you in installing and configuring SecureDrop, but it does not explain how to use it safely and effectively. Put another way: at the end of this guide, you will have built a car; you will not know how to drive. The :ref:`Deployment Guide ` contains best practices for working with SecureDrop. Make sure to read it after completing the installation. +SecureDrop is a technical tool. It is designed to protect *Journalists* and *Sources*, but no tool can guarantee safety. This guide will instruct you in installing and configuring SecureDrop, but it does not explain how to use it safely and effectively. Put another way: at the end of this guide, you will have built a car; you will not know how to drive. The :ref:`Deployment Guide ` contains best practices for working with SecureDrop. Make sure to read it after completing the installation. Setting up SecureDrop is a multi-step process, where each step builds on the steps that come before it. It's important that you treat the installation as a complete process, making sure not to skip any portions of the install guide or jump ahead to later content. 
@@ -39,9 +39,9 @@ the computers and services needed for a functional SecureDrop. During this process, you'll set up at least four devices: - *Admin Workstation*: - A laptop running the QubesOS operating system configured as an *Admin Workstation*, that you use to install and administer SecureDrop on the servers via SSH. If necessary (i.e. in a small newsroom), the same *SecureDrop Workstation* used for administration may be used as a *Journalist Workstation* by journalists to decrypt, view, and export submitted documents. For a larger newsroom, you may set up additional *Journalist Workstations* as needed for journalist use. + A laptop running the QubesOS operating system configured as an *Admin Workstation*, that you use to install and administer SecureDrop on the servers via SSH. If necessary (i.e. in a small newsroom), the same *SecureDrop Workstation* used for administration may be used as a *Journalist Workstation* by *Journalists* to decrypt, view, and export submitted documents. For a larger newsroom, you may set up additional *Journalist Workstations* as needed for *Journalist* use. - *Application Server*: - An Ubuntu server running two segmented Tor hidden services. The source connects to the *Source Interface*, a public-facing Tor Onion Service, to send messages and documents to the journalist. The journalist connects to the *Journalist Interface*, an `authenticated Tor Onion Service `__, using SecureDrop Inbox on a *Journalist Workstation* to download encrypted documents and respond to sources. + An Ubuntu server running two segmented Tor hidden services. The *Source* connects to the *Source Interface*, a public-facing Tor *Onion Service*, to send messages and documents to the *Journalist*. The *Journalist* connects to the *Journalist Interface*, an `authenticated Tor *Onion Service* `__, using SecureDrop Inbox on a *Journalist Workstation* to download encrypted documents and respond to *Sources*. 
- *Monitor Server*: An Ubuntu server that monitors the *Application Server* with `OSSEC `__ and sends email alerts. - Network Firewall @@ -61,7 +61,7 @@ A summary of the major steps is as follow: #. Test the installation. Optionally: -#. Prepare additional *Journalist Workstations* for use by journalists. +#. Prepare additional *Journalist Workstations* for use by *Journalists*. #. Prepare encrypted USB *Export Drives*. Minimum security requirements for a *SecureDrop Workstation* diff --git a/docs/admin/installation/intro_for_admins.rst b/docs/admin/installation/intro_for_admins.rst index 0503cf275..effca959f 100644 --- a/docs/admin/installation/intro_for_admins.rst +++ b/docs/admin/installation/intro_for_admins.rst 
@@ -3,9 +3,9 @@ Introduction for SecureDrop administrators SecureDrop servers are managed by a systems administrator. -For larger newsrooms, there may be a team of systems admins, but at least one person within the organization will need to serve as the administrator. In some situations, such as smaller news organizations where a journalist has the technical capacity to administer systems, one person can serve as both Journalist and Administrator. When possible, we advise having a dedicated staff member serving the role of SecureDrop Administrator. +For larger newsrooms, there may be a team of systems admins, but at least one person within the organization will need to serve as the administrator. In some situations, such as smaller news organizations where a *Journalist* has the technical capacity to administer systems, one person can serve as both *Journalist* and administrator. When possible, we advise having a dedicated staff member serving the role of SecureDrop administrator. -The admin connects to the *Application* and *Monitor Servers* over `authenticated onion services `__, and manages them using `Ansible `__. +The admin connects to the *Application* and *Monitor Servers* over `authenticated *Onion Services* `__, and manages them using `Ansible `__. If you are considering becoming a SecureDrop administrator, below are some attributes that will be important to have: 
@@ -43,7 +43,7 @@ As a SecureDrop administrator, it is your responsibility to: * ensure that SecureDrop Workstations are kept up to date * investigate and respond to security incidents * schedule and perform required maintenance tasks, such as operating system upgrades -* ensure that SecureDrop users adhere to the documented processes for checking SecureDrop, communicating with sources, and reviewing documents +* ensure that *Journalists* adhere to the documented processes for checking SecureDrop, communicating with *Sources*, and reviewing documents * verify the integrity of SecureDrop code * avoid the installation of unsupported code or patches * :doc:`decommission SecureDrop after it is no longer in use ` @@ -56,7 +56,7 @@ is offered as open source software, free of charge, and at your own risk. FPF offers :doc:`paid priority support services `. We are happy to provide assistance with installing the system, with training of -administrators and journalists, and with investigation of technical issues +administrators and *Journalists*, and with investigation of technical issues and incidents. .. note:: @@ -95,7 +95,7 @@ Managing users Admins are responsible for managing user credentials and encouraging best practices. (See :ref:`Passphrase Best Practices`.) The admin will also have access to the *Journalist Interface*, via her own username, passphrase, -and two-factor authentication method (using a smartphone application or YubiKey). +and *Two-Factor Authentication* method (using a smartphone application or YubiKey). See :ref:`User Management` for more information on adding and managing users. 
@@ -184,11 +184,11 @@ Installation support Any organization can install SecureDrop for free and also make modifications because the project is open source. -Because the installation and operation are complex, and because SecureDrop can only be as secure as the operational security practices followed by its users, Freedom of the Press Foundation will also help organizations install SecureDrop and train journalists and administrators. +Because the installation and operation are complex, and because SecureDrop can only be as secure as the operational security practices followed by its users, Freedom of the Press Foundation will also help organizations install SecureDrop and train *Journalists* and administrators. If you would like to work with Freedom of the Press Foundation on your SecureDrop installation, please reach out to us. We do ask news organizations that can afford to pay for installation support, training and maintenance to do so. -As part of `priority support agreements `_ and on a pro-bono basis for smaller news organizations, Freedom of the Press Foundation will visit your offices, help set up SecureDrop and train journalists to use it. (For pro-bono support, we request that our travel costs +As part of `priority support agreements `_ and on a pro-bono basis for smaller news organizations, Freedom of the Press Foundation will visit your offices, help set up SecureDrop and train *Journalists* to use it. (For pro-bono support, we request that our travel costs are covered.) .. include:: ../../includes/provide-feedback.txt diff --git a/docs/admin/installation/passphrases.rst b/docs/admin/installation/passphrases.rst index 06ccaa40f..cc55e226c 100644 --- a/docs/admin/installation/passphrases.rst +++ b/docs/admin/installation/passphrases.rst 
@@ -1,14 +1,14 @@ Passphrases overview ==================== -Each individual with a role (admin or journalist) at a given SecureDrop instance must generate and retain a number of strong, unique passphrases. The section is an overview of the passphrases, keys, two-factor secrets, and other credentials that are required for each role in a SecureDrop installation. +Each individual with a role (admin or *Journalist*) at a given SecureDrop instance must generate and retain a number of strong, unique passphrases. The section is an overview of the passphrases, keys, two-factor secrets, and other credentials that are required for each role in a SecureDrop installation. -Ideally, each admin and journalist would only have to remember the passphrases to unlock the encrypted storage on their *Journalist Workstation* laptop. +Ideally, each admin and *Journalist* would only have to remember the passphrases to unlock the encrypted storage on their *Journalist Workstation* laptop. -Admin ------ +Admininistrator +--------------- -The admin will be using an *Admin Workstation* configured to connect to the *Application Server* and the *Monitor Server* using Tor and SSH. The tasks performed by the admin will require the following set of credentials and passphrases: +The administrator will be using an *Admin Workstation* configured to connect to the *Application Server* and the *Monitor Server* using Tor and SSH. The tasks performed by the admin will require the following set of credentials and passphrases: - The Qubes full disk encryption (FDE) password of the *Admin Workstation*, required to unlock system storage on boot. - The Qubes system user password for the *Admin Workstation*, required to log in. 
@@ -23,36 +23,36 @@ The admin will be using an *Admin Workstation* configured to connect to the *App - The admin's personal GPG public key, if you want to potentially encrypt sensitive files to it for further analysis. - The account details for the destination email address for OSSEC alerts. - - The onion services values required to connect to the *Application* and + - The *Onion Services* values required to connect to the *Application* and *Monitor Servers*. -The admin will also need to have a way to generate two-factor authentication codes. +The admin will also need to have a way to generate *Two-Factor Authentication* codes. .. include:: ../../includes/otp-app.txt And the admin will also have the following two credentials: -- The secret code for the *Application Server*'s two-factor authentication. -- The secret code for the *Monitor Server*'s two-factor authentication. +- The secret code for the *Application Server*'s *Two-Factor Authentication*. +- The secret code for the *Monitor Server*'s *Two-Factor Authentication*. -Journalist ----------- +*Journalist* +------------ -The journalist will be using a *Journalist Workstation* to view submissions with SecureDrop Inbox. The tasks performed by the journalist will require the following set of passphrases: +The *Journalist* will be using a *Journalist Workstation* to view submissions with SecureDrop Inbox. The tasks performed by the *Journalist* will require the following set of passphrases: -- The Qubes full disk encryption (FDE) password of the Journalist Workstation they use, required to unlock system storage on boot. -- The Qubes system user password for the Journalist Workstation they use, required to log in. +- The Qubes full disk encryption (FDE) password of the *Journalist Workstation* they use, required to unlock system storage on boot. +- The Qubes system user password for the *Journalist Workstation* they use, required to log in. 
-The journalist will also need to have a two-factor authenticator, such as an Android or iOS device with FreeOTP installed, or a YubiKey. This means the journalist will also have the following credential: +The *Journalist* will also need to have a two-factor authenticator, such as an Android or iOS device with FreeOTP installed, or a YubiKey. This means the *Journalist* will also have the following credential: -- The secret code for the Journalist's two-factor authentication. +- The secret code for the *Journalist*'s *Two-Factor Authentication*. *Export USB* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We recommend using encrypted USB drives for transferring files off of the *Journalist Workstation*. -For every export operation, the user will need to enter the USB drive's encryption passphrase at least twice (on the computer they're copying from, and on the computer they're copying to). To make it easy for them to find the passphrase, we recommend storing it in the journalist's own existing password manager, which should be accessible using their smartphone. +For every export operation, the user will need to enter the USB drive's encryption passphrase at least twice (on the computer they're copying from, and on the computer they're copying to). To make it easy for them to find the passphrase, we recommend storing it in the *Journalist*'s own existing password manager, which should be accessible using their smartphone. If your organization is not using a password manager already, please see the `Freedom of the Press Foundation guide `__ 
@@ -63,7 +63,7 @@ to choosing one. Passphrase best practices ------------------------- -All SecureDrop users---Sources, Journalists, and Admins---are required to memorize at least one passphrase. This section describes best practices for passphrase management in the context of SecureDrop. +All SecureDrop users---*Sources*, *Journalists*, and admins---are required to memorize at least one passphrase. This section describes best practices for passphrase management in the context of SecureDrop. #. **Do** memorize your passphrase. diff --git a/docs/admin/installation/prepare_sdw.rst b/docs/admin/installation/prepare_sdw.rst index a4af95bd0..6f36e156f 100644 --- a/docs/admin/installation/prepare_sdw.rst +++ b/docs/admin/installation/prepare_sdw.rst @@ -264,8 +264,8 @@ Install `securedrop-admin` tooling .. _securedrop_workstation_generate_private_key: -Generate submission private key -------------------------------- +Generate *Submission Private Key* +--------------------------------- .. TODO diff --git a/docs/admin/installation/prepare_servers.rst b/docs/admin/installation/prepare_servers.rst index 12172e752..7220b55c5 100644 --- a/docs/admin/installation/prepare_servers.rst +++ b/docs/admin/installation/prepare_servers.rst @@ -236,7 +236,7 @@ devices that are powered down, SecureDrop's servers are designed to be always-on with the exception of a nightly reboot after automatic upgrades are applied. Given this update schedule, with FDE enabled, the servers would become unreachable once every 24 hours until an administrator entered the full-disk encryption -passphrase via the console, and during that time, sources and journalists would +passphrase via the console, and during that time, *Sources* and *Journalists* would be unable to access your instance. The increased responsibility for administrators, as well as the daily downtime 
diff --git a/docs/admin/installation/test_the_installation.rst b/docs/admin/installation/test_the_installation.rst index e8c63333e..05d7062e4 100644 --- a/docs/admin/installation/test_the_installation.rst +++ b/docs/admin/installation/test_the_installation.rst @@ -66,7 +66,7 @@ Test the web interfaces shortcut. Proceed through the codename generation (copy this down somewhere) and submit a test message or file. - - Usage of the Source Interface is covered by our :doc:`Source User + - Usage of the *Source Interface* is covered by our :doc:`Source User Manual <../../source/source>`. #. Test that you can access the *Journalist Interface*, and that you can log @@ -74,7 +74,7 @@ Test the web interfaces - Open the *Journalist Interface* in Tor Browser by clicking on its desktop shortcut. Enter your passphrase and two-factor code to log in. - - If you have problems logging in to the *Admin/Journalist + - If you have problems logging in to the *Journalist Interface*, SSH to the *Application Server* and restart the time synchronization daemon to synchronize the time: ``sudo systemctl restart systemd-timesyncd``. Also check that your smartphone's @@ -82,12 +82,12 @@ Test the web interfaces #. Test replying to the test submission. - - While logged in as an admin, you can send a reply to the test + - While logged in as an administrator, you can send a reply to the test source submission you made earlier. - Usage of the *Journalist Interface* is covered by our :doc:`Journalist User Manual <../../journalist/journalist>`. -#. Test that the source received the reply. +#. Verify that the test source account received the reply. - Within Tor Browser, navigate back to the *Source Interface* and use your previous test source codename to log in (or reload the 
@@ -95,7 +95,7 @@ Test the web interfaces is present. #. Remove the test submissions you made prior to putting SecureDrop to - real use. On the main *Journalist Interface* page, select all sources and + real use. On the main *Journalist Interface* page, select all *Sources* and click **Delete selected**. Once you've tested the installation and verified that everything is diff --git a/docs/admin/maintenance/backup_and_restore.rst b/docs/admin/maintenance/backup_and_restore.rst index d32d86d14..c09d613a2 100644 --- a/docs/admin/maintenance/backup_and_restore.rst +++ b/docs/admin/maintenance/backup_and_restore.rst @@ -4,7 +4,7 @@ Backing up and restoring servers Maintaining regular backups helps guard against data loss and hardware failure. Having a recent backup will allow you to redeploy SecureDrop without changing onion URLs, recreating journalist accounts, -or losing previous submissions from sources. +or losing previous submissions from *Sources*. .. note:: Only the *Application Server* is backed up and restored, including historical submissions and both *Source Interface* and *Journalist @@ -17,11 +17,11 @@ Minimizing disk use Since the backup and restore operations both involve transferring *all* of your SecureDrop's stored submissions over Tor, the process can take a long time. -Encouraging journalists to regularly delete older, unneeded submissions from +Encouraging *Journalists* to regularly delete older, unneeded submissions from the *Journalist Interface* will save time and improve reliability when doing backups. -.. tip:: Although it varies, the average throughput of an onion service is +.. tip:: Although it varies, the average throughput of an *Onion Service* is about 3 Mbps, or roughly 90 minutes for 2GB. Plan your backup and restore accordingly. 
@@ -136,7 +136,7 @@ Make sure to replace ``sd-backup-2020-07-22--01-06-25.tar.gz`` with the filename for your backup archive. This command attempts to restore submissions, source and journalist accounts, -and configuration details for the onion services used by the web interfaces and +and configuration details for the *Onion Services* used by the web interfaces and SSH (if configured). .. _migrating: @@ -326,8 +326,8 @@ the following command: securedrop-admin restore --preserve-tor-config sd-backup-2020-07-22--01-06-25.tar.gz This is a suitable option if you have a backup archive taken from an instance -with v2 onion services, and wish to restore it to an instance that is now using -v3 onion services. +with v2 *Onion Services*, and wish to restore it to an instance that is now using +v3 *Onion Services*. If you require any assistance with migration or data recovery, please `contact Support`_. diff --git a/docs/admin/maintenance/decommission.rst b/docs/admin/maintenance/decommission.rst index 50f1e03a3..23de70231 100644 --- a/docs/admin/maintenance/decommission.rst +++ b/docs/admin/maintenance/decommission.rst @@ -14,7 +14,7 @@ servers and associated hardware: 2. If the server room is covered by CCTV, verify that the footage will be monitored or reviewed periodically. 3. Ask to have adjacent corridors included in any regular security patrols. -4. Ask journalists to purge old submissions, to reduce the impact if the +4. Ask *Journalists* to purge old submissions, to reduce the impact if the servers are compromised (this is good general practice in any case). 5. If your SecureDrop instance is set up to allow SSH-over-LAN admin access, consider switching it to SSH-over-Tor access instead. To do so, you will 
@@ -25,10 +25,10 @@ during periods of prolonged absence, it may be better to relocate it, or in extreme circumstances, temporarily take it down. If you decide to take down your SecureDrop instance, we recommend the following steps: -1. Consult with journalists using the system, to ensure that any active +1. Consult with *Journalists* using the system, to ensure that any active sources are aware of the situation, and that source conversations can either be paused or continued via other means. -2. Update your SecureDrop landing page (typically a “send us tips” page, +2. Update your SecureDrop *Landing Page* (typically a “send us tips” page, or a page linked from there) to let prospective sources know that the outage is coming, and optionally to redirect them to other contact methods, such as a shared Signal tipline. @@ -55,7 +55,7 @@ Permanently decommissioning SecureDrop The following steps will guide you through the decommissioning of your SecureDrop instance. -#. **Put a notice in advance on your landing page to inform sources that your +#. **Put a notice in advance on your *Landing Page* to inform sources that your instance will soon be retired.** You may want to direct them to other secure methods of contacting you. #. **Locate and create an inventory of all your hardware.** @@ -72,7 +72,7 @@ SecureDrop instance. If you want to save a backup of the *Application Server* (for example, to reinstall SecureDrop in the future using the same `.onion` address), follow our :doc:`backup guidelines `. Once the backup has been created, you can move it onto an encrypted device, such as a LUKS-encrypted - drive. You will also require a backup of the *Submission Key* found on the + drive. You will also require a backup of the *Submission Private Key* found on the *SecureDrop Workstation*. If you do not require a server backup, you may choose to download specific 
@@ -151,7 +151,7 @@ SecureDrop instance. select "yes." #. **Destroy Export media, if applicable.** #. **Optional: Factory-reset the firewall.** -#. **Update your Landing Page (tips page) to reflect the fact that your organization no longer has SecureDrop.** +#. **Update your *Landing Page* (tips page) to reflect the fact that your organization no longer has SecureDrop.** #. **Notify the SecureDrop Support team that your instance is no longer active.** If you have any questions about the decommissioning process, or about other secure communications options, please feel free to contact us at diff --git a/docs/admin/maintenance/kernel_troubleshooting.rst b/docs/admin/maintenance/kernel_troubleshooting.rst index e0971c2a5..6760fe54d 100644 --- a/docs/admin/maintenance/kernel_troubleshooting.rst +++ b/docs/admin/maintenance/kernel_troubleshooting.rst @@ -14,7 +14,7 @@ First, you need to physically access each server. Power down the server and power the server back up. If you have access to the password for your admin user, you can use it to log into -each server without the use of two-factor authentication, which was disabled +each server without the use of *Two-Factor Authentication*, which was disabled for keyboard logins in SecureDrop 0.8.0. You may have saved the password in the KeePassXC database on your *Admin Workstation*. If you do not have the password, you can boot into single user mode instead. diff --git a/docs/admin/maintenance/logging.rst b/docs/admin/maintenance/logging.rst index cdaac6ac7..cc4cdf9cc 100644 --- a/docs/admin/maintenance/logging.rst +++ b/docs/admin/maintenance/logging.rst 
@@ -51,7 +51,7 @@ sense to temporarily enable error logging. To do so: LogLevel debug 5. Save the file and reload the configuration with ``sudo systemctl reload apache2`` -6. Visit the Source Interface and reproduce the error +6. Visit the *Source Interface* and reproduce the error 7. Inspect the log file ``/var/log/apache2/source-error.log`` for any details 8. Remember to set the configuration back to the default values once your investigation is complete. diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 52bcf0827..f8355f2cc 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -268,7 +268,7 @@ using the command: curl http://$(cat /tmp/sourcev3)/metadata Next, note the OSSEC Alerts email address (``OSSEC_EMAIL``) and, if applicable, -the Journalist Alerts email address (``JOURNALIST_EMAIL``): +the journalist alerts email address (``JOURNALIST_EMAIL``): .. code:: sh @@ -283,7 +283,7 @@ appropriate email address for ``alerts@example.com``): ssh mon sudo gpg --homedir=/var/ossec/.gnupg --export --armor alerts@example.com > ossec.pub gpg --import ossec.pub -If a Journalist Alerts address has been configured, repeat this step for the +If a journalist alerts address has been configured, repeat this step for the *Journalist Alert Public Key*, naming it ``journalist.pub`` or similar. You will require the fingerprints for these keys during the next step, which you diff --git a/docs/admin/maintenance/troubleshooting_connection.rst b/docs/admin/maintenance/troubleshooting_connection.rst index 4a2c8e831..41f559315 100644 --- a/docs/admin/maintenance/troubleshooting_connection.rst +++ b/docs/admin/maintenance/troubleshooting_connection.rst 
@@ -202,7 +202,7 @@ into your servers, you should first perform the following troubleshooting steps: your *Application Server* is online, and you can trigger a :ref:`test OSSEC alert ` to verify your *Monitor Server* is online. -#. **Ensure that SSH aliases and onion service authentication are configured:** +#. **Ensure that SSH aliases and *Onion Service* authentication are configured:** - First, ensure that the correct configuration files are present in ``~/.config/securedrop-admin``: diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index 54fb8302b..97a14b1f5 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -13,7 +13,7 @@ Pre-install tasks: Install tasks: ~~~~~~~~~~~~~~ -#. Copy the submission key +#. Copy the *Submission Key* #. Copy *Journalist Interface* details #. Copy SecureDrop login credentials #. Download and install SecureDrop Workstation 
@@ -59,13 +59,13 @@ Qubes OS comes with the KeePassXC password manager preinstalled in the ``vault`` Configure SecureDrop Workstation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and submission private key from your Tails-based *Secure Viewing Station* and *Journalist Workstation* USB drives. +Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and *Submission Private Key* from your Tails-based *Secure Viewing Station* and *Journalist Workstation* USB drives. Import *Submission Private Key* ------------------------------- In order to decrypt submissions, you will need a copy of the -`Submission Private Key `_ +`*Submission Private Key* `_ from your SecureDrop instance's Secure Viewing Station. To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. You cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below: 
@@ -86,18 +86,18 @@ To protect this key and preserve the air gap, you will need to connect the SVS U |Unlock TailsData| -- Open a ``dom0`` terminal via |qubes_menu| **▸** |qubes_menu_gear| **▸ Other ▸ Xfce Terminal**. Once the terminal window opens, run the following command to import the submission key: +- Open a ``dom0`` terminal via |qubes_menu| **▸** |qubes_menu_gear| **▸ Other ▸ Xfce Terminal**. Once the terminal window opens, run the following command to import the *Submission Private Key*: .. code-block:: sh sdw-admin --configure - Follow the command prompts to complete submission key import. + Follow the command prompts to complete *Submission Private Key* import. .. note:: - If there are multiple keys present on the device, ``sdw-admin --configure`` will print the fingerprints of those keys for you to select which to use as the submission private key. You can open ``.onion/metadata`` in Tor Browser on another network-connected computer to check the correct key fingerprint used by your SecureDrop instance. + If there are multiple keys present on the device, ``sdw-admin --configure`` will print the fingerprints of those keys for you to select which to use as the *Submission Private Key*. You can open ``.onion/metadata`` in Tor Browser on another network-connected computer to check the correct key fingerprint used by your SecureDrop instance. -- Once the submission key import is complete, in the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the SVS USB. +- Once the *Submission Private Key* import is complete, in the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the SVS USB. - If you were prompted for a passphrase during import, you will now need to remove the passphrase on ``sd-journalist.sec``. See :doc:`/admin/migration/removing_gpg_passphrase`. 
@@ -113,7 +113,7 @@ Import *Journalist Interface* details SecureDrop Workstation connects to your SecureDrop instance's API via the *Journalist Interface*. In order to do so, it will need the *Journalist Interface* address and authentication info. As the clipboard from another VM cannot be copied into ``dom0`` directly, follow these steps to copy the file into place: -- Locate a Tails-based *Admin Workstation* or *Journalist Workstation* USB drive. Both hold the address and authentication info for the *Journalist Interface*; if you also want to copy the journalist user's password database, use the *Journalist Workstation* USB drive. +- Locate a Tails-based *Admin Workstation* or *Journalist Workstation* USB drive. Both hold the address and authentication info for the *Journalist Interface*; if you also want to copy the *Journalist*'s password database, use the *Journalist Workstation* USB drive. - Connect the USB drive to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be 3 listings for the USB in the widget: one for the base USB, one for the Tails partition on the USB, labeled ``Tails``, and a 3rd unlabeled listing, for the persistent volume. Choose the third listing. 
@@ -132,7 +132,7 @@ SecureDrop Workstation connects to your SecureDrop instance's API via the *Journ Copy SecureDrop login credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -When launching SecureDrop Inbox must enter their username, passphrase and two-factor code to connect with the SecureDrop server. You can manage these passphrases using the KeePassXC password manager in the ``vault`` VM. If this laptop will be used by more than one journalist, we recommend that you shut down the ``vault`` VM now (using the Qube widget in the upper right panel), skip this section, and use a smartphone password manager instead. +When launching SecureDrop Inbox must enter their username, passphrase and two-factor code to connect with the SecureDrop server. You can manage these passphrases using the KeePassXC password manager in the ``vault`` VM. If this laptop will be used by more than one *Journalist*, we recommend that you shut down the ``vault`` VM now (using the Qube widget in the upper right panel), skip this section, and use a smartphone password manager instead. In order to set up KeePassXC for easy use: @@ -144,9 +144,9 @@ In order to set up KeePassXC for easy use: .. important:: - The password database from the Tails-based *Admin Workstation* contains sensitive credentials not required by journalist users. Make sure to copy the credentials from the Tails-based *Journalist Workstation* USB. + The password database from the Tails-based *Admin Workstation* contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based *Journalist Workstation* USB. -In order to copy a journalist's login credentials: +In order to copy a *Journalist*'s login credentials: - If a Tails-based *Journalist Workstation* USB is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. 
@@ -162,7 +162,7 @@ In order to copy a journalist's login credentials: - If the database is passwordless, KeePassXC may display a security warning when opening it. To preserve convenient passwordless access, you can protect the database using a key file, via **Database ▸ Database settings ▸ Security ▸ Add additional protection ▸ Add Key File ▸ Generate**. This key file has to be selected when you open the database, but KeePassXC will remember the last selection. -- Inspect each section of the password database to ensure that it contains only the information required by the journalist user to log in. +- Inspect each section of the password database to ensure that it contains only the information required by the *Journalist* to log in. - Close the application window and shut down the ``vault`` VM (using the Qube widget in the upper right panel). At this time, you can also re-enable the network connection using the network manager widget. @@ -172,9 +172,9 @@ Manually importing from Tails USB drives Manually import *Submission Private Key* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If importing the submission key using ``sdw-admin --configure`` fails, you can also copy the submission key manually. +If importing the *Submission Private Key* using ``sdw-admin --configure`` fails, you can also copy the *Submission Private Key* manually. -- Open a ``dom0`` terminal via |qubes_menu| **▸** |qubes_menu_gear| **▸ Other Tools ▸ Xfce Terminal**. Once the terminal window opens, run the following command to list the SVS submission key details, including its fingerprint: +- Open a ``dom0`` terminal via |qubes_menu| **▸** |qubes_menu_gear| **▸ Other Tools ▸ Xfce Terminal**. Once the terminal window opens, run the following command to list the *Submission Private Key* details, including its fingerprint: .. code-block:: sh 
@@ -189,7 +189,7 @@ If importing the submission key using ``sdw-admin --configure`` fails, you can "gpg --homedir /run/media/user/TailsData/gnupg --export-secret-keys --armor " \ > /tmp/sd-journalist.sec - where ```` is the submission key fingerprint, typed as a single unit without whitespace. This will copy the submission key in ASCII format to a temporary file in dom0, ``/tmp/sd-journalist.sec``. + where ```` is the *Submission Private Key* fingerprint, typed as a single unit without whitespace. This will copy the *Submission Private Key* in ASCII format to a temporary file in dom0, ``/tmp/sd-journalist.sec``. - Verify the that the file starts with ``-----BEGIN PGP PRIVATE KEY BLOCK-----`` using the command: @@ -207,7 +207,7 @@ If importing the submission key using ``sdw-admin --configure`` fails, you can - You can run ``sdw-admin --configure`` to now import the *Journalist Interface* details and complete configuration. - Alternatively, follow the steps below to do so manually. Once both Submission Key and *Journalist Interface* details are imported, proceed with :ref:`configuring the workstation`. + Alternatively, follow the steps below to do so manually. Once both *Submission Private Key* and *Journalist Interface* details are imported, proceed with :ref:`configuring the workstation`. .. _manual_copy_journalist: 
@@ -241,9 +241,9 @@ If you encounter a validation error due to a password-protected GPG key, see :do .. _manual_configure: -Once the *Journalist Interface* details and submission key have been copied to ``dom0``, you can create the configuration for the SecureDrop Workstation. +Once the *Journalist Interface* details and *Submission Private Key* have been copied to ``dom0``, you can create the configuration for the SecureDrop Workstation. -- Your submission key has a unique fingerprint required for the configuration. Obtain the fingerprint by using this command: +- Your *Submission Private Key* has a unique fingerprint required for the configuration. Obtain the fingerprint by using this command: .. code-block:: sh @@ -260,9 +260,9 @@ Once the *Journalist Interface* details and submission key have been copied to ` - The ``config.json`` file must be updated with the correct values for your instance. Open it with root privileges in a text editor such as ``vi`` or ``nano`` and update the following fields' values: - - **submission_key_fpr**: use the value of the submission key fingerprint as displayed above + - **submission_key_fpr**: use the value of the *Submission Private Key* fingerprint as displayed above - **hidserv.hostname**: use the hostname of the *Journalist Interface*, including the ``.onion`` TLD - - **hidserv.key**: use the private v3 onion service authorization key value + - **hidserv.key**: use the private v3 *Onion Service* authorization key value - **environment**: use the value ``prod`` .. note:: diff --git a/docs/admin/reference/admin_interface.rst b/docs/admin/reference/admin_interface.rst index 6a2ca0ea3..a8fa22e21 100644 --- a/docs/admin/reference/admin_interface.rst +++ b/docs/admin/reference/admin_interface.rst 
@@ -12,18 +12,17 @@ To log in to the *Admin Interface*, start the *Admin Workstation* with persistence enabled. Open the *SecureDrop Menu* and select the "Launch Journalist Interface" option. Tor Browser will start and load the login page for the *Journalist Interface*. Use your username, passphrase, and -two-factor authentication token to log in. +*Two-Factor Authentication* token to log in. By default, you will be logged in to the *Journalist Interface*'s source list page. |SecureDrop main page| -In the course of normal administration operations you should not need to view source -communications, but if you do, you can find information on managing submissions in +In the course of normal administration operations you should not need to view messages from *Sources*, but if you do, you can find information on managing submissions in the :doc:`journalist guide <../../journalist/journalist>`. .. note:: - If you have lost your login information or your two-factor authentication is no longer + If you have lost your login information or your *Two-Factor Authentication* is no longer valid, you can create another account with admin privileges via the command line on the *Application Server*. See :ref:`here ` for more information. 
@@ -41,12 +40,12 @@ upper right corner of the *Journalist Interface*. Adding users ------------ -After logging in, you can add new user accounts for the journalists at your organization -who will be checking the system for submissions. Make sure the journalist is +After logging in, you can add new user accounts for the *Journalists* at your organization +who will be checking the system for submissions. Make sure the *Journalist* is physically in the same room as you when you do this, as they will have to be present -to enable two-factor authentication. SecureDrop supports the use of either a -smartphone authenticator app or a Yubikey for two-factor authentication. If an -app is to be used, the journalist should install it before proceeding with the +to enable *Two-Factor Authentication*. SecureDrop supports the use of either a +smartphone authenticator app or a Yubikey for *Two-Factor Authentication*. If an +app is to be used, the *Journalist* should install it before proceeding with the account setup. .. include:: ../../includes/otp-app.txt @@ -59,10 +58,10 @@ account setup. |Add a new user| -#. Hand the keyboard over to the journalist so they can create their own username. +#. Hand the keyboard over to the *Journalist* so they can create their own username. #. Once they're done entering a username for themselves, have them save their pre-generated Diceware passphrase to their password manager. #. If the new account should also have admin privileges, allowing them to add or delete other journalist accounts, select **Is Admin**. -#. Finally, set up two-factor authentication for the account, following one of the two procedures below for your chosen method. +#. Finally, set up *Two-Factor Authentication* for the account, following one of the two procedures below for your chosen method. .. note:: The username **deleted** is reserved, as it is used to mark accounts which 
@@ -76,15 +75,15 @@ account setup. FreeOTP ~~~~~~~ -#. If the journalist is using FreeOTP or another app for two-factor authentication, click **Add User** to proceed to the next page. +#. If the *Journalist* is using FreeOTP or another app for *Two-Factor Authentication*, click **Add User** to proceed to the next page. |Enable FreeOTP| -#. Next, the journalist should open FreeOTP on their smartphone and scan the barcode displayed on the screen. +#. Next, the *Journalist* should open FreeOTP on their smartphone and scan the barcode displayed on the screen. #. If they have difficulty scanning the barcode, they can tap on the icon at the top that shows a plus and the symbol of a key and use their phone's keyboard to input the two-factor secret into the ``Secret`` input field, without whitespace. -#. Inside the FreeOTP app, a new entry for this account will appear on the main screen, with a six-digit number that recycles to a new number every thirty seconds. The journalist should enter the six-digit number in the **Verification code** field at the bottom of the **Enable FreeOTP** form and click **Submit**. +#. Inside the FreeOTP app, a new entry for this account will appear on the main screen, with a six-digit number that recycles to a new number every thirty seconds. The *Journalist* should enter the six-digit number in the **Verification code** field at the bottom of the **Enable FreeOTP** form and click **Submit**. -If two-factor authentication was set up successfully, you will be redirected back +If *Two-Factor Authentication* was set up successfully, you will be redirected back to the *Admin Interface* and will see a confirmation that the two-factor code was verified. 
@@ -96,20 +95,20 @@ verified. YubiKey ~~~~~~~ -#. If the journalist wishes to use a YubiKey for two-factor authentication, select **Is using a YubiKey**. You will then need to enter their YubiKey's OATH-HOTP Secret Key. For more information on how to retrieve this key, read the :doc:`YubiKey Setup Guide <../deployment/yubikey_setup>`. +#. If the *Journalist* wishes to use a YubiKey for *Two-Factor Authentication*, select **Is using a YubiKey**. You will then need to enter their YubiKey's OATH-HOTP Secret Key. For more information on how to retrieve this key, read the :doc:`YubiKey Setup Guide <../deployment/yubikey_setup>`. |Enable YubiKey| -#. Once you've entered the Yubikey's OATH-HOTP Secret Key, click **Add User**. On the next page, have the journalist authenticate using their YubiKey, by inserting it into a USB port on the workstation and pressing its button. +#. Once you've entered the Yubikey's OATH-HOTP Secret Key, click **Add User**. On the next page, have the *Journalist* authenticate using their YubiKey, by inserting it into a USB port on the workstation and pressing its button. |Verify YubiKey| #. If everything was set up correctly, you will be redirected back to the *Admin Interface*, where you should see a flashed message that says "The two-factor code for user *new username* was verified successfully.". -The journalist will require their username, passphrase, and two-factor authentication +The *Journalist* will require their username, passphrase, and *Two-Factor Authentication* method whenever they check SecureDrop. Make sure that they have memorised their username and passphrase, or stored them in their password manager, and that they -can keep their two-factor authentication device secure. +can keep their *Two-Factor Authentication* device secure. .. |Enable YubiKey| image:: ../../images/manual/screenshots/journalist-admin_add_user_hotp.png :alt: The form used to create new users, filled with the 40-character HOTP secret key of a Yubikey. 
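Review bot: The two rewritten steps in this hunk spell the device differently: the first has "wishes to use a YubiKey" while the second starts "Once you've entered the Yubikey's OATH-HOTP Secret Key". Since both lines are being touched anyway, use "YubiKey" in both. The image alt text in the trailing context ("HOTP secret key of a Yubikey") has the same spelling and could be fixed in the same pass.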
@@ -118,18 +117,18 @@ can keep their two-factor authentication device secure. .. _Passphrases_and_two-factor_resets: -Passphrases and two-factor resets ---------------------------------- +Passphrases and *Two-Factor Authentication* resets +-------------------------------------------------- .. warning:: Both of these operations will lock a user out of their SecureDrop account. Users should be physically present when their passphrase - or two-factor authentication method is reset. If this is not possible, store - the passphrase and/or two-factor authentication secret in your own password + or *Two-Factor Authentication* method is reset. If this is not possible, store + the passphrase and/or *Two-Factor Authentication* secret in your own password manager before securely transmitting them to the user in question, and delete them once the user has confirmed they can successfully log in. Even while following :ref:`passphrase best practices `, -your journalists may occasionally lock themselves out of their accounts. This +your *Journalists* may occasionally lock themselves out of their accounts. This can happen if, for example, they lose their two-factor device or if they forget the passphrase to their password manager. When this happens, you can reset their account as follows: 
@@ -140,23 +139,23 @@ can reset their account as follows: |Reset Passphrase| -Next, you can either rotate their passphrase or reset two-factor authentication +Next, you can either rotate their passphrase or reset *Two-Factor Authentication* for their account. To change their passphrase to the randomly-generated passphrase shown: - #. Have the journalist enter their current passphrase and two-factor code. + #. Have the *Journalist* enter their current passphrase and two-factor code. #. Make sure the new passphrase is saved in a password manager. #. Click **Reset Password** -To reset two-factor authentication: +To reset *Two-Factor Authentication*: - #. Click the button that corresponds to the user's chosen two-factor authentication method: + #. Click the button that corresponds to the user's chosen *Two-Factor Authentication* method: * Click **Reset Mobile App Credentials** for accounts using FreeOTP or a similar authentication app * Click **Reset Security Key Credentials** for accounts using a Yubikey - #. Follow the on-screen instructions to complete the process and verify their new two-factor authentication credentials. + #. Follow the on-screen instructions to complete the process and verify their new *Two-Factor Authentication* credentials. Off-boarding users 
@@ -243,33 +242,33 @@ Preventing short initial messages By default, SecureDrop does not apply a minimum length requirement to messages. If your instance is experiencing a high volume of short one-time messages with no actionable -content, or if you would like to indicate to sources that their initial message -should include enough information for journalists to respond to them effectively, you +content, or if you would like to indicate to *Sources* that their initial message +should include enough information for *Journalists* to respond to them effectively, you can set an initial message length as follows: #. Check the **Prevent sources from sending initial messages shorter than the minimum required length** checkbox #. Enter the desired minimum length in the field below the checkbox #. Click **Update Submission Preferences** -This change will be applied immediately on the Source Interface. Initial messages that -are too short will be rejected, with an error message informing sources of the +This change will be applied immediately on the *Source Interface*. Initial messages that +are too short will be rejected, with an error message informing *Sources* of the requirement. This requirement will not be applied to initial messages that also include a document, or to subsequent messages in the conversation. To remove the requirement, uncheck the checkbox and click **Update Submission Preferences**. -Preventing initial messages containing the source's codename ------------------------------------------------------------- +Preventing initial messages containing the *Source*'s codename +-------------------------------------------------------------- -Sources should never need to share their seven-word codename with journalists. If -your instance is receiving one-time messages consisting of the source's codename, +*Sources* should never need to share their seven-word codename with *Journalists*. 
If +your instance is receiving one-time messages consisting of the *Source*'s codename, you can optionally reject those messages, before they are stored, as follows: #. Check the **Prevent sources from submitting their codename as an initial message** checkbox #. Click **Update Submission Preferences** -This change will be applied immediately on the Source Interface. Initial messages that -contain the source's codename will be rejected, with an error message reminding sources +This change will be applied immediately on the *Source Interface*. Initial messages that +contain the *Source*'s codename will be rejected, with an error message reminding *Sources* to protect their codename and keep it secret. To remove this restriction, uncheck the checkbox and click **Update Submission Preferences**. diff --git a/docs/admin/reference/offboarding.rst b/docs/admin/reference/offboarding.rst index 8c28d88af..3cf4a3d09 100644 --- a/docs/admin/reference/offboarding.rst +++ b/docs/admin/reference/offboarding.rst @@ -1,7 +1,7 @@ -Off-board administrators and journalists -======================================== +Off-board administrators and *Journalists* +========================================== -When journalists and SecureDrop administrators leave your organization, it is +When *Journalists* and SecureDrop administrators leave your organization, it is important to off-board them from SecureDrop. .. important:: Additional measures may need to be taken if the 
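Review bot: In the offboarding.rst title, "Off-board administrators and *Journalists*" styles only one of the two roles as a glossary term, so the page heading renders half in italics, and the first body line repeats the pattern with "*Journalists* and SecureDrop administrators". Consider leaving the page title as plain text and applying the glossary styling in body text only, so the heading reads the same in the table of contents as it did before.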
@@ -23,9 +23,8 @@ Off-boarding checklist notifications), either directly or as a member of an email alias, remove them from those alerts and :ref:`set up someone new ` to receive those alerts. -- (Circumstance-dependent) If you have specific concerns that the *Submission - Key* has been compromised, you should consider a full reinstall of - SecureDrop. At minimum, you should :ref:`rotate the Submission Key +- (Circumstance-dependent) If you have specific concerns that the *Submission Private Key* has been compromised, you should consider a full reinstall of + SecureDrop. At minimum, you should :ref:`rotate the *Submission Key* `. Additional steps for off-boarding administrators @@ -181,14 +180,14 @@ On the *Secure Viewing Station* gpg --list-keys - In the output, locate the Retired SecureDrop Submission Key. It should + In the output, locate the "Old SecureDrop Submission Key". It should look similar to this: .. code:: text pub rsa4096/0x1CB396626CA370AB 2022-08-16 [SC] Key fingerprint = 6A7F 116B 3C22 4F36 7275 236A 1CB3 9662 6CA3 70AB - uid [ultimate] OLD SecureDrop Submission Key (Retired 2022-08-16) + uid [ultimate] Old SecureDrop Submission Key (Retired 2022-08-16) uid [ultimate] SecureDrop (SecureDrop Submission Key) sub rsa4096/0x228C92459E3D16DE 2022-08-16 [E] @@ -235,8 +234,7 @@ On the *Secure Viewing Station* |revoked| #. Now :doc:`follow the instructions <../installation/generate_submission_key>` - to create a PGP key on the *Secure Viewing Station*. This will be your new - *Submission Key.* Copy the fingerprint and new *Submission Public Key* to + to create a new *Submission Key.* Copy the fingerprint and new *Submission Public Key* to your *Transfer Device*. .. |select securedrop key| image:: ../../images/offboard/key_list.png diff --git a/docs/admin/reference/ossec_alerts.rst b/docs/admin/reference/ossec_alerts.rst index 608833eea..d768cda46 100644 --- a/docs/admin/reference/ossec_alerts.rst +++ b/docs/admin/reference/ossec_alerts.rst 
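Review bot: In the off-boarding checklist hunk (@@ -23,9 +23,8 @@ of offboarding.rst), the new link text ":ref:`rotate the *Submission Key* `" puts emphasis inside a role. reStructuredText does not nest inline markup, so the asterisks will be rendered literally in the link; keep the link text plain ("rotate the Submission Key"). The same bullet now says *Submission Private Key* for the compromise and *Submission Key* for the rotation, so pick one term if both refer to the same key.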
@@ -63,7 +63,7 @@ Surprising changes to configuration files, or new or changed files unrelated to the daily updates, may warrant further investigation. Occasionally your SecureDrop Servers will send an alert for failing to connect -to Tor relays. Since SecureDrop runs as a Tor Onion Service, it is possible +to Tor relays. Since SecureDrop runs as a Tor *Onion Service*, it is possible for Tor connections to timeout or become overloaded. :: Received From: (app) diff --git a/docs/admin/reference/securedrop_admin.rst b/docs/admin/reference/securedrop_admin.rst index 5a1b75113..ec6eb10d4 100644 --- a/docs/admin/reference/securedrop_admin.rst +++ b/docs/admin/reference/securedrop_admin.rst @@ -71,8 +71,8 @@ https://github.com/freedomofpress/securedrop/blob/develop/securedrop/i18n.rst At any time during and after initial setup, you can choose from a list of supported languages to display using the codes shown in parentheses. -.. note:: With a *Source Interface* displayed in French (for example), sources - submitting documents are likely to expect a journalist fluent in +.. note:: With a *Source Interface* displayed in French (for example), *Sources* + submitting documents are likely to expect a Journalist fluent in French to be available to read the documents and follow up in that language. @@ -117,7 +117,7 @@ Configuration information is stored on the *Admin Workstation* under * The *Submission Public Key* and *OSSEC Alert Public Key* should be present under ``~/.config/securedrop-admin``. If these keys are rotated, the public keys should be updated on other *Admin Workstations*. -* Onion service information is stored in several files: +* *Onion Service* information is stored in several files: .. code-block:: none 
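Review bot: In the securedrop_admin.rst hunk at @@ -71,8 +71,8 @@, the new line "submitting documents are likely to expect a Journalist fluent in" capitalises Journalist but omits the asterisks used for *Sources* on the line above and for *Journalist* in the rest of this patch. Make it "a *Journalist* fluent in", or keep it lower case if the generic sense is intended.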
@@ -127,6 +127,6 @@ Configuration information is stored on the *Admin Workstation* under ~/.config/securedrop-admin/app-sourcev3-ths ~/.config/securedrop-admin/tor_v3_keys.json - If onion service addresses are changed, the files listed above should be shared + If *Onion Service* addresses are changed, the files listed above should be shared securely with other administrators - preferably in person using an encrypted transfer USB, as they can be used to access the servers directly via SSH over Tor. diff --git a/docs/admin/reference/ssh_access.rst b/docs/admin/reference/ssh_access.rst index 31b5e982b..bf881a945 100644 --- a/docs/admin/reference/ssh_access.rst +++ b/docs/admin/reference/ssh_access.rst @@ -120,8 +120,8 @@ Adding users (CLI) ^^^^^^^^^^^^^^^^^^ After the provisioning of the first admin account, we recommend -using the Admin Interface web application for adding additional journalists -and admins. +using the Admin Interface web application for adding additional journalist +and admin accounts. However, you can also add users via ``./manage.py`` in ``/var/www/securedrop/`` as described :doc:`during first install <../installation/create_admin_account>`. diff --git a/docs/admin/workstation_reference/managing_clipboard.rst b/docs/admin/workstation_reference/managing_clipboard.rst index 1244001c9..d321c6043 100644 --- a/docs/admin/workstation_reference/managing_clipboard.rst +++ b/docs/admin/workstation_reference/managing_clipboard.rst 
@@ -8,13 +8,13 @@ In addition, Qubes supports copying information *between* VMs. This is done by u As an administrator, you should be aware of the following risks related to clipboard access before changing the default configuration: 1. It is dangerous to copy untrusted, unsanitized content *into* a secure environment. What looks like plain text may contain character sequences that exploit security vulnerabilities in the target environment. -2. The four-step process described above can be difficult to follow, and it is easy to make an operational mistake, such as pasting a password into a message to a source, or into a window belonging to a VM with network access. +2. The four-step process described above can be difficult to follow, and it is easy to make an operational mistake, such as pasting a password into a message to a *Source*, or into a window belonging to a VM with network access. 3. Like any other part of the operating system, the implementation of Qubes clipboard itself may contain undiscovered security vulnerabilities that an adversary could exploit in an attempt to exfiltrate information. With these considerations in mind, there are use cases where clipboard access may be an important part of your regular use of SecureDrop Workstation. For example: - You may want to copy passwords from a password manager to log into SecureDrop Inbox; -- You may want to copy a message you received via SecureDrop into a secure messaging app like Signal, to share it with another journalist. +- You may want to copy a message you received via SecureDrop into a secure messaging app like Signal, to share it with another *Journalist*. To support these use cases, Qubes OS allows you to grant granular access to the ``sd-app`` clipboard (via the cross-VM clipboard) to selected VMs. diff --git a/docs/admin/workstation_reference/reviewing_logs.rst b/docs/admin/workstation_reference/reviewing_logs.rst index 0716d0e3b..e45bc8e07 100644 
--- a/docs/admin/workstation_reference/reviewing_logs.rst +++ b/docs/admin/workstation_reference/reviewing_logs.rst @@ -5,7 +5,7 @@ The *Journalist Workstation* aggregates system logs from all its VMs in the ``sd Please note that while the logs do not include original filenames or message contents, they do contain sensitive information, e.g.: - timing and usage information related to SecureDrop access -- the two-word designation for a given source +- the two-word designation for a given *Source* - metadata about submissions and replies - error messages that disclose further details diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index 33668a982..409dd95e9 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -11,9 +11,9 @@ The list below attempts to enumerate and define these terms. Application Server ------------------ The *Application Server* runs the SecureDrop server application. This server hosts both -the website that sources access (the *Source Interface*) and the website that -journalists access (the *Journalist Interface*). Both are published -through an *onion service* because sources, journalists, and admins +the website that *Sources* access (the *Source Interface*) and the website that +*Journalists* access (the *Journalist Interface*). Both are published +through an *Onion Service* because *Sources*, *Journalists*, and admins may only connect to this server using Tor. 
@@ -34,8 +34,8 @@ Instructions for using SecureDrop as a *Journalist* are available in our Journalist Alert Public Key --------------------------- The *Journalist Alert Public Key* is used for encrypting the daily alert -that notifies journalists via encrypted email about whether or not there has been -submission activity in the past 24 hours. The journalist uses an associated +that notifies *Journalists* via encrypted email about whether or not there has been +submission activity in the past 24 hours. The *Journalist* uses an associated private key to decrypt the alerts. .. _glossary_landing_page: @@ -44,7 +44,7 @@ Landing Page ------------ The *Landing Page* is the public-facing webpage for a SecureDrop instance. This page is hosted as a standard (i.e. non-Tor) webpage on the news organization's -site. It provides first instructions for potential sources and includes +site. It provides first instructions for potential *Sources* and includes the instance's :ref:`Source Interface ` address. 
@@ -60,30 +60,30 @@ to this server, and they may only do so using Tor. Onion Service ------------- -Tor onion services provide anonymous inbound connections to websites and other +Tor *Onion Services* provide anonymous inbound connections to websites and other servers exclusively over the Tor network. For example, SecureDrop uses onion services for the *Journalist Interface* and *Source Interface* websites, as well as for administrative access to the servers in SSH-over-Tor mode. -Onion services can be accessed by clicking a link or pasting the onion service +*Onion Services* can be accessed by clicking a link or pasting the *Onion Service* address into Tor Browser. For example, ``sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion`` is the onion service address for the SecureDrop website. -Read more about `onion services in Tor's glossary +Read more about `*Onion Services* in Tor's glossary `__. Onion Service versions """""""""""""""""""""" -Distinguishing between different generations of onion services is easy: +Distinguishing between different generations of *Onion Services* is easy: v3 addresses are longer (56 characters) than v2 addresses (16 characters). -The third generation of onion services (v3) provides stronger cryptographic -algorithms than v2 onion services, and includes redesigned protocols that +The third generation of *Onion Services* (v3) provides stronger cryptographic +algorithms than v2 *Onion Services*, and includes redesigned protocols that guard against service information leaks on the Tor network. -Only v3 onion services are supported by SecureDrop. +Only v3 *Onion Services* are supported by SecureDrop. OSSEC Alert Public Key ---------------------- 
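Review bot: The rewritten link "Read more about `*Onion Services* in Tor's glossary `__" places emphasis inside hyperlink text. reStructuredText does not nest inline markup, so the asterisks will show up literally in the rendered link; leave the link text plain. Within the same glossary entry the unchanged lines still read "SecureDrop uses onion services for" and "is the onion service address", so the entry now mixes both styles and should be made consistent one way or the other.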
@@ -105,7 +105,7 @@ Instructions for using SecureDrop as a *Source* are available in our Source Interface ---------------- The *Source Interface* is the website that sources will access to -submit documents and communicate with journalists. This site is +submit documents and communicate with *Journalists*. This site is hosted on the *Application Server* and can only be accessed through Tor. Instructions for using the *Source Interface* are available in our :doc:`Source Guide diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index 04c7ef12b..907a9d12e 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst @@ -9,7 +9,7 @@ SecureDrop architecture area for clarity. There are certain attacks that cannot be mitigated by any of the technical or operational countermeasures built into SecureDrop. Attacks of a political nature -— for example, if a source, journalist, or organization is threatened with legal +— for example, if a *Source*, *Journalist*, or organization is threatened with legal action — are context-dependent, and determined by an ever-shifting climate around press freedoms. While these attack vectors are out of the scope of this document, they should be factored in to any organization's threat model with @@ -28,7 +28,7 @@ Countermeasures on the application code — SecureDrop repository/release ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Code (git tags) and releases (packages uploaded to apt) are signed with the airgapped signing key - Protection is placed on `main` and `develop` branch on GitHub -- For SecureDrop Developers, two-factor authentication is mandated on GitHub +- For SecureDrop Developers, *Two-Factor Authentication* is mandated on GitHub - Community trust is built through 3 trusted code owners and code reviews Application code — *Source Interface* and *Journalist Interface* 
@@ -53,13 +53,13 @@ Attacks to the application code — *Source Interface* and *Journalist Interface Countermeasures on both *Source* and *Journalist Interfaces* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- *Interfaces* run on an end-to-end encrypted Tor Onion Service +- *Interfaces* run on an end-to-end encrypted Tor *Onion Service* - Sensitive source and submission data is sent through HTTP POST - All source submissions are encrypted with GPG at rest using the airgapped *Submission Key* - *Interface* sessions are invalidated after a user logs out or inactivity over 120 minutes - Session control on *Interface* includes CSRF token in Flask Framework - All *Interface* session data (except language and locale selection) is discarded at logout, and fully deleted upon exiting Tor Browser -- A number of mitigations are in place as protection against malicious input vulnerabilities on the Source and Journalist Interfaces: +- A number of mitigations are in place as protection against malicious input vulnerabilities on the *Source* and *Journalist Interfaces*: - X-XSS-PROTECTION is enabled - Content-Security-Policy is set to "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';" 
@@ -87,15 +87,15 @@ Countermeasures unique to *Source Interface* Countermeasures unique to *Journalist Interface* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- *Journalist Interface* is located behind an authenticated Onion Service and only privileged users have required authorization token +- *Journalist Interface* is located behind an authenticated *Onion Service* and only privileged users have required authorization token - Only HTTP GET, POST, HEAD and DELETE methods are allowed - A number of mitigations are in place as protection against access control vulnerabilities on the *Journalist Interface*: - Apache autoindex module is disabled - - Journalist/Admin passphrases are long and automatically generated + - *Journalist*/administrator passphrases are long and automatically generated - Passphrases are stored in a database hashed with a unique salt - Account generation/revocation/reset is restricted to Admin role - - Two-factor authentication is required (via a TOTP app, or an HOTP + - *Two-Factor Authentication* is required (via a TOTP app, or an HOTP device like a YubiKey) *Application Server* and *Monitor Server* @@ -116,7 +116,7 @@ Countermeasures on both *Application* and *Monitor Servers* - All SecureDrop infrastructure is provisioned via infrastructure-as-code (Ansible scripts) - A cron job ensures that automatic nightly security updates are applied for OS packages - *Journalist Interface* uses ATHS cookie -- *Monitor Server* should only expose SSH via Tor Onion Service. All other traffic should be blocked by firewall +- *Monitor Server* should only expose SSH via Tor *Onion Service*. All other traffic should be blocked by firewall Countermeasures unique to *Application Server* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -133,9 +133,9 @@ SecureDrop dependencies — Python, Tor, Linux Kernel, apt, Qubes, Ubuntu, or ha Attacks on SecureDrop dependencies ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Known vulnerabilities in Python or libraries used by SecureDrop -- Known vulnerabilities in Tor (incl. Onion Service cryptography, authentication) +- Known vulnerabilities in Tor (incl. *Onion Service* cryptography, authentication) - Malicious apt package installed at install-time or during updates -- Known weakness in Onion Service cryptography +- Known weakness in *Onion Service* cryptography - GitHub is compromised - Firewall is not up-to-date - Qubes ISO malicious @@ -155,7 +155,7 @@ Countermeasures against vulnerabilities in Tor - A cron job ensures that automatic nightly security updates are applied for OS packages, including Tor - Grsecurity/PaX linux patches prevent the exploitation of certain memory-corruption attacks - AppArmor profiles further reduce process capabilities through Mandatory Access Control -- Onion service authentication is used as a complementary authentication and only used for defense-in-depth/attack surface reduction +- *Onion Service* authentication is used as a complementary authentication and only used for defense-in-depth/attack surface reduction Countermeasures against malicious apt installs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -170,28 +170,28 @@ Countermeasures against vulnerabilities in the hardware firewall - SecureDrop :doc:`Admin Guide ` informs administrators to update the hardware firewall and provides a very restrictive policy for accessing the administrative interface (blocked on app and mon ports of the firewall). - Alert emails are sent out to admins when there are critical pfSense vulnerabilities. - *Application* and *Monitor Servers* use IPTables as host-based firewall for defense-in-depth -- All application traffic is over Tor onion services (end-to-end encrypted) and all software packages are signed. Only DNS and NTP are transmitted over HTTP (unauthenticated and in cleartext) +- All application traffic is over Tor *Onion Services* (end-to-end encrypted) and all software packages are signed. Only DNS and NTP are transmitted over HTTP (unauthenticated and in cleartext) Network Infrastructure — FPF Infrastructure or Organization Corporate Network ----------------------------------------------------------------------------- Attacks on network infrastructure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Landing Page source control is compromised -- Landing Page host is compromised -- Landing Page is framed or unavailable -- Landing Page DNS leaks from SecureDrop/leaks-related subdomain +- *Landing Page* source control is compromised +- *Landing Page* host is compromised +- *Landing Page* is framed or unavailable +- *Landing Page* DNS leaks from SecureDrop/leaks-related subdomain - Communications vulnerability in *Source* or *Journalist Interface* -- DNS requests to news organization's subdomain for SecureDrop Landing Page, +- DNS requests to news organization's subdomain for SecureDrop *Landing Page*, Freedom.press, torproject.org Tor activity, SD submissions may be correlated - SecureDrop.org is compromised -- User web traffic to SecureDrop Landing Page uses CDN and may be logged +- User web traffic to SecureDrop *Landing Page* uses CDN and may be logged - Tor network exploit - apt 
server man-in-the-middle used to serve old or malicious packages - SecureDrop apt servers are compromised, or apt server man-in-the middle attack injects malicious packages - News Organization network is compromised -- OSSEC and/or Journalist alert SMTP account credentials compromised -- OSSEC and/or Journalist alert private key compromised +- OSSEC and/or journalist alert SMTP account credentials compromised +- OSSEC and/or journalist alert private key compromised - SMTP relay compromised - Admin's network is monitored 
@@ -207,30 +207,30 @@ Countermeasures in news organization corporate network ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - SecureDrop environment should be strictly segregated from corporate environment - Most SecureDrop traffic goes over Tor and as such is encrypted end-to-end -- Alert emails to Journalists and Admins are GPG-encrypted (but not signed) to provide confidentiality +- Alert emails to *Journalists* and administrators are GPG-encrypted (but not signed) to provide confidentiality - OSSEC alerts are scrubbed for sensitive contents (application data, server IPs) -- Documented deployment best practices provide instructions to strengthen Landing Page security and privacy +- Documented deployment best practices provide instructions to strengthen *Landing Page* security and privacy User Behavior and Hardware — SecureDrop Hardware Tampering or Failure in Operational Security --------------------------------------------------------------------------------------------- Attacks on user behavior or hardware ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Journalist corporate workstation seized/tampered/compromised +- *Journalist* corporate workstation seized/tampered/compromised - Transfer device seized/stolen/lost -- Admin two-factor authentication device is lost or compromised +- Admin *Two-Factor Authentication* device is lost or compromised - Admin SSH Key is compromised - SecureDrop installer misconfigures server/firewall hardware -- Source uses tor2web or employer/corporate device -- Source shares that they are using SecureDrop/leaking documents -- Journalist/Admin gets phished from a submission or otherwise breaks the SVS airgap with malware +- *Source* uses tor2web or employer/corporate device +- *Source* shares that they are using SecureDrop/leaking documents +- *Journalist*/administrator gets phished from a submission or otherwise breaks the SVS airgap with malware Countermeasures in user behavior recommendations 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - :doc:`Source Guide ` gives instructions on best practices for the entire submission workflow -- Source interface banner suggests that user disables JS (high security settings in Tor Browser) +- *Source Interface* banner suggests that user disables JS (high security settings in Tor Browser) - :doc:`Journalist Guide ` informs users of malware risks, the importance of strict compartmentalization of SecureDrop-related activities - :doc:`SecureDrop Deployment Guide ` gives best practices for proper administration of the SecureDrop system, and its public-facing properties like the Landing Page -- :doc:`Admin Guide ` gives instructions for long-term maintenance of the technical properties of the SecureDrop system, as well as operations to support Journalists -- All Admin tasks are completed over Tor/Tor authenticated onion services after installation -- Any Journalist/Admin password/2FA credentials resets can only be done by an Admin with password-protected SSH capability or authenticated Onion Service credentials. +- :doc:`Admin Guide ` gives instructions for long-term maintenance of the technical properties of the SecureDrop system, as well as operations to support *Journalists* +- All adminsitrator tasks are completed over Tor/Tor authenticated *Onion Services* after installation +- Any journalist/admin password/2FA credentials resets can only be done by an administrator with password-protected SSH capability or authenticated *Onion Service* credentials. diff --git a/docs/includes/backup-and-update-reminders.txt b/docs/includes/backup-and-update-reminders.txt index a5f4d612a..9ac6603d4 100644 --- a/docs/includes/backup-and-update-reminders.txt +++ b/docs/includes/backup-and-update-reminders.txt 
@@ -1,7 +1,7 @@ Back Up the Tails workstations ------------------------------- USB flash drives degrade over time and vary in quality. To ensure continued -access to SecureDrop by administrators and journalists, we recommend backing up +access to SecureDrop by administrators and *Journalists*, we recommend backing up the Tails Workstations on the occasion of a new SecureDrop release, after you have completed the upgrade process for each drive. diff --git a/docs/includes/tor-security-setting.txt b/docs/includes/tor-security-setting.txt index 4328c90e0..3fd813e1c 100644 --- a/docs/includes/tor-security-setting.txt +++ b/docs/includes/tor-security-setting.txt @@ -1,6 +1,6 @@ .. note:: - If the QR code for setting up two-factor authentication in your mobile authenticator app is not + If the QR code for setting up *Two-Factor Authentication* in your mobile authenticator app is not displayed, it may be blocked by Tor Browser. You can set Tor Browser's security level to **Standard** by clicking on the Shield icon. Alternatively, you can manually type in the two-factor secret (in FreeOTP, use the **Add token** option from the menu). diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index e7be187fd..5213a6b4b 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst 
@@ -4,11 +4,11 @@ SecureDrop Workstation and Qubes OS What is SecureDrop Workstation? ------------------------------- -A SecureDrop Workstation is a laptop used by a journalist to connect to a SecureDrop instance and securely view submissions and reply to messages from sources. The SecureDrop Workstation is based on Qubes OS and it consists of several different carefully-configured virtual machines (VMs), so that everything a journalist needs to use SecureDrop resides on one computer. +A SecureDrop Workstation is a laptop used by a *Journalist* to connect to a SecureDrop instance and securely view submissions and reply to messages from *Sources*. The SecureDrop Workstation is based on Qubes OS and it consists of several different carefully-configured virtual machines (VMs), so that everything a *Journalist* needs to use SecureDrop resides on one computer. -Encryption and decryption happen with one click using a network-isolated VM that holds the SecureDrop Submission Key. Submissions can be viewed securely on the same machine thanks to a `feature of Qubes`_ that creates temporary VMs in which to view untrusted content without exposing the rest of the system to that content. Journalists use the SecureDrop Workstation to decrypt, view, reply to, and export submissions. +Encryption and decryption happen with one click using a network-isolated VM that holds the SecureDrop *Submission Private Key*. Submissions can be viewed securely on the same machine thanks to a `feature of Qubes`_ that creates temporary VMs in which to view untrusted content without exposing the rest of the system to that content. *Journalists* use the SecureDrop Workstation to decrypt, view, reply to, and export submissions. -A key feature of SecureDrop is that journalists can receive submissions from unknown sources without risking the security of their own machines and networks. 
Previously, SecureDrop accomplished this by using a physical airgap (the *Secure Viewing Station*), meaning that to view submissions, journalists would have to download them, transfer them to an encrypted USB drive, and physically take that drive to a separate, non-networked computer for decryption and viewing. SecureDrop Workstation combines all of those steps into one workflow on one machine: a Qubes computer that combines the *Journalist Workstation* and the *Secure Viewing Station*. +A key feature of SecureDrop is that *journalists* can receive submissions from unknown *Sources* without risking the security of their own machines and networks. Previously, SecureDrop accomplished this by using a physical airgap (the Secure Viewing Station), meaning that to view submissions, *Journalists* would have to download them, transfer them to an encrypted USB drive, and physically take that drive to a separate, non-networked computer for decryption and viewing. SecureDrop Workstation combines all of those steps into one workflow on one machine: a Qubes computer that combines the *Journalist Workstation* and the Secure Viewing Station. .. | securedrop_workstation_workflow | @@ -78,8 +78,8 @@ running for SecureDrop Inbox to successfully connect to the server. Installing additional software on the SecureDrop Workstation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Right now, the project is designed to make the journalist experience -easier by combining the functionality of the Journalist Workstation and Secure +Right now, the project is designed to make the *Journalist* experience +easier by combining the functionality of the *Journalist Workstation* and Secure Viewing Station. The main focus is making sure that checking SecureDrop is easier and faster. 
@@ -164,13 +164,13 @@ important protections that SecureDrop Workstation provides. On the other hand, v in Qubes OS or Xen Hypervisor may have a greater security impact than vulnerabilities in Tails, the operating system used on a Secure Viewing Station. -A typical SVS USB drive may contain documents from multiple sources and always +A typical SVS USB drive may contain documents from multiple *Sources* and always contains the highly sensitive private key needed to decrypt them. An adversary who does manage to achieve a security compromise (e.g., through a vulnerability in a file viewer application) can access these other files, and may be able to exfiltrate them. In spite of the air-gap, this may be possible through physical channels used to transfer files -off the SVS (e.g., USB drives), or by motivating the journalist user to perform an +off the SVS (e.g., USB drives), or by motivating the *Journalist* to perform an unsafe action (e.g., `scanning a QR code `__). Because the air-gapped SVS has no Internet access, updates can only be performed using diff --git a/docs/introduction/what_is_securedrop.rst b/docs/introduction/what_is_securedrop.rst index 7d546ef59..04d2ba1a0 100644 --- a/docs/introduction/what_is_securedrop.rst +++ b/docs/introduction/what_is_securedrop.rst 
@@ -133,7 +133,7 @@ message is automatically deleted. Journalists are also encouraged to regularly delete all information from the SecureDrop server and store anything they would like saved in offline storage to minimize risk. More detailed information can be found in our -:ref:`sample privacy policy `, which we encourage news organizations using SecureDrop to adopt from when creating their own. Make sure to also follow our :ref:`best practices for creating the SecureDrop landing page ` so that it logs as little information as possible as well. +:ref:`sample privacy policy `, which we encourage news organizations using SecureDrop to adopt from when creating their own. Make sure to also follow our :ref:`best practices for creating the SecureDrop *Landing Page* ` so that it logs as little information as possible as well. Security -------- @@ -189,9 +189,9 @@ and must be physically located on-site within your organization's premises. - *Application Server*: An Ubuntu server running two segmented Tor hidden services. The source connects to the *Source Interface*, a public-facing Tor - Onion Service, to send messages and documents to the journalist. The + *Onion Service*, to send messages and documents to the journalist. The journalist connects to the *Journalist Interface*, an `authenticated Tor - Onion Service + *Onion Service* `__, to download encrypted documents and respond to sources. - *Monitor Server*: diff --git a/docs/journalist/journalist.rst b/docs/journalist/journalist.rst index 27a963e9e..13e8a70f3 100644 --- a/docs/journalist/journalist.rst +++ b/docs/journalist/journalist.rst 
@@ -1,19 +1,19 @@ -SecureDrop for Journalists -========================== +SecureDrop for *Journalists* +============================ .. include:: ../includes/provide-feedback.txt This guide presents an overview of the SecureDrop system for a -journalist. It covers the core functions necessary to start working +*Journalist*. It covers the core functions necessary to start working with the platform: logging in securely, viewing documents, editing -documents, and interacting with sources. +documents, and interacting with *Sources*. -Journalists will use the *Journalist Workstation* to read, print, and +*Journalists* will use the *Journalist Workstation* to read, print, and otherwise prepare documents for publication. Apart from those deliberately published, decrypted documents are never opened in an environment with direct access to the Internet -SecureDrop provides a number of benefits intended to protect journalists. +SecureDrop provides a number of benefits intended to protect *Journalists*. Communications through SecureDrop are encrypted in transit, so messages cannot be easily intercepted and read while they are moving across the Internet, and are also encrypted on the server so if any attacker manages @@ -27,8 +27,8 @@ It also helps in the event of a subpoena or court order. All servers are owned by the individual news organization, so no third-party companies can be secretly subpoenaed. Additionally, SecureDrop limits the amount of metadata it collects and saves, so there's no trail showing exactly when -a journalist was speaking with a source, or details that might give -the source away. +a *Journalist* was exchanging messages with a *Source*, or details that might give +the *Source* away. For full details about what makes SecureDrop a unique and useful tool for -Journalists, :doc:`see here. ` +*Journalists*, :doc:`see here. ` diff --git a/docs/journalist/sources.rst b/docs/journalist/sources.rst index 6b01cce92..82b7dca70 100644 
--- a/docs/journalist/sources.rst +++ b/docs/journalist/sources.rst @@ -1,7 +1,7 @@ Communicating with sources ========================== -The *Journalist Workstation* lets journalists check SecureDrop, decrypt and securely +The *Journalist Workstation* lets *Journalists* check SecureDrop, decrypt and securely view submissions, and reply to sources, all on the same computer. Once logged in, you will see a chat-like user interface: @@ -30,7 +30,7 @@ source list. |screenshot_sdapp_main_view| -Journalists sending replies are assigned different colors and identified with +*Journalists* sending replies are assigned different colors and identified with their initials. Move your mouse pointer over the initials to reveal the full name. diff --git a/docs/journalist/starting_client.rst b/docs/journalist/starting_client.rst index a5d2acf69..3d70c440e 100644 --- a/docs/journalist/starting_client.rst +++ b/docs/journalist/starting_client.rst @@ -36,9 +36,9 @@ Signing in To sign in, enter the username and passphrase provided to you by your SecureDrop administrator, as well as the two-factor code using the method you -have set up. If you have used SecureDrop before, these -are the same credentials that you would use to log in to the Journalist -Interface. +have set up. If you have used SecureDrop Workstation before, these +are the same credentials that you would use to log in to the *Journalist +Interface*. |screenshot_sd-app_login| @@ -53,9 +53,9 @@ Seen and unseen submissions --------------------------- Sources with submissions (messages or files) that have not been seen by -any journalist user will be displayed in bold text in the source list. +any *Journalist* will be displayed in bold text in the source list. -As soon as any journalist user clicks on a source with unseen submissions, it +As soon as any *Journalist* clicks on a source with unseen submissions, it will be marked as seen (no longer displayed in bold text) for all users. Working offline 
diff --git a/docs/journalist/submissions.rst b/docs/journalist/submissions.rst index ce92c3bf1..66a3362e9 100644 --- a/docs/journalist/submissions.rst +++ b/docs/journalist/submissions.rst @@ -1,7 +1,7 @@ Working with submissions ======================== -When a source submits files, you will see a Download button in the conversation +When a *Source* submits files, you will see a Download button in the conversation flow, a file size, and light-gray text that says "Encrypted File." |screenshot_file_before_download| @@ -79,7 +79,7 @@ Exporting submissions from the *Journalist Workstation* the risk of spreading malware to that computer. Make sure you understand the risks, and consider other methods to export the document (e.g., print). -If you must copy a file from your **Journalist Workstation** to another computer or device in digital form, our :doc:`recommendation ` is that journalists are provided with an d *Encrypted USB Drive*, drive which is encrypted using `VeraCrypt `__. +If you must copy a file from your *Journalist Workstation* to another computer or device in digital form, our :doc:`recommendation ` is that journalists are provided with an d *Encrypted USB Drive*, drive which is encrypted using `VeraCrypt `__. These instructions assume that you are following the recommended workflow. If you are unsure, ask your administrator. @@ -106,7 +106,7 @@ Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting su |screenshot_veracrypt_sd_devices_files_unlock| 4. Click **Connect**. -3. Back in your source's conversation, click **Export**. +3. Back in your *Source*'s conversation, click **Export**. |screenshot_export_dialog| 4. If you have not already unlocked your USB drive, you will be prompted for the password configured for this USB drive. 
@@ -192,7 +192,7 @@ are important steps you can take to protect yourself: QR codes can contain malicious links that your device will automatically visit. This can alert third-parties to your actions, reveal the identities - of your sources, and breach the air gap that is in place with the + of your *Sources*, and breach the air gap that is in place with the *Secure Viewing Station*. In general, be careful when opening any links provided in a SecureDrop diff --git a/docs/source/after_you_submit.rst b/docs/source/after_you_submit.rst index bf6ce36c3..27e45c92b 100644 --- a/docs/source/after_you_submit.rst +++ b/docs/source/after_you_submit.rst @@ -15,15 +15,15 @@ The next page will ask for your secret codename. Enter it and click |Check for response| -If a journalist has responded, their message will appear on the +If a *Journalist* has responded, their message will appear on the next page. Before leaving the page, you should delete any replies. In the unlikely event that someone learns your codename, this will ensure that they will not be able to see the previous -correspondences you had with journalists. +correspondences you had with *Journalists*. |Check for a reply| -After you delete the reply from the journalist, make sure you see the +After you delete the reply from the *Journalist*, make sure you see the confirmation message: "Reply deleted". |Delete received messages| diff --git a/docs/source/before_you_submit.rst b/docs/source/before_you_submit.rst index 529602a89..d2ca68d71 100644 --- a/docs/source/before_you_submit.rst +++ b/docs/source/before_you_submit.rst 
@@ -44,7 +44,7 @@ Use Tor Browser --------------- Each SecureDrop may **only** be reached through the Tor Browser. -SecureDrop pages are only available as onion services—encrypted web pages +SecureDrop pages are only available as *Onion Services*—encrypted web pages that end in ".onion," and only the Tor browser is able to open these pages. Tor is an anonymizing network that makes it difficult for anybody observing the @@ -87,14 +87,14 @@ We recommend conducting all research related to your submission in Tor Browser. If you are unsure whether you are using Tor, you can visit the address https://check.torproject.org. -All organizations operating SecureDrop have a *landing page* that provides their +All organizations operating SecureDrop have a *Landing Page* that provides their own organization-specific recommendations for using SecureDrop. We encourage -you to consider an organization's *landing page* before submitting to them. +you to consider an organization's *Landing Page* before submitting to them. .. note:: Each SecureDrop instance is operated and administered independently by - the organization you are submitting to. Only the journalists associated + the organization you are submitting to. Only the *Journalists* associated with that organization can see your submissions. Most organizations make their SecureDrop prominently accessible from their 
@@ -110,12 +110,12 @@ the organization that you wish to submit to. If the organization does have an entry in the SecureDrop Directory, we recommend comparing the address of the entry with the one on the - organization's own SecureDrop landing page. + organization's own SecureDrop *Landing Page*. If the two addresses don't match, please do not submit to this organization yet. Instead, please `contact us `__ through the SecureDrop website, using Tor Browser. For additional - security, you can use our .onion service address in Tor: + security, you can use our .onion address in Tor: ``sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion/report-an-error`` diff --git a/docs/source/how_to_submit.rst b/docs/source/how_to_submit.rst index f573e4f97..af1649425 100644 --- a/docs/source/how_to_submit.rst +++ b/docs/source/how_to_submit.rst @@ -3,10 +3,10 @@ How to submit .. note:: - This guide provides an introduction to using SecureDrop as a source. + This guide provides an introduction to using SecureDrop as a *Source*. It is not exhaustive, it does not address ethical or legal dimensions of whistleblowing, and it does not speak to other methods for confidentially - communicating with journalists. Please proceed at your own risk. For additional + communicating with *Journalists*. Please proceed at your own risk. For additional background, also see the Freedom of the Press Foundation guide, `How to Share Sensitive Leaks With the Press `__. @@ -45,7 +45,7 @@ will pop up explaining how to increase the security level to **Safest**. 3. If the current level is not already set to **Safest**, click **Change…** 4. Select **Safest** 5. Select **Save and restart** for the changes to take effect -6. Navigate back to the Source Interface for the SecureDrop for which you wish to submit +6. Navigate back to the *Source Interface* for the SecureDrop for which you wish to submit |Security Slider| 
@@ -86,11 +86,11 @@ Once you have generated a codename and put it somewhere safe, click **Submit Documents**. You will next be brought to the submission page, where you may -upload a document, enter a message to send to journalists, or both. You +upload a document, enter a message to send to *Journalists*, or both. You can only submit one document at a time, so you may want to combine several files into a ZIP archive if necessary. The maximum submission size is currently 500MB. If the files you wish to upload are over that -limit, we recommend that you send a message to the journalist explaining +limit, we recommend that you send a message to the *Journalist* explaining this, so that they can set up another method for transferring the documents. diff --git a/docs/source/source.rst b/docs/source/source.rst index 50f83274d..10f62de36 100644 --- a/docs/source/source.rst +++ b/docs/source/source.rst @@ -1,12 +1,12 @@ -SecureDrop for sources -====================== +SecureDrop for *Sources* +======================== .. note:: - This guide provides an introduction to using SecureDrop as a source. + This guide provides an introduction to using SecureDrop as a *Source*. It is not exhaustive, it does not address ethical or legal dimensions of whistleblowing, and it does not speak to other methods for confidentially - communicating with journalists. Please proceed at your own risk. For additional + communicating with *Journalists*. Please proceed at your own risk. For additional background, also see the Freedom of the Press Foundation guide, `How to Share Sensitive Leaks With the Press `__. 
@@ -21,14 +21,14 @@ What is SecureDrop? ------------------- SecureDrop is a tool that news organizations and NGOs use that enables secure -and anonymous communication between whistleblowers and journalists. +and anonymous communication between whistleblowers and *Journalists*. No personal information is collected; information submitted to SecureDrop is encrypted, and SecureDrop is not a “cloud” service. If you don't have sensitive information to send to a news organization, it may be okay to use a traditional methods such as phone or email when reaching out. SecureDrop can accept both messages and individual file uploads (up to 500MB). -If you have multiple files to submit, you may do that. As a source, you can also +If you have multiple files to submit, you may do that. As a *Source*, you can also return to receive follow-up correspondence with an organization, or to send additional information. Dozens of news organizations — from *ProPublica* to *The New York Times* — use SecureDrop From 1df716afc62f033fd2c7579b4a2446c237b89beb Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Mon, 15 Jun 2026 09:43:04 -0400 Subject: [PATCH 09/24] Admin and Journalist Workstation glossary cleanup --- docs/admin/deployment/https_source_interface.rst | 4 ++-- docs/admin/maintenance/rebuild_admin.rst | 4 ++-- docs/admin/reference/admin_interface.rst | 2 +- docs/appendices/glossary.rst | 9 +++++++++ 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index 1ac9a2903..26da60aa5 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst 
@@ -66,7 +66,7 @@ involves: 6. Downloading the certificate from the DigiCert panel. 7. Installing the cert on the SecureDrop *Application Server*, via ``securedrop-admin``. -For SecureDrop, you should perform these steps on the Admin Workstation. +For SecureDrop, you should perform these steps on the *Admin Workstation*. Below are detailed steps for use on Tails: .. code:: sh @@ -107,7 +107,7 @@ The Greek CA `Harica`_ is now providing Domain Validation (DV) certificates for ``.onion`` addresses. DV certificates are less useful for authentication purposes, but may still be used to provide another layer of encryption for *Source* traffic. The commands provide detail on how to obtain a DV certificate from Harica on -the Admin Workstation: +the *Admin Workstation*: .. code:: sh diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index f8355f2cc..51744ef34 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -201,7 +201,7 @@ local IP address as well. Enabling access from the new *Admin Workstation* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -From the *Admin Workstation*, open a terminal and copy the *Admin Workstation's* +From the *Admin Workstation*, open a terminal and copy the *Admin Workstation*'s SSH public key to the servers, substituting the values for the server administration username and server IP addresses in the commands below and entering the admin account's password when prompted: 
@@ -476,5 +476,5 @@ We recommend completing the following tasks after the rebuild: You may copy these files using a *Transfer Device* (which must be wiped afterwards), or boot into each of your additional Tails workstations, plug in and unlock your *Admin Workstation*'s encrypted partition via the **Places** app, and manually copy - the file(s) from the Admin Workstation to the same directory on the target Tails + the file(s) from the *Admin Workstation* to the same directory on the target Tails workstation. diff --git a/docs/admin/reference/admin_interface.rst b/docs/admin/reference/admin_interface.rst index a8fa22e21..dc1377516 100644 --- a/docs/admin/reference/admin_interface.rst +++ b/docs/admin/reference/admin_interface.rst @@ -189,7 +189,7 @@ You can update the system logo shown on the web interfaces of your SecureDrop instance via the *Admin Interface*. We recommend a size of ``500px x 450px``. Only PNG-format images are supported. To update the logo image: -#. Copy the logo image to your admin workstation +#. Copy the logo image to your *Admin Workstation* #. Click **Browse** and select the image from your workstation's filesystem #. Click **Update Logo** to upload and set the new logo diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index 409dd95e9..bd1faf15b 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -7,6 +7,10 @@ A number of terms used in this guide, and in the `SecureDrop workflow diagram `, are specific to SecureDrop. The list below attempts to enumerate and define these terms. +Admin Workstation +----------------- + +.. TODO add SDW-specific Admin Workstation Description Application Server ------------------ 
@@ -40,6 +44,11 @@ private key to decrypt the alerts. .. _glossary_landing_page: +Journalist Workstation +---------------------- + +.. TODO add SDW description of Journalist Workstation + Landing Page ------------ The *Landing Page* is the public-facing webpage for a SecureDrop instance. This From ea23d3f16905b456c9d38c568f6b20061af0bebc Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Mon, 15 Jun 2026 09:49:13 -0400 Subject: [PATCH 10/24] Remove title case --- docs/includes/backup-and-update-reminders.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/includes/backup-and-update-reminders.txt b/docs/includes/backup-and-update-reminders.txt index 9ac6603d4..88e798b97 100644 --- a/docs/includes/backup-and-update-reminders.txt +++ b/docs/includes/backup-and-update-reminders.txt @@ -1,4 +1,4 @@ -Back Up the Tails workstations +Back up the tails workstations ------------------------------- USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and *Journalists*, we recommend backing up From 5ccfb05587fea66d4ef23f14c27fdee27664418b Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Mon, 15 Jun 2026 10:04:09 -0400 Subject: [PATCH 11/24] Standardize use of onion address, onion name --- .../admin/deployment/deployment_practices.rst | 2 +- .../deployment/https_source_interface.rst | 21 +++++++++---------- docs/admin/deployment/landing_page.rst | 8 +++---- docs/admin/deployment/onion_name.rst | 12 +++++------ docs/admin/deployment/tor_pow.rst | 2 +- .../installation/create_admin_account.rst | 2 +- docs/admin/installation/install.rst | 10 ++++----- docs/admin/installation/set_up_keepassxc.rst | 4 ++-- docs/admin/maintenance/backup_and_restore.rst | 4 ++-- docs/admin/maintenance/decommission.rst | 2 +- docs/admin/maintenance/rebuild_admin.rst | 4 ++-- docs/source/before_you_submit.rst | 4 ++-- docs/source/how_to_submit.rst | 2 +- 13 files changed, 38 insertions(+), 39 deletions(-) 
diff --git a/docs/admin/deployment/deployment_practices.rst b/docs/admin/deployment/deployment_practices.rst index 85e5ee4c6..db0c6009c 100644 --- a/docs/admin/deployment/deployment_practices.rst +++ b/docs/admin/deployment/deployment_practices.rst @@ -30,7 +30,7 @@ SecureDrop hardware must employ a set of basic security best practices or risk losing any source protection provided by SecureDrop. Freedom of the Press Foundation eventually plans to `list all of those -SecureDrop onion URLs `__ that meet the +SecureDrop onion addresses `__ that meet the minimum requirements for deployment best practices as "verified" on its website. If your organization cannot follow the minimum guidelines, we cannot recommend your SecureDrop instance as safe to use. diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index 26da60aa5..2d414a669 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst @@ -4,13 +4,13 @@ HTTPS on the *Source Interface* .. TODO update this page for Qubes The SecureDrop *Source Interface* is served as an *Onion Service* with an ``.onion`` -URL, requiring Tor Browser to access it. While *Onion Services* provide +address, requiring Tor Browser to access it. While *Onion Services* provide end-to-end encryption by default, as well as strong anonymity, there are several reasons why you might want to consider deploying an additional layer of encryption and authentication via HTTPS: * Extended Validation (EV) certificates, which are currently the only type of - certificates that may be issued for ``*.onion`` addresses, are intended to + certificates that may be issued for onion addresses, are intended to attest to the identity of the organization running a service. This provides an additional measure of authenticity (in addition to the organization's *Landing Page* and the `SecureDrop Directory`_) to help assure *Sources* that 
@@ -24,18 +24,17 @@ encryption and authentication via HTTPS: .. _`SecureDrop Directory`: https://securedrop.org/directory/ -Obtaining an HTTPS certificate for onion URLs ---------------------------------------------- +Obtaining an HTTPS certificate for onion addresses +-------------------------------------------------- Digicert ~~~~~~~~ DigiCert is one of only two Certificate Authorities (CA) that issue HTTPS -certificates for ``.onion`` sites. DigiCert requires organizations to follow +certificates for onion addresses. DigiCert requires organizations to follow the Extended Validation (EV) process in order to obtain a certificate for an Onion URL, so you should start by reviewing `DigiCert's documentation`_ for -obtaining a ``.onion`` certificate. - +obtaining an HTTPS certificate for an onion address. The EV certificates display information about an organization under the certificate icon beside the URL bar: @@ -49,9 +48,9 @@ verification already available in the `SecureDrop Directory`_. In order to obtain an HTTPS certificate for your SecureDrop instance, `contact DigiCert directly`_. As part of the Extended Validation, you will be required both to confirm your affiliation with the organization, -and to demonstrate control over the Onion URL for your *Source* Interface. +and to demonstrate control over the onion address for your *Source* Interface. -In order for you to demonstrate control over the Onion URL for your *Source* +In order for you to demonstrate control over the onion address for your *Source* Interface, you will need to perform a signing operation leveraging the private key of the *Onion Service* used on the *Source* Interface. DigiCert will provide you with some text and request that you use that text 
@@ -104,7 +103,7 @@ see instructions below for installing the certificate on the SecureDrop *Applica Harica ~~~~~~ The Greek CA `Harica`_ is now providing Domain Validation (DV) certificates for -``.onion`` addresses. DV certificates are less useful for authentication purposes, +onion addresses. DV certificates are less useful for authentication purposes, but may still be used to provide another layer of encryption for *Source* traffic. The commands provide detail on how to obtain a DV certificate from Harica on the *Admin Workstation*: @@ -144,7 +143,7 @@ Activating HTTPS in SecureDrop Make sure you have :doc:`installed SecureDrop already `. -Make note of the *Source Interface* Onion URL. Now from a Terminal +Make note of the *Source Interface* onion address. Now from a Terminal on your *Admin Workstation*: .. code:: sh diff --git a/docs/admin/deployment/landing_page.rst b/docs/admin/deployment/landing_page.rst index c7d70fa14..cf490d626 100644 --- a/docs/admin/deployment/landing_page.rst +++ b/docs/admin/deployment/landing_page.rst @@ -115,7 +115,7 @@ most significant benefit is that it will be easier for potential *Sources* to find your SecureDrop instance. Additionally, being included in the directory makes you eligible for :doc:`an onion name. ` This improves the experience by turning a lengthy, non-descriptive address -into one that is short and memorable. For example, a long .onion address +into one that is short and memorable. For example, a long onion address might look like: :: sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion 
@@ -251,15 +251,15 @@ services intercept requests between a potential *Source* and the SecureDrop .. _`track`: https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions -Do not hyperlink .onion addresses +Do not hyperlink onion addresses --------------------------------- Because a visitor to your *Landing Page* may not be using Tor Browser yet, -clicking a link to your SecureDrop instance or to any other .onion address may +clicking a link to your SecureDrop instance or to any other onion address may result in an error message. Worse, depending on the browser and network configuration, it may cause lookups that an adversary can use to identify SecureDrop-related behavior. -Instead, we recommend including .onion addresses in plain text, without a +Instead, we recommend including onion addresses in plain text, without a hyperlink. If you have been provided a short onion name for your instance, this address diff --git a/docs/admin/deployment/onion_name.rst b/docs/admin/deployment/onion_name.rst index 91136f0aa..c50dfe09e 100644 --- a/docs/admin/deployment/onion_name.rst +++ b/docs/admin/deployment/onion_name.rst @@ -8,7 +8,7 @@ Onion names are short, memorable addresses that visitors can use to access an *Onion Service* (e.g., a news organization's SecureDrop) using Tor Browser. Imagine a SecureDrop instance for a new organization called -*The New York World* with a .onion address like this: +*The New York World* with an onion address like this: `sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion` 
@@ -24,7 +24,7 @@ How they work ^^^^^^^^^^^^^ Onion names are supported in the desktop version of Tor Browser (introduced -in version 9.5). The mapping between onion names and the full-length .onion +in version 9.5). The mapping between onion names and the full-length onion addresses is done using a custom, signed ruleset for SecureDrop instances maintained by Freedom of the Press Foundation. The ruleset is updated automatically by Tor Browser, and no information is sent to third party servers @@ -39,7 +39,7 @@ in some form. The underlying implementation and the address format may change in future iterations of this feature. To the extent that any changes are required, we will reach out to coordinate them with you. -Getting An onion name +Getting an onion name ^^^^^^^^^^^^^^^^^^^^^ Freedom of the Press Foundation maintains onion names for SecureDrop instances @@ -59,8 +59,8 @@ eligible for inclusion, your SecureDrop and its associated clearnet *Landing Page* must be set up consistent with the best practices recommended in our documentation. -If you are already part of the SecureDrop directory and would like an -Onion Name, :ref:`please contact us.` +If you are already part of the SecureDrop directory and would like a short +onion name, :ref:`please contact us.` Does This Replace the original address? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -104,4 +104,4 @@ reasons including but not limited to: Unless the removal is an emergency, we will attempt to offer a substantial grace period prior to the revocation of an onion name, to ensure you can inform -your *Sources* about the change to your .onion address. +your *Sources* about the change to your onion address. diff --git a/docs/admin/deployment/tor_pow.rst b/docs/admin/deployment/tor_pow.rst index dfc4bab52..b20f2cccc 100644 --- a/docs/admin/deployment/tor_pow.rst +++ b/docs/admin/deployment/tor_pow.rst 
@@ -2,7 +2,7 @@ Tor proof-of-work defense on the *Source Interface* =================================================== The SecureDrop *Source Interface* is served as an *Onion Service* with an -``.onion`` URL, requiring Tor Browser to access it over the Tor network. Tor is +onion address, requiring Tor Browser to access it over the Tor network. Tor is sometimes targeted for denial-of-service (DoS) attacks that can `slow down the Tor network as a whole `_ as well as burden individual *Onion Services*, including SecureDrops. diff --git a/docs/admin/installation/create_admin_account.rst b/docs/admin/installation/create_admin_account.rst index 499db9dde..9834bb634 100644 --- a/docs/admin/installation/create_admin_account.rst +++ b/docs/admin/installation/create_admin_account.rst @@ -53,7 +53,7 @@ Passphrases include the spaces between the words, but not leading or trailing whitespace. Be sure to save this passphrase in the appropriate KeePassXC database. Once that's done, you should open Tor Browser |TorBrowser| and -navigate to the *Journalist Interface*'s .onion address. Verify that you +navigate to the *Journalist Interface*'s onion address. Verify that you can log in to the *Journalist Interface* with the admin account you just created. diff --git a/docs/admin/installation/install.rst b/docs/admin/installation/install.rst index 70ec0a2c6..cffad0cb5 100644 --- a/docs/admin/installation/install.rst +++ b/docs/admin/installation/install.rst 
@@ -293,13 +293,13 @@ Once the installation is complete, addresses and credentials for each V3 *Onion Services* ------------------- -- ``app-sourcev3-ths`` contains the v3 ``.onion`` address of the *Source +- ``app-sourcev3-ths`` contains the v3 onion address of the *Source Interface*. -- ``app-journalist.auth_private`` contains the ``onion`` address and private key +- ``app-journalist.auth_private`` contains the onion address and private key providing access to the *Journalist Interface*. -- ``app-ssh.auth_private`` contains the ``onion`` address and private key +- ``app-ssh.auth_private`` contains the onion address and private key providing SSH access to the *Application Server*. -- ``mon-ssh.auth_private`` contains the ``onion`` address and private key +- ``mon-ssh.auth_private`` contains the onion address and private key providing SSH access to the *Monitor Server*. - ``tor_v3_keys.json`` contains the keypairs required for access to the *Journalist Interface* and SSH access to the servers - it is required for @@ -310,7 +310,7 @@ V3 *Onion Services* or copied from the *Admin Workstation* for any purpose other than tasks such as performing backups or onboarding new users. -The dynamic inventory file will automatically read the ``onion`` addresses from +The dynamic inventory file will automatically read the onion addresses from the ``app-ssh.auth_private`` and ``mon-ssh.auth_private`` files and use them to connect to the servers over SSH during subsequent playbook runs. diff --git a/docs/admin/installation/set_up_keepassxc.rst b/docs/admin/installation/set_up_keepassxc.rst index 86d422ad9..fbf3289ec 100644 --- a/docs/admin/installation/set_up_keepassxc.rst +++ b/docs/admin/installation/set_up_keepassxc.rst 
@@ -52,9 +52,9 @@ the template are: **Admin**: - Admin account username -- *Application Server* SSH Onion URL +- *Application Server* SSH Onion address - Email account for sending OSSEC alerts -- *Monitor Server* SSH Onion URL +- *Monitor Server* SSH Onion address - Network Firewall Admin Credentials - *OSSEC Alert Public Key* - SecureDrop Login Credentials diff --git a/docs/admin/maintenance/backup_and_restore.rst b/docs/admin/maintenance/backup_and_restore.rst index c09d613a2..e6b0c2009 100644 --- a/docs/admin/maintenance/backup_and_restore.rst +++ b/docs/admin/maintenance/backup_and_restore.rst @@ -3,7 +3,7 @@ Backing up and restoring servers Maintaining regular backups helps guard against data loss and hardware failure. Having a recent backup will allow you to redeploy -SecureDrop without changing onion URLs, recreating journalist accounts, +SecureDrop without changing onion addresses, recreating journalist accounts, or losing previous submissions from *Sources*. .. note:: Only the *Application Server* is backed up and restored, including @@ -315,7 +315,7 @@ Data-only restores '''''''''''''''''' The ``restore`` command normally restores both the data and the Tor -configuration of an instance, including the .onion URLs for your instance. +configuration of an instance, including the onion addresses for your instance. You may, however, restore data, such as submissions and journalist and source accounts, without altering an instance's Tor configuration, with diff --git a/docs/admin/maintenance/decommission.rst b/docs/admin/maintenance/decommission.rst index 23de70231..0bae1fc63 100644 --- a/docs/admin/maintenance/decommission.rst +++ b/docs/admin/maintenance/decommission.rst 
@@ -69,7 +69,7 @@ SecureDrop instance. alias and PGP key used for receiving OSSEC alerts, in order to retire them. #. **Optional: Save a backup.** - If you want to save a backup of the *Application Server* (for example, to reinstall SecureDrop in the future using the same `.onion` address), follow + If you want to save a backup of the *Application Server* (for example, to reinstall SecureDrop in the future using the same onion address), follow our :doc:`backup guidelines `. Once the backup has been created, you can move it onto an encrypted device, such as a LUKS-encrypted drive. You will also require a backup of the *Submission Private Key* found on the diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 51744ef34..ab44dd12b 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -123,7 +123,7 @@ chosen, you can check as follows: and password. #. Check to see if an SSH hidden proxy service exists, using the command ``sudo cat /var/lib/tor/services/sshv3/hostname``. If this file exists and - includes an Onion URL, your instance is set up + includes an onion address, your instance is set up to use SSH over Tor and you should configure temporary SSH access using :ref:`these instructions `. If not, your instance is set up to use SSH over LAN, and you should follow @@ -422,7 +422,7 @@ When the installation completes, run: Once this command completes: - verify that the Hostname references in ``~/.ssh/config`` have been updated - to refer to Onion URLs instead of direct IP addresses + to refer to onion addresses instead of direct IP addresses - verify that you can connect to the servers using ``ssh app`` and ``ssh mon`` - verify that the *SecureDrop Menu* for the *Source* and *Journalist Interfaces* diff --git a/docs/source/before_you_submit.rst b/docs/source/before_you_submit.rst index d2ca68d71..4dfff45f4 100644 --- a/docs/source/before_you_submit.rst 
+++ b/docs/source/before_you_submit.rst @@ -115,13 +115,13 @@ the organization that you wish to submit to. If the two addresses don't match, please do not submit to this organization yet. Instead, please `contact us `__ through the SecureDrop website, using Tor Browser. For additional - security, you can use our .onion address in Tor: + security, you can use our onion address in Tor: ``sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion/report-an-error`` We will update the directory entry if the information in it is incorrect. -Once you have located the ".onion" address, copy it into the address bar in Tor +Once you have located the onion address, copy it into the address bar in Tor Browser to visit the organization's SecureDrop. .. _`SecureDrop Directory`: https://securedrop.org/directory \ No newline at end of file diff --git a/docs/source/how_to_submit.rst b/docs/source/how_to_submit.rst index af1649425..e45b833f3 100644 --- a/docs/source/how_to_submit.rst +++ b/docs/source/how_to_submit.rst @@ -20,7 +20,7 @@ How to submit Making your first submission ---------------------------- -Open Tor Browser and navigate to the .onion address for the SecureDrop you wish +Open Tor Browser and navigate to the onion address for the SecureDrop you wish to make a submission to. The page will invite you to get started with your first submission or to log in. It should have a logo specific to the organization you are submitting to. From 60f1e9f27273274e08b054130564e09bf442cc87 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Mon, 15 Jun 2026 10:19:13 -0400 Subject: [PATCH 12/24] make commands to be copied easier to copy --- .../deployment/https_source_interface.rst | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index 2d414a669..37bd429ec 100644 --- a/docs/admin/deployment/https_source_interface.rst 
+++ b/docs/admin/deployment/https_source_interface.rst @@ -71,9 +71,9 @@ Below are detailed steps for use on Tails: .. code:: sh # On the Admin Workstation, generate the first CSR - $ mkdir ~/Persistent/sd-https-key-generation - $ cd ~/Persistent/sd-https-key-generation - $ openssl req -new -newkey rsa:4096 -nodes -keyout sd.key -out sd.csr + mkdir ~/Persistent/sd-https-key-generation + cd ~/Persistent/sd-https-key-generation + openssl req -new -newkey rsa:4096 -nodes -keyout sd.key -out sd.csr That command will generate two files: ``sd.key``, the private key that will be used by the SecureDrop *Application Server*; and ``sd.csr``, @@ -86,15 +86,15 @@ an email with a nonce. Use that value to generate the second CSR: .. code:: sh # On the Admin Workstation, generate the second CSR - $ source /usr/share/securedrop-admin/venv/bin/activate - $ torify pip install onionmaker + source /usr/share/securedrop-admin/venv/bin/activate + torify pip install onionmaker # Copy the *Onion Service* key material to the Admin Workstation: - $ mkdir hsdir - $ ssh app sudo cat /var/lib/tor/services/sourcev3/hostname > hsdir/hostname - $ ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_public_key > hsdir/hs_ed25519_public_key - $ ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_secret_key > hsdir/hs_ed25519_secret_key + mkdir hsdir + ssh app sudo cat /var/lib/tor/services/sourcev3/hostname > hsdir/hostname + ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_public_key > hsdir/hs_ed25519_public_key + ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_secret_key > hsdir/hs_ed25519_secret_key # Generate (second) CSR - $ onionmaker hsdir + onionmaker hsdir The CSR will be printed to stdout, starting with ``BEGIN CERTIFICATE REQUEST``. Save that CSR, and send it via email reply to DigiCert. After you receive your final certificate, 
@@ -111,24 +111,24 @@ the *Admin Workstation*: .. code:: sh # On the Admin Workstation - $ cd ~/ - $ git clone --recurse-submodules https://github.com/HARICA-official/onion-csr.git - $ cd onion-csr - $ sudo apt-get update && sudo apt-get install -y ruby-dev rubygems build-essential + cd ~/ + git clone --recurse-submodules https://github.com/HARICA-official/onion-csr.git + cd onion-csr + sudo apt-get update && sudo apt-get install -y ruby-dev rubygems build-essential # If prompted, choose to install the packages "Only once" - $ torify gem install --user-install ffi - $ gcc -shared -o libed25519.so -fPIC ed25519/src/*.c + torify gem install --user-install ffi + gcc -shared -o libed25519.so -fPIC ed25519/src/*.c # Confirm the binary works by checking that "help" info is displayed: - $ ./onion-csr.rb -h + ./onion-csr.rb -h # Copy the Onion service key material to the Admin Workstation: - $ mkdir hsdir - $ ssh app sudo cat /var/lib/tor/services/sourcev3/hostname > hsdir/hostname - $ ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_public_key > hsdir/hs_ed25519_public_key - $ ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_secret_key > hsdir/hs_ed25519_secret_key + mkdir hsdir + ssh app sudo cat /var/lib/tor/services/sourcev3/hostname > hsdir/hostname + ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_public_key > hsdir/hs_ed25519_public_key + ssh app sudo cat /var/lib/tor/services/sourcev3/hs_ed25519_secret_key > hsdir/hs_ed25519_secret_key # Generate CSR - $ ./onion-csr.rb -n -d ./hsdir + ./onion-csr.rb -n -d ./hsdir .. _`specific URL`: https://docs.digicert.com/manage-certificates/organization-domain-management/managing-domains-cc-guide/add-authorize-domain-http-dcv/ .. _`DigiCert's documentation`: https://www.digicert.com/blog/ordering-a-onion-certificate-from-digicert From 9501d0b23ad4c01d16d2c1405c09c660ceb2e18d Mon Sep 17 00:00:00 2001 
From: "martin.c" Date: Wed, 17 Jun 2026 06:01:34 -0400 Subject: [PATCH 13/24] Standardize USB flash drive and related changes, add Export Device back to glossary --- docs/admin/deployment/landing_page.rst | 2 +- docs/admin/installation/firewall_opnsense.rst | 2 +- docs/admin/installation/firewall_pfsense.rst | 2 +- .../installation/generate_submission_key.rst | 4 +-- docs/admin/installation/hardware.rst | 24 +++++++-------- docs/admin/installation/install.rst | 2 +- .../installation/installation_overview.rst | 4 +-- docs/admin/installation/passphrases.rst | 6 ++-- docs/admin/installation/prepare_sdw.rst | 14 ++++----- docs/admin/installation/prepare_servers.rst | 4 +-- docs/admin/installation/provisioning_usb.rst | 12 ++++---- docs/admin/maintenance/backup_and_restore.rst | 16 +++++----- docs/admin/maintenance/bios_server.rst | 14 ++++----- docs/admin/maintenance/decommission.rst | 20 ++++++------- docs/admin/maintenance/rebuild_admin.rst | 30 +++++++++---------- docs/admin/migration/admin_migration.rst | 20 ++++++------- docs/admin/reference/offboarding.rst | 6 ++-- docs/admin/reference/securedrop_admin.rst | 2 +- .../bios_workstation.rst | 18 +++++------ docs/appendices/glossary.rst | 6 ++++ docs/appendices/threat_model/mitigations.rst | 2 +- docs/introduction/securedrop_workstation.rst | 8 ++--- docs/journalist/submissions.rst | 18 +++++------ docs/source/before_you_submit.rst | 2 +- 24 files changed, 122 insertions(+), 116 deletions(-) diff --git a/docs/admin/deployment/landing_page.rst b/docs/admin/deployment/landing_page.rst index cf490d626..342c45e8d 100644 --- a/docs/admin/deployment/landing_page.rst +++ b/docs/admin/deployment/landing_page.rst 
@@ -77,7 +77,7 @@ is to adhere to best practices. You can use a separate computer you've designated specifically to handle the submission process. Or, you can use an alternate operating system like Tails, -which boots from a USB stick and erases your activity at the end of every session. +which boots from a USB flash drive and erases your activity at the end of every session. A file contains valuable `metadata `_ about its source — when it was created and downloaded, what machine was involved, the machine's owner, etc. diff --git a/docs/admin/installation/firewall_opnsense.rst b/docs/admin/installation/firewall_opnsense.rst index e372820a4..4282ec68a 100644 --- a/docs/admin/installation/firewall_opnsense.rst +++ b/docs/admin/installation/firewall_opnsense.rst @@ -63,7 +63,7 @@ Connect to the OPNSense web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #. If you have not already done so, boot the *Admin Workstation* into - Tails using its designated USB drive. + Tails using its designated USB flash drive. #. Connect the *Admin Workstation* to the LAN interface. You should see a popup notification in Tails that says "Connection Established". If you click diff --git a/docs/admin/installation/firewall_pfsense.rst b/docs/admin/installation/firewall_pfsense.rst index 9cf00f0b1..a72d13864 100644 --- a/docs/admin/installation/firewall_pfsense.rst +++ b/docs/admin/installation/firewall_pfsense.rst @@ -72,7 +72,7 @@ Connect to the pfSense web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #. If you have not already done so, boot the *Admin Workstation* into - Tails using its designated USB drive. + Tails using its designated USB flash drive. #. Connect the *Admin Workstation* to the LAN[1] interface. You should see a popup notification in Tails that says "Connection Established". If you click diff --git a/docs/admin/installation/generate_submission_key.rst b/docs/admin/installation/generate_submission_key.rst index 1480148a2..2206ff564 100644 
--- a/docs/admin/installation/generate_submission_key.rst +++ b/docs/admin/installation/generate_submission_key.rst @@ -11,7 +11,7 @@ read on the *Secure Viewing Station*. We will now generate the *Submission Key*. If you aren't still logged into your *Secure Viewing Station* from the previous step, boot it using its Tails USB -stick, with persistence enabled. +flash drive, with persistence enabled. .. important:: The private key you will generate in the following steps is one of the most important secrets associated with your SecureDrop installation. This procedure @@ -85,7 +85,7 @@ write down the 40 hexadecimal digits under *Fingerprint*. screenshot. At this point, you are done with the *Secure Viewing Station* for now. You -can shut down Tails, grab the *Admin Workstation* Tails USB, and move over to your regular +can shut down Tails, grab the *Admin Workstation* USB flash drive, and move over to your regular workstation. .. |GPG generate key| image:: ../../images/install/run_gpg_gen_key.png diff --git a/docs/admin/installation/hardware.rst b/docs/admin/installation/hardware.rst index 9b1b4d526..2e2aecd1f 100644 --- a/docs/admin/installation/hardware.rst +++ b/docs/admin/installation/hardware.rst @@ -22,8 +22,8 @@ For an installation of SecureDrop, you must acquire: * At least 1 dedicated physical laptop for the *SecureDrop Workstation*. * A dedicated network firewall with at least 4 NICs. * At least 3 ethernet cables. -* At least 1 USB drive for OS installation media, - and at least 1 more USB drive if needed as an *Export Device*. +* At least 1 USB flash drive for OS installation media, + and at least 1 more USB flash drive if needed as an *Export Device*. .. _Optional Hardware: 
@@ -32,10 +32,10 @@ Additionally, you may want to consider the following purchases: * a printer without wireless network support, to use in combination with the *SecureDrop Workstation*. * an external hard drive for server backups. -* a USB drive to store backups of your *SecureDrop Workstation*. +* a USB flash drive to store backups of your *SecureDrop Workstation*. * a security key for HOTP authentication, such as a YubiKey, if you want to use hardware-based *Two-Factor Authentication* instead of a mobile app. -* a USB drive with a physical write protection switch, or a USB write blocker, +* a USB flash drive with a physical write protection switch, or a USB write blocker, if you want to mitigate the risk of introducing malware from your network to your *SecureDrop Workstation* during repeated use of an *Export Device*. 
@@ -356,26 +356,26 @@ device. We currently support two options for *Two-Factor Authentication*: .. include:: ../../includes/otp-app.txt -USB drives -^^^^^^^^^^ +USB flash drives +^^^^^^^^^^^^^^^^ *Journalists* need physical media (known as the *Export Device*) to copy submissions to their everyday workstation. -Our standard recommendation is to use USB drives, in combination with +Our standard recommendation is to use USB flash drives, in combination with volume-level encryption and careful data hygiene. We also urge the use of a secure printer or similar analog conversions to export documents from the *SecureDrop Workstation*, whenever possible. -You may want to consider enforcing write protection on USB drives when only read +You may want to consider enforcing write protection on USB flash drives when only read access is needed. We encourage you to evaluate these options in the context of your own threat model. When it is consistently applied and correctly implemented in hardware, write protection can prevent the spread of malware from the computers used to read -files stored on an *Export Device*. The two main options to achieve write protection of USB drives are: +files stored on an *Export Device*. The two main options to achieve write protection of USB flash drives are: - drives with a built-in physical write protection switch - a separate USB write blocker device as used in forensic applications. -For USB drives with physical write protection, we have tested the `Kanguru SS3 `__, +For USB flash drives with physical write protection, we have tested the `Kanguru SS3 `__, and it works well with and without encryption. It is especially advisable to enable write protection before attaching an 
@@ -385,10 +385,10 @@ of the Tails operating system. Please review our :doc:`setup guide ` for additional background on setting up *Export Devices*. -We also recommend buying an additional USB drive for making regular backups of +We also recommend buying an additional USB flash drive for making regular backups of your *SecureDrop Workstations*. -One thing to consider is that you are going to have *a lot* of USB drives to +One thing to consider is that you are going to have *a lot* of USB flash drives to keep track of, so you should consider how you will label or identify them and buy drives accordingly. Drives that are physically larger are often easier to label (e.g. with tape, printed sticker or a label from a labelmaker). diff --git a/docs/admin/installation/install.rst b/docs/admin/installation/install.rst index cffad0cb5..b7a986522 100644 --- a/docs/admin/installation/install.rst +++ b/docs/admin/installation/install.rst @@ -50,7 +50,7 @@ First, generate the new SSH keypair: You'll be asked to "Enter file in which to save the key" Type **Enter** to use the default location. -Given that this key is on the encrypted persistence of a Tails USB, +Given that this key is on the encrypted persistence of a Tails USB flash drive, you do not need to add an additional passphrase to protect the key. If you do elect to use a passphrase, note that you will need to manually type it (Tails' pinentry will not allow you to copy and paste a passphrase). diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index 7a056d5f7..0f2dc66cb 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst 
@@ -4,7 +4,7 @@ Installation overview Migrating from a Tails-based SecureDrop --------------------------------------- -If you are migrating from an older Tails-based SecureDrop, using the separate *Secure Viewing Station*, *Journalist Workstation* and *Admin Workstation* USB drives, then skip to the :ref:`Migration Overview`. +If you are migrating from an older Tails-based SecureDrop, using the separate *Secure Viewing Station*, *Journalist Workstation* and *Admin Workstation* USB flash drives, then skip to the :ref:`Migration Overview`. Setting expectations -------------------- @@ -62,7 +62,7 @@ A summary of the major steps is as follow: Optionally: #. Prepare additional *Journalist Workstations* for use by *Journalists*. -#. Prepare encrypted USB *Export Drives*. +#. Prepare encrypted *Export Devices*. Minimum security requirements for a *SecureDrop Workstation* ------------------------------------------------------------ diff --git a/docs/admin/installation/passphrases.rst b/docs/admin/installation/passphrases.rst index cc55e226c..1542f46c0 100644 --- a/docs/admin/installation/passphrases.rst +++ b/docs/admin/installation/passphrases.rst 
@@ -47,12 +47,12 @@ The *Journalist* will also need to have a two-factor authenticator, such as an A - The secret code for the *Journalist*'s *Two-Factor Authentication*. -*Export USB* +*Export Device* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -We recommend using encrypted USB drives for transferring files off of the *Journalist Workstation*. +We recommend using encrypted USB flash drives for transferring files off of the *Journalist Workstation*. -For every export operation, the user will need to enter the USB drive's encryption passphrase at least twice (on the computer they're copying from, and on the computer they're copying to). To make it easy for them to find the passphrase, we recommend storing it in the *Journalist*'s own existing password manager, which should be accessible using their smartphone. +For every export operation, the user will need to enter the USB flash drive's encryption passphrase at least twice (on the computer they're copying from, and on the computer they're copying to). To make it easy for them to find the passphrase, we recommend storing it in the *Journalist*'s own existing password manager, which should be accessible using their smartphone. If your organization is not using a password manager already, please see the `Freedom of the Press Foundation guide `__ diff --git a/docs/admin/installation/prepare_sdw.rst b/docs/admin/installation/prepare_sdw.rst index 6f36e156f..9a494fa00 100644 --- a/docs/admin/installation/prepare_sdw.rst +++ b/docs/admin/installation/prepare_sdw.rst 
@@ -18,13 +18,13 @@ Prerequisites In order to install SecureDrop Workstation and configure it to use an existing SecureDrop instance, you will need the following: - A Qubes-compatible laptop based on the :ref:`hardware` recommendations. -- Qubes installation medium - this guide assumes the use of a USB 3.0 stick. Qubes may also be installed via optical media, which may make more sense depending on your `security concerns `_. +- Qubes installation medium - this guide assumes the use of a USB 3.0 flash drive. Qubes may also be installed via optical media, which may make more sense depending on your `security concerns `_. - .. note:: A USB stick with a Type-A connector is recommended, as USB-C ports may be disabled on your computer when the BIOS settings detailed below are applied. + .. note:: A USB flash drive with a Type-A connector is recommended, as USB-C ports may be disabled on your computer when the BIOS settings detailed below are applied. - A working computer (Linux is recommended and assumed in this guide) to use for verification and creation of the Qubes installation medium. - .. note:: A Tails USB can be used to perform the tasks below, but due to the size of the Qubes installation ISO, it may make sense to download it on another computer rather than via Tor, and then to use a USB stick to transfer it to Tails for verification and creation of the installation medium. + .. note:: Tails can be used to perform the tasks below, but due to the size of the Qubes installation ISO, it may make sense to download it on another computer rather than via Tor, and then to use a USB flash drive to transfer it to Tails for verification and creation of the installation medium. - A password manager or other system to generate and store strong passphrases for Qubes full disk encryption (FDE) and user accounts. 
@@ -120,14 +120,14 @@ The output should look like this: Specifically, you will want to make sure that you see "Good signature" listed in the text. If it does not report a good signature, try deleting the ISO and downloading it again. -Once you've verified the ISO, copy it to your installation medium - for example, if using Linux and a USB stick, using the command: +Once you've verified the ISO, copy it to your installation medium - for example, if using Linux and a USB flash drive, using the command: .. code-block:: sh sudo dd if=Qubes-R4.2.4-x86_64.iso of=/dev/sdX bs=1048576 && sync where ``if`` is set to the path to your downloaded ISO file and ``of`` is set to -the block device corresponding to your USB stick. Note that any data on the USB stick will be overwritten. +the block device corresponding to your USB flash drive. Note that any data on the USB flash drive will be overwritten. .. caution:: Make sure to verify that you have the correct device name using, for example, the ``lsblk`` command. You should write to the full device (eg. ``/dev/sdc``) rather than to a partition (eg. ``/dev/sdc1``). @@ -138,7 +138,7 @@ Before starting the installation, please ensure that: - the computer is charging - all USB devices like YubiKeys, mice and keyboards are disconnected -To begin the Qubes installation, connect the Qubes install USB to your target computer and boot from it. You may need to bring up a boot menu at startup to do so - on Lenovo laptops, for example, you can do so by pressing **F12** on boot. +To begin the Qubes installation, connect the Qubes installation drive you just created to your target computer and boot from it. You may need to bring up a boot menu at startup to do so - on Lenovo laptops, for example, you can do so by pressing **F12** on boot. Follow the `installation documentation `_ to install Qubes on your computer, ensuring that you: 
@@ -149,7 +149,7 @@ Follow the `installation documentation `__ has detailed instructions on how to -to create a bootable Ubuntu Server USB drive. +to create a bootable Ubuntu Server USB flash drive. Follow the instructions at the link below for your operating system, then return to this page: @@ -143,7 +143,7 @@ to this page: - `Create a bootable Ubuntu USB drive on Linux `__ -With the Ubuntu Server install USB ready, you may now proceed to the installation. +With the Ubuntu Server install USB flash drive ready, you may now proceed to the installation. Perform the installation ~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/admin/installation/provisioning_usb.rst b/docs/admin/installation/provisioning_usb.rst index 5276c2773..de58d307a 100644 --- a/docs/admin/installation/provisioning_usb.rst +++ b/docs/admin/installation/provisioning_usb.rst @@ -1,5 +1,5 @@ -Provisioning export USB devices -=============================== +Provisioning USB *Export Devices* +================================= The *Journalist Workstation* supports the export of submissions from the SecureDrop Inbox to a LUKS- or VeraCrypt-encrypted USB *Export Device*. 
@@ -7,18 +7,18 @@ to a LUKS- or VeraCrypt-encrypted USB *Export Device*. Creating a LUKS-encrypted drive ------------------------------- -.. note:: LUKS-encrypted devices can only be used with Linux-based +.. note:: LUKS-encrypted drives can only be used with Linux-based systems such as Tails. For compatibility with macOS and Windows systems, use VeraCrypt. In order to provision a LUKS-encrypted *Export Device* for use a *Journalist Workstation*, -you will need a fresh USB stick and a Linux-based system. Tails is recommended - +you will need a fresh USB flash drive and a Linux-based system. Tails is recommended - if available, the *Secure Viewing Station* can be used, adding the extra benefit of its airgap: - First, boot into the *Secure Viewing Station*, without unlocking its persistent volume or setting an admin password. - Next, open the Disks utility: **Applications ▸ Utilities ▸ Disks**. -- Connect the fresh USB stick and select it in the list in the left-hand panel. +- Connect the fresh USB flash drive and select it in the list in the left-hand panel. .. warning:: The formatting operation will wipe any data on an existing partition. Make sure that you select the correct device! @@ -57,7 +57,7 @@ Creating a VeraCrypt-encrypted drive - Click **Create Volume** - Select **Encrypt a non-system partition/drive** and click **Next**. - Select **Standard VeraCrypt volume** and click **Next** -- Connect your fresh USB stick and click **Select Device...** to choose your USB. +- Connect your fresh USB flash drive and click **Select Device...** to select it. - You may see a warning that says "We strongly recommend that inexperienced users create a VeraCrypt file container on the selected device/partition, diff --git a/docs/admin/maintenance/backup_and_restore.rst b/docs/admin/maintenance/backup_and_restore.rst index e6b0c2009..99f7d43ce 100644 --- a/docs/admin/maintenance/backup_and_restore.rst +++ b/docs/admin/maintenance/backup_and_restore.rst 
@@ -93,7 +93,7 @@ archive in the output of the backup command. .. warning:: The backup file contains sensitive information! It should only be stored on the *Admin Workstation*, or on a - dedicated encrypted backup USB. + dedicated encrypted backup USB flash drive. .. include:: ../../includes/backup-warning.txt Restoring from a backup @@ -174,7 +174,7 @@ Moving a SecureDrop instance to new hardware involves: .. note:: You will be generating fresh SSH credentials for the servers, and any - other *Admin Workstation* USBs will have to be + other *Admin Workstation* USB flash drives will have to be :ref:`provisioned with updated credentials `. #. Ensure your *Admin Workstation* is connected to a LAN port on your @@ -234,18 +234,18 @@ Moving a SecureDrop instance to new hardware involves: Repair additional *Admin Workstations* '''''''''''''''''''''''''''''''''''''' -If you have additional *Admin Workstation* USBs, they will no longer have +If you have additional *Admin Workstation* USB flash drives, they will no longer have valid SSH credentials and will need to be repaired. In these steps, the "primary *Admin Workstation*" is the one which you used to complete the above migration process. #. Prepare a fresh - :doc:`LUKS-encrypted USB `. + :doc:`LUKS-encrypted USB flash drive `. You may record the passphrase in your primary *Admin Workstation* KeePassXC password manager. #. Copy the following files from your primary *Admin Workstation* onto the - LUKS-encrypted USB: + LUKS-encrypted USB flash drive: - ``~/.config/securedrop-admin/tor_v3_keys.json`` - ``~/.config/securedrop-admin/mon-ssh.auth_private`` 
@@ -257,7 +257,7 @@ process. *Admin Workstation*, you may do so. In this case, copy only the first two files above to your additional *Admin Workstations*. - Generate per-machine SSH keys and use a clean LUKS-encrypted USB drive + Generate per-machine SSH keys and use a clean LUKS-encrypted USB flash drive to transfer the public portions of those keys to your primary *Admin Workstation*, where you will then add them to the servers' ``authorized_keys`` files, as described :ref:`here `. @@ -266,7 +266,7 @@ process. #. Boot into each additional *Admin Workstation*. Set `an administration password`_ and unlock the persistent volume on the Tails welcome screen. - Once logged in, attach the LUKS-encrypted USB + Once logged in, attach the LUKS-encrypted USB flash drive and unlock it. #. Ensure that this *Admin Workstation* is using an up-to-date version of Tails @@ -297,7 +297,7 @@ process. and ``ssh mon uptime``. #. Once all *Admin Workstations* have been updated, securely wipe the files on - the LUKS-encrypted USB, by right-clicking them in the file manager and selecting + the LUKS-encrypted USB flash drive, by right-clicking them in the file manager and selecting **Wipe**. Then, reformat the device using the **Disks** utility. diff --git a/docs/admin/maintenance/bios_server.rst b/docs/admin/maintenance/bios_server.rst index 96d47102d..c07302e96 100644 --- a/docs/admin/maintenance/bios_server.rst +++ b/docs/admin/maintenance/bios_server.rst @@ -10,7 +10,7 @@ instructions will vary depending on the manufacturer and model of your device. What you need ~~~~~~~~~~~~~ - #. A clean USB drive to download the BIOS file + #. A clean USB flash drive to download the BIOS file #. An Internet-connected workstation, such as the *Admin Workstation* #. A UPS (uninterrupted power supply), such as a surge-protecting power supply with a backup battery (This is not required, but strongly recommended) #. A keyboard and monitor 
@@ -20,10 +20,10 @@ Perform backups If you are updating the BIOS on an existing SecureDrop system, we recommend you :doc:`back up the *Application Server* ` before proceeding. -Prepare the USB drive -~~~~~~~~~~~~~~~~~~~~~~~ +Prepare the USB flash drive +~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Using the Disks application, delete existing partitions on the USB drive, if applicable, and reformat the entire device with one FAT32 partition. Note that you will lose access to all existing data on this USB drive. +Using the Disks application, delete existing partitions on the USB flash drive, if applicable, and reformat the entire device with one FAT32 partition. Note that you will lose access to all existing data on this USB flash drive. Download and verify appropriate BIOS files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -47,7 +47,7 @@ Intel provides an SHA1 checksum on the download page, while ASUS offers a SHA-25 |gtkhash tails| -Once you have verified the hash, copy the file to your USB device. +Once you have verified the hash, copy the file to your USB flash drive. .. _`provides a detailed explanation of this process`: https://tails.net/contribute/build/reproducible/#index3h1 
@@ -59,8 +59,8 @@ Once you have verified the hash, copy the file to your USB device. Update the BIOS ~~~~~~~~~~~~~~~ -Power off the *Monitor Server*. We recommend plugging it into an uninterrupted power supply (UPS). Plug in the keyboard, monitor, and USB key, and power on the server, then press F7 when prompted to enter the BIOS Update tool. +Power off the *Monitor Server*. We recommend plugging it into an uninterrupted power supply (UPS). Plug in the keyboard, monitor, and USB flash drive, and power on the server, then press F7 when prompted to enter the BIOS Update tool. -Select the USB device and navigate to the file you have downloaded, then hit **Enter**. The update will take several minutes--do not interrupt the update or unplug the server during this time. +Select the USB flash drive and navigate to the file you have downloaded, then hit **Enter**. The update will take several minutes--do not interrupt the update or unplug the server during this time. Repeat these steps on the *Application Server*. diff --git a/docs/admin/maintenance/decommission.rst b/docs/admin/maintenance/decommission.rst index 0bae1fc63..1aa07df60 100644 --- a/docs/admin/maintenance/decommission.rst +++ b/docs/admin/maintenance/decommission.rst @@ -60,8 +60,8 @@ SecureDrop instance. You may want to direct them to other secure methods of contacting you. #. **Locate and create an inventory of all your hardware.** - *SecureDrop Workstation* laptops - - *Export Devices* (USBs, optical drives, or external drives) - - Backup USBs/other storage media + - *Export Devices* (USB flash drives, optical drives, or external drives) + - Backup USB flash drives/other storage media - Servers - Firewall 
@@ -71,13 +71,13 @@ SecureDrop instance. #. **Optional: Save a backup.** If you want to save a backup of the *Application Server* (for example, to reinstall SecureDrop in the future using the same onion address), follow our :doc:`backup guidelines `. Once the backup has been - created, you can move it onto an encrypted device, such as a LUKS-encrypted - drive. You will also require a backup of the *Submission Private Key* found on the + created, you can move it onto an encrypted drive, such as a LUKS-encrypted + USB flash drive. You will also require a backup of the *Submission Private Key* found on the *SecureDrop Workstation*. If you do not require a server backup, you may choose to download specific submissions, and store them in a secure manner (such as on an encrypted - drive). + USB flash drive). #. **Optional: Delete submissions on the server.** Log into the *Journalist Workstation* and delete all sources to take advantage of SecureDrop's secure deletion properties. Note that depending on the 
@@ -103,14 +103,14 @@ SecureDrop instance. #. **Disconnect the firewall and the servers from the internet.** Be sure to inform your network administrator of any changes to devices on your network. -#. **Wipe and destroy the USB drives.** - Because the USB drives used for SecureDrop are all LUKS-encrypted, - reformatting the USB drives (in particular, overwriting a portion of internal +#. **Wipe and destroy the USB flash drives.** + Because the USB flash drives used for SecureDrop are all LUKS-encrypted, + reformatting the USB flash drives (in particular, overwriting a portion of internal storage called the **LUKS header**) should be sufficient to make any existing data on those drives unrecoverable. - For example, you could use your *Template Tails USB* to launch Gnome Disks, - insert and identify the USB drive you are trying to erase, and reformat this + For example, you could use Tails to launch Gnome Disks, + insert and identify the USB flash drive you are trying to erase, and reformat this drive with a new, LUKS-encrypted partition, erasing the existing partition data. diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index ab44dd12b..554650001 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst 
@@ -1,14 +1,14 @@ -Rebuilding an *Admin Workstation* USB -------------------------------------- +Rebuilding an *Admin Workstation* +--------------------------------- -In cases where an *Admin Workstation* USB stick has been lost or destroyed, and no +In cases where an *Admin Workstation* USB flash drive has been lost or destroyed, and no backup exists, it is possible to rebuild one. In order to do so, you'll need - physical access to the SecureDrop servers - - 2 USB sticks: + - 2 USB flash drives: - - Tails Template USB - - 1 replacement *Admin Workstation* USB (USB3 and 16GB or better recommended) + - Tails Template drive + - 1 replacement *Admin Workstation* USB flash drive (USB3 and 16GB or better recommended) The process requires experience with the Linux command line and Tails, and can take up to 3 hours. If a backup of the SecureDrop *Application Server* is available, @@ -16,7 +16,7 @@ can take up to 3 hours. If a backup of the SecureDrop *Application Server* is av may be simpler. An outline of the steps involved in rebuilding an *Admin Workstation* is as follows: - #. Prepare the USB sticks. + #. Prepare the USB flash drives. #. (Optional) Boot the *Application* and *Monitor Server* in single user mode and reset the shell admin account password. #. Set up SSH access for the new *Admin Workstation*. @@ -34,10 +34,10 @@ may be simpler. An outline of the steps involved in rebuilding an process promptly, to avoid leaving the servers in an insecure state. -Step 1: Prepare the USB sticks -============================== +Step 1: Prepare the USB flash drives +==================================== -First, create a new Tails +First, create a new Tails drive and set up a persistent volume with a strong passphrase. Once persistence has been set up, start up the *Admin Workstation* with 
@@ -432,11 +432,11 @@ Step 8: Post-rebuild tasks ========================== .. important:: - Rebuilding an Admin Workstation makes changes that will prevent + Rebuilding an *Admin Workstation* makes changes that will prevent your other Tails workstations from connecting to your SecureDrop servers. - If you rebuild your Admin Workstation, you must also provision - all other existing Tails Workstation USBs with updated Tor + If you rebuild your *Admin Workstation*, you must also provision + all other existing Tails workstation drives updated Tor credentials (see below). We recommend completing the following tasks after the rebuild: @@ -448,7 +448,7 @@ We recommend completing the following tasks after the rebuild: - Back up your *Admin Workstation*. - Delete invalid admin accounts in the *Journalist Interface*. - Restrict SSH access to the *Application* and *Monitor Servers* to valid - *Admin Workstations*. If your new *Admin Workstation* USB stick + *Admin Workstations*. If your new *Admin Workstation* USB flash drive is the only one that should have SSH access to the servers, you can remove access for any previous *Admin Workstations* from the terminal, using the commands: @@ -462,7 +462,7 @@ We recommend completing the following tasks after the rebuild: sure not to remove the public key belonging to your new *Admin Workstation*. - :doc:`Back up the *Application Server* ` once SSH-over-Tor has been restored. Ensure that server and workstation backups happen regularly. - - Provision all other Tails Workstation USBs (*Journalist* and/or *Admin Workstations*) + - Provision all other Tails workstation drives (*Journalist* and/or *Admin Workstations*) with updated Tor credentials, so that they can access SecureDrop after this rebuild. You will need to copy the following file(s) to all other *Admin* and diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index 97a14b1f5..1a76f96d5 100644 
--- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -59,7 +59,7 @@ Qubes OS comes with the KeePassXC password manager preinstalled in the ``vault`` Configure SecureDrop Workstation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and *Submission Private Key* from your Tails-based *Secure Viewing Station* and *Journalist Workstation* USB drives. +Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and *Submission Private Key* from your Tails-based Secure Viewing Station and *Journalist Workstation* USB flash drives. Import *Submission Private Key* ------------------------------- 
@@ -68,13 +68,13 @@ In order to decrypt submissions, you will need a copy of the `*Submission Private Key* `_ from your SecureDrop instance's Secure Viewing Station. -To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. You cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below: +To protect this key and preserve the air gap, you will need to connect the Secure Viewing Station USB flash drive to a Qubes VM with no network access, and copy it from there to ``dom0``. You cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below: -- First, use the network manager widget in the upper right panel to disable your network connection. These instructions refer to the ``vault`` VM, which has no network access by default, but if the SVS USB is attached to another VM by mistake, this will offer some protection against exfiltration. +- First, use the network manager widget in the upper right panel to disable your network connection. These instructions refer to the ``vault`` VM, which has no network access by default, but if the Secure Viewing Station is attached to another VM by mistake, this will offer some protection against exfiltration. - Next, choose |qubes_menu| **▸ Apps ▸ vault ▸ Thunar File Manager** to open the file manager in the ``vault`` VM. -- Connect the SVS USB to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be three entries for the USB in the section titled **Data (Block) Devices**. Choose the *unlabeled* entry (*not* the one labeled "TAILS") annotated with a ``sys-usb`` text that ends with a number, like ``sys-usb:sdb2``. That is the persistent volume. 
+- Connect the Secure Viewing Station USB flash drive to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be three entries for the USB flash drive in the section titled **Data (Block) Devices**. Choose the *unlabeled* entry (*not* the one labeled "TAILS") annotated with a ``sys-usb`` text that ends with a number, like ``sys-usb:sdb2``. That is the persistent volume. |Attach TailsData| @@ -97,7 +97,7 @@ To protect this key and preserve the air gap, you will need to connect the SVS U .. note:: If there are multiple keys present on the device, ``sdw-admin --configure`` will print the fingerprints of those keys for you to select which to use as the *Submission Private Key*. You can open ``.onion/metadata`` in Tor Browser on another network-connected computer to check the correct key fingerprint used by your SecureDrop instance. -- Once the *Submission Private Key* import is complete, in the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the SVS USB. +- Once the *Submission Private Key* import is complete, in the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the Secure Viewing Station USB flash drive. - If you were prompted for a passphrase during import, you will now need to remove the passphrase on ``sd-journalist.sec``. See :doc:`/admin/migration/removing_gpg_passphrase`. 
@@ -113,9 +113,9 @@ Import *Journalist Interface* details SecureDrop Workstation connects to your SecureDrop instance's API via the *Journalist Interface*. In order to do so, it will need the *Journalist Interface* address and authentication info. As the clipboard from another VM cannot be copied into ``dom0`` directly, follow these steps to copy the file into place: -- Locate a Tails-based *Admin Workstation* or *Journalist Workstation* USB drive. Both hold the address and authentication info for the *Journalist Interface*; if you also want to copy the *Journalist*'s password database, use the *Journalist Workstation* USB drive. +- Locate a Tails-based *Admin Workstation* or *Journalist Workstation* USB flash drive. Both hold the address and authentication info for the *Journalist Interface*; if you also want to copy the *Journalist*'s password database, use the *Journalist Workstation* USB flash drive. -- Connect the USB drive to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be 3 listings for the USB in the widget: one for the base USB, one for the Tails partition on the USB, labeled ``Tails``, and a 3rd unlabeled listing, for the persistent volume. Choose the third listing. +- Connect the USB flash drive to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be 3 listings for the USB flash drive in the widget: one for the base drive, one for the Tails partition (labeled ``Tails``), and a 3rd unlabeled listing (for the persistent volume). Choose the third listing. - In the the ``vault`` file manager, select the persistent volume's listing in the lower left sidebar. It will be named ``N GB encrypted``, where N is the size of the persistent volume. Enter the persistent volume passphrase to unlock and mount it. When prompted, select the option to **Forget password immediately**. 
@@ -127,7 +127,7 @@ SecureDrop Workstation connects to your SecureDrop instance's API via the *Journ The command will print out the imported *Journalist Interface* details to confirm before proceeding. -- If you used a Tails-based *Admin Workstation* USB drive, or you don't intend to copy a password database to this workstation, safely disconnect the USB drive now. In the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the USB drive. +- If you used a Tails-based *Admin Workstation* drive, or you don't intend to copy a password database to this workstation, safely disconnect the USB flash drive now. In the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the USB flash drive. Copy SecureDrop login credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -144,11 +144,11 @@ In order to set up KeePassXC for easy use: .. important:: - The password database from the Tails-based *Admin Workstation* contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based *Journalist Workstation* USB. + The password database from the Tails-based *Admin Workstation* contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based *Journalist Workstation* USB flash drive. In order to copy a *Journalist*'s login credentials: -- If a Tails-based *Journalist Workstation* USB is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. +- If a Tails-based *Journalist Workstation* USB flash drive is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. - Locate the password database. It should be in the ``Persistent`` directory, and will typically be named ``keepassx.kdbx`` or similar. 
diff --git a/docs/admin/reference/offboarding.rst b/docs/admin/reference/offboarding.rst index 3cf4a3d09..fac95cff5 100644 --- a/docs/admin/reference/offboarding.rst +++ b/docs/admin/reference/offboarding.rst @@ -137,10 +137,10 @@ Therefore, we recommend rotating the *Submission Key* under the following circumstances: - If the user's departure was not amicable -- If the user is still holding on to any *Secure Viewing Station* USB drive or +- If the user is still holding on to any *Secure Viewing Station* USB flash drive or backup - If you have any other reason to believe the *Submission Private Key* or the - entire *Secure Viewing Station* USB may have been copied or compromised. + entire *Secure Viewing Station* USB flash drive may have been copied or compromised. You should still keep the old key on the *Secure Viewing Station*, or else you will not be able to decrypt submissions that were sent to you while that key @@ -148,7 +148,7 @@ was in effect. **You will need:** -- A *Transfer Device* (LUKS-encrypted USB drive) +- A *Transfer Device* (LUKS-encrypted USB flash drive) On the *Secure Viewing Station* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/admin/reference/securedrop_admin.rst b/docs/admin/reference/securedrop_admin.rst index ec6eb10d4..fba8f6d03 100644 --- a/docs/admin/reference/securedrop_admin.rst +++ b/docs/admin/reference/securedrop_admin.rst @@ -128,5 +128,5 @@ Configuration information is stored on the *Admin Workstation* under ~/.config/securedrop-admin/tor_v3_keys.json If *Onion Service* addresses are changed, the files listed above should be shared - securely with other administrators - preferably in person using an encrypted transfer USB, + securely with other administrators - preferably in person using an encrypted USB flash drive, as they can be used to access the servers directly via SSH over Tor. 
diff --git a/docs/admin/workstation_reference/bios_workstation.rst b/docs/admin/workstation_reference/bios_workstation.rst index f0e2c4cbe..98d3890e3 100644 --- a/docs/admin/workstation_reference/bios_workstation.rst +++ b/docs/admin/workstation_reference/bios_workstation.rst @@ -31,14 +31,14 @@ Once ``fwupd`` is installed, you can install available updates by running: Manual BIOS updates ------------------- -If your laptop is not supported by ``fwupd``, you will need to consult the manual for your specific make and model to determine how to manually apply a BIOS update. The process will likely include downloading an update file, verifying its integrity, copying it to a USB drive, and then accessing an update menu within the BIOS settings. If you have a Thinkpad, refer to the instructions for :ref:`thinkpad_bios`. +If your laptop is not supported by ``fwupd``, you will need to consult the manual for your specific make and model to determine how to manually apply a BIOS update. The process will likely include downloading an update file, verifying its integrity, copying it to a USB flash drive, and then accessing an update menu within the BIOS settings. If you have a Thinkpad, refer to the instructions for :ref:`thinkpad_bios`. .. _thinkpad_bios: Manual BIOS on Lenovo ThinkPad laptops ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The instructions below assume the use of a Linux-based computer for the creation of a BIOS upgrade USB. To upgrade the BIOS: +The instructions below assume the use of a Linux-based computer for the creation of a BIOS upgrade USB flash drive. To upgrade the BIOS: - Locate the ThinkPad's "machine type" in its BIOS setup program: 
@@ -50,9 +50,9 @@ The instructions below assume the use of a Linux-based computer for the creation - Download the file called either **BIOS Update (Bootable CD)** or **BIOS Update (Utility & Bootable CD)**. .. note:: - A Tails USB can be used for the verification and conversion process described below, but the Lenovo support site blocks requests over Tor, preventing the ISO download. To work around this, either: + A Tails drive can be used for the verification and conversion process described below, but the Lenovo support site blocks requests over Tor, preventing the ISO download. To work around this, either: - - download the BIOS ISO on a different computer and transfer it to Tails using a USB stick, or + - download the BIOS ISO on a different computer and transfer it to Tails using another USB flash drive, or - download the ISO in Tails using the Unsafe Browser as follows: - Start Tails with an administration password set and the Unsafe Browser enabled under "Additional Settings" on the Welcome Screen. @@ -95,9 +95,9 @@ The instructions below assume the use of a Linux-based computer for the creation sudo dnf install geteltorito genisoimage -- Plug in a USB and check its device name with the ``lsblk`` command - use the root device name below, not a partition (eg. ``/dev/sdc`` instead of ``/dev/sdc1``). +- Plug in a USB flash drive and check its device name with the ``lsblk`` command - use the root device name below, not a partition (eg. ``/dev/sdc`` instead of ``/dev/sdc1``). -- Write the BIOS update ISO to the USB using the following command: +- Write the BIOS update ISO to the USB flash drive using the following command: .. code-block:: sh 
@@ -109,10 +109,10 @@ The instructions below assume the use of a Linux-based computer for the creation The ``dd`` command will wipe data on the targeted device. Make sure that you use the correct device name. - Once complete, remove the USB. + Once complete, remove the USB flash drive. -- Plug the USB into the ThinkPad. +- Plug the USB flash drive into the ThinkPad. - Boot the ThinkPad and follow the prompts to enter its startup and boot menus, likely via the and keys, respectively. -- Follow the on-screen instructions to update the BIOS, including any mandatory reboots. Note that the instructions may refer to an update CD instead of your update USB. +- Follow the on-screen instructions to update the BIOS, including any mandatory reboots. Note that the instructions may refer to an update CD instead of your update USB flash drive. diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index bd1faf15b..0ff2318cc 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -20,6 +20,12 @@ the website that *Sources* access (the *Source Interface*) and the website that through an *Onion Service* because *Sources*, *Journalists*, and admins may only connect to this server using Tor. +Export Device +------------- + +The *Export Device* is the physical media (e.g., designated USB flash drive) used to transfer decrypted documents from the Secure Viewing Station to a journalist's everyday workstation, or to another computer for additional processing. + +Please see the detailed security recommendations for the choice, configuration and use of your *Export Device* in the :doc:`journalist` guide and in the :doc:`setup guide`. Journalist ---------- diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index 907a9d12e..564de1b9e 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst 
@@ -217,7 +217,7 @@ User Behavior and Hardware — SecureDrop Hardware Tampering or Failure in Opera Attacks on user behavior or hardware ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - *Journalist* corporate workstation seized/tampered/compromised -- Transfer device seized/stolen/lost +- *Export Device** seized/stolen/lost - Admin *Two-Factor Authentication* device is lost or compromised - Admin SSH Key is compromised - SecureDrop installer misconfigures server/firewall hardware diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index 5213a6b4b..8324e473a 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst 
@@ -164,17 +164,17 @@ important protections that SecureDrop Workstation provides. On the other hand, v in Qubes OS or Xen Hypervisor may have a greater security impact than vulnerabilities in Tails, the operating system used on a Secure Viewing Station. -A typical SVS USB drive may contain documents from multiple *Sources* and always +A typical Secure Viewing Station USB flash drive may contain documents from multiple *Sources* and always contains the highly sensitive private key needed to decrypt them. An adversary who does manage to achieve a security compromise (e.g., through a vulnerability in a file viewer application) can access these other files, and may be able to exfiltrate them. In spite of the air-gap, this may be possible through physical channels used to transfer files -off the SVS (e.g., USB drives), or by motivating the *Journalist* to perform an +off the Secure Viewing Station (e.g., USB flash drives), or by motivating the *Journalist* to perform an unsafe action (e.g., `scanning a QR code `__). -Because the air-gapped SVS has no Internet access, updates can only be performed using -another computer and a USB drive. In practice, newsrooms may not update their SVS +Because the air-gapped Secure Viewing Station has no Internet access, updates can only be performed using +another computer and a USB flash drive. In practice, newsrooms may not update their Secure Viewing Station in a timely manner, which can significantly worsen its security posture. In SecureDrop Workstation, any document received via SecureDrop is opened in a diff --git a/docs/journalist/submissions.rst b/docs/journalist/submissions.rst index 66a3362e9..d64412a8c 100644 --- a/docs/journalist/submissions.rst +++ b/docs/journalist/submissions.rst 
@@ -79,16 +79,16 @@ Exporting submissions from the *Journalist Workstation* the risk of spreading malware to that computer. Make sure you understand the risks, and consider other methods to export the document (e.g., print). -If you must copy a file from your *Journalist Workstation* to another computer or device in digital form, our :doc:`recommendation ` is that journalists are provided with an d *Encrypted USB Drive*, drive which is encrypted using `VeraCrypt `__. +If you must copy a file from your *Journalist Workstation* to another computer or device in digital form, our :doc:`recommendation ` is that *Journalists* are provided with an *Export Device*, drive which is encrypted using LUKS or `VeraCrypt `__. These instructions assume that you are following the recommended workflow. If you are unsure, ask your administrator. -Exporting to an export USB -~~~~~~~~~~~~~~~~~~~~~~~~~~ +Exporting to an *Export Device* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting submissions. +Currently, a LUKS- or VeraCrypt-encrypted USB flash drive is required for exporting submissions. -1. Insert the USB drive and wait for the ``sd-devices`` VM to start. +1. Insert the USB flash drive and wait for the ``sd-devices`` VM to start. 2. If your drive is using VeraCrypt, you will need to unlock it manually: 1. Open the file menu by clicking on the Qubes Application menu |qubes_menu| (in the top left), @@ -96,7 +96,7 @@ Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting su 2. In the left sidebar, there should be an entry labeled **# GB Possibly Encrypted**, click it. |screenshot_veracrypt_sd_devices_files| - 3. You will be prompted for the password configured for this USB drive: + 3. You will be prompted for the password configured for this USB flash drive: - Volume type: leave both unchecked - PIM: leave empty 
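Review bot: The added list item `- *Export Device** seized/stolen/lost` in the "Attacks on user behavior or hardware" hunk has unbalanced emphasis markup, with one opening asterisk and two closing. It will not render like the neighbouring terms (*Journalist*, *Two-Factor Authentication*). Suggest `- *Export Device* seized/stolen/lost`.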
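Review bot: In the docs/journalist/submissions.rst hunk at -79,16, the rewritten sentence still reads "provided with an *Export Device*, drive which is encrypted using LUKS or", where "drive which" is a leftover from the old wording and no longer parses. Suggest "an *Export Device*, a USB flash drive which is encrypted using LUKS or", which also matches the "USB flash drive" wording this hunk introduces a few lines further down.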
@@ -108,12 +108,12 @@ Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting su 3. Back in your *Source*'s conversation, click **Export**. |screenshot_export_dialog| -4. If you have not already unlocked your USB drive, you will be prompted for the - password configured for this USB drive. +4. If you have not already unlocked your USB flash drive, you will be prompted for the + password configured for this USB flash drive. |screenshot_export_drive_passphrase| 5. Once you see a message informing you that the export was successfully completed, - you can safely unplug the USB drive. Alternatively, you can leave the drive + you can safely unplug the USB flash drive. Alternatively, you can leave the drive plugged in and export additional files. Decrypting and preparing to publish diff --git a/docs/source/before_you_submit.rst b/docs/source/before_you_submit.rst index 4dfff45f4..324a901e6 100644 --- a/docs/source/before_you_submit.rst +++ b/docs/source/before_you_submit.rst @@ -22,7 +22,7 @@ Those reasons and more are why using a dedicated computer for whistleblowing activities can be safer. To build an even stronger buffer for yourself, we recommend booting -the computer into the `Tails operating system`_ (typically from a USB stick). +the computer into the `Tails operating system`_ (typically from a USB flash drive). Tails is specifically designed to run on your computer without leaving traces of your activity. This may take some additional technical steps, but it is safer and fairly simple to get started. Even if you choose to use a dedicated computer From 7f8a9c3ad824e378b1e1d5db995306a3ce7e38c9 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Wed, 17 Jun 2026 06:02:24 -0400 Subject: [PATCH 14/24] Polish, small edits --- docs/appendices/glossary.rst | 7 ++----- docs/index.rst | 2 +- docs/introduction/getting_support.rst | 4 ++-- docs/introduction/securedrop_workstation.rst | 10 +++++++--- 4 files changed, 12 insertions(+), 11 deletions(-) 
diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index 0ff2318cc..b9aa639bc 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -40,7 +40,6 @@ being transferred to an Internet-connected computer. Instructions for using SecureDrop as a *Journalist* are available in our :doc:`Journalist Guide `. - Journalist Alert Public Key --------------------------- The *Journalist Alert Public Key* is used for encrypting the daily alert @@ -48,13 +47,13 @@ that notifies *Journalists* via encrypted email about whether or not there has b submission activity in the past 24 hours. The *Journalist* uses an associated private key to decrypt the alerts. -.. _glossary_landing_page: - Journalist Workstation ---------------------- .. TODO add SDW description of Journalist Workstation +.. _glossary_landing_page: + Landing Page ------------ The *Landing Page* is the public-facing webpage for a SecureDrop instance. This @@ -62,7 +61,6 @@ page is hosted as a standard (i.e. non-Tor) webpage on the news organization's site. It provides first instructions for potential *Sources* and includes the instance's :ref:`Source Interface ` address. - Monitor Server -------------- @@ -126,7 +124,6 @@ hosted on the *Application Server* and can only be accessed through Tor. Instructions for using the *Source Interface* are available in our :doc:`Source Guide `. - .. _submission-key: Submission Key diff --git a/docs/index.rst b/docs/index.rst index eff8e2f19..366d6f6fe 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -34,7 +34,7 @@ Get started .. note:: The terms in italics are terms of art specific to SecureDrop. The :doc:`Glossary ` provides more-precise definitions of these and other terms. SecureDrop is designed against - a comprehensive :doc:`/appendices/threat_model/threat_model`, and has a specific notion of the :doc:`roles ` that are involved in its operation. + a comprehensive :doc:`threat model `, and has a specific notion of the :doc:`roles ` that are involved in its operation. .. toctree:: :caption: Introduction diff --git a/docs/introduction/getting_support.rst b/docs/introduction/getting_support.rst index b6a31644e..0409db282 100644 --- a/docs/introduction/getting_support.rst +++ b/docs/introduction/getting_support.rst @@ -54,8 +54,8 @@ Freedom of the Press Foundation has several guides to using Signal: .. _community_support: -Community based support -^^^^^^^^^^^^^^^^^^^^^^^ +Community support +^^^^^^^^^^^^^^^^^ You can connect directly with the SecureDrop development team and the larger SecureDrop community using the diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index 8324e473a..537d9c3d8 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst 
@@ -8,7 +8,7 @@ A SecureDrop Workstation is a laptop used by a *Journalist* to connect to a Secu Encryption and decryption happen with one click using a network-isolated VM that holds the SecureDrop *Submission Private Key*. Submissions can be viewed securely on the same machine thanks to a `feature of Qubes`_ that creates temporary VMs in which to view untrusted content without exposing the rest of the system to that content. *Journalists* use the SecureDrop Workstation to decrypt, view, reply to, and export submissions. -A key feature of SecureDrop is that *journalists* can receive submissions from unknown *Sources* without risking the security of their own machines and networks. Previously, SecureDrop accomplished this by using a physical airgap (the Secure Viewing Station), meaning that to view submissions, *Journalists* would have to download them, transfer them to an encrypted USB drive, and physically take that drive to a separate, non-networked computer for decryption and viewing. SecureDrop Workstation combines all of those steps into one workflow on one machine: a Qubes computer that combines the *Journalist Workstation* and the Secure Viewing Station. +A key feature of SecureDrop is that *Journalists* can receive submissions from unknown *Sources* without risking the security of their own machines and networks. Previously, SecureDrop accomplished this by using a physical airgap (the Secure Viewing Station); to view submissions, *Journalists* would have to download them, transfer them to an encrypted USB flash drive, and physically take that drive to a separate, non-networked computer for decryption and viewing. SecureDrop Workstation combines all of those steps into one workflow on one machine: a Qubes computer that combines the *Journalist Workstation* and the Secure Viewing Station. .. | securedrop_workstation_workflow | 
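Review bot: The rewritten paragraph in this hunk keeps "a physical airgap", while the comparison section of the same file uses "air-gap" and "air-gapped". Since the line is already being edited for terminology, settle on one spelling here so the two sections of securedrop_workstation.rst agree.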
@@ -33,6 +33,7 @@ For more about the security features of Qubes, see SecureDrop Workstation networking architecture ---------------------------------------------- + One key security feature of Qubes OS is that it enables users to configure the appropriate level of network access for each VM. For example, you could have a VM for password storage that has no network access, a work VM that is firewalled @@ -48,7 +49,7 @@ adversaries. Specifically, the following VMs have no network access: - ``sd-gpg``, which holds the *Submission Private Key* required to decrypt messages, replies, and documents. - ``sd-devices``, which passes exported documents through to USB devices like - printers and encrypted flash drives. + printers and encrypted USB flash drives. By design, the Qubes OS host domain, ``dom0``, also does not have Internet access. @@ -93,6 +94,7 @@ to discuss with us, please contact us via Signal, or send us a Why can't I save or print from the Viewer VM apps? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + When you view a file on SecureDrop Workstation, it is opened in a disposable VM that cannot access the network or any peripherals. The VM and all its data will be destroyed the moment you close the viewer application. @@ -105,12 +107,13 @@ You cannot print from the viewer application, because it does not have access to peripherals. This prevents malware from exfiltrating data (e.g., via attached USB devices), and from targeting hardware-level security vulnerabilities. -You *can* print files directly from SecureDrop Inbox by clicking "Print" +You *can* print files directly from SecureDrop Inbox by clicking **Print** for a downloaded file, which will pass the file through to your USB printer without opening it in an interactive viewer application. Why can't I copy and paste? ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + You should be able to copy and paste *within* any VM on the system, e.g., from one application running in ``sd-app`` to another. 
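Review bot: In docs/appendices/glossary.rst, moving `.. _glossary_landing_page:` from above "Journalist Workstation" to above "Landing Page" changes where every reference to that label resolves. That is a link fix rather than polish, so call it out in the commit message or split it into its own commit, where it will not be lost among the blank-line removals. The "Journalist Workstation" entry the label used to sit on is still only a `.. TODO` comment and is left without a label of its own.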
@@ -158,6 +161,7 @@ For more about the security features of Qubes, see How does the security of this system compare to using an air-gapped Secure Viewing Station? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The air-gapped Secure Viewing Station that is part of a SecureDrop setup offers strong protections against exfiltration of submissions or encryption keys by adversaries. It lacks important protections that SecureDrop Workstation provides. On the other hand, vulnerabilities From 3c2e711ebd9bc3b3551f9cc73286a1f7f30f1f83 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Wed, 17 Jun 2026 06:04:33 -0400 Subject: [PATCH 15/24] A few more USB flash drive fixes --- docs/admin/installation/firewall_opnsense.rst | 3 +-- docs/admin/installation/firewall_pfsense.rst | 3 +-- docs/admin/migration/admin_migration.rst | 4 ++-- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/admin/installation/firewall_opnsense.rst b/docs/admin/installation/firewall_opnsense.rst index 4282ec68a..316626a20 100644 --- a/docs/admin/installation/firewall_opnsense.rst +++ b/docs/admin/installation/firewall_opnsense.rst @@ -62,8 +62,7 @@ network firewall. Connect to the OPNSense web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -#. If you have not already done so, boot the *Admin Workstation* into - Tails using its designated USB flash drive. +#. If you have not already done so, boot the *Admin Workstation*. #. Connect the *Admin Workstation* to the LAN interface. You should see a popup notification in Tails that says "Connection Established". If you click diff --git a/docs/admin/installation/firewall_pfsense.rst b/docs/admin/installation/firewall_pfsense.rst index a72d13864..8e0f7fab8 100644 --- a/docs/admin/installation/firewall_pfsense.rst +++ b/docs/admin/installation/firewall_pfsense.rst 
@@ -71,8 +71,7 @@ network firewall. Connect to the pfSense web GUI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -#. If you have not already done so, boot the *Admin Workstation* into - Tails using its designated USB flash drive. +#. If you have not already done so, boot the *Admin Workstation*. #. Connect the *Admin Workstation* to the LAN[1] interface. You should see a popup notification in Tails that says "Connection Established". If you click diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index 1a76f96d5..5f1beebc3 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -166,8 +166,8 @@ In order to copy a *Journalist*'s login credentials: - Close the application window and shut down the ``vault`` VM (using the Qube widget in the upper right panel). At this time, you can also re-enable the network connection using the network manager widget. -Manually importing from Tails USB drives ------------------------------------------------------- +Manually importing from Tails drives +------------------------------------ Manually import *Submission Private Key* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From b5be01d3352d6d8be506c2d1dafdcbd429b3755e Mon Sep 17 00:00:00 2001 
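Review bot: Both firewall hunks (firewall_opnsense.rst and firewall_pfsense.rst, under "Connect to the ... web GUI") drop "into Tails using its designated USB flash drive" from the first step, but the following step, left unchanged as context, still says "You should see a popup notification in Tails". Either keep the Tails reference in the first step or update the second step in the same patch, so the procedure does not name an operating system the reader was never told to boot. This is also a change to the procedure rather than a terminology fix, which the subject "A few more USB flash drive fixes" does not suggest.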
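Review bot: The docs/admin/migration/admin_migration.rst heading becomes "Manually importing from Tails drives", which removes the device term instead of normalising it. The rest of the series settles on "USB flash drive", so "Manually importing from Tails USB flash drives", with the underline lengthened to match, would be consistent with the other files touched here.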
From: "martin.c" Date: Wed, 17 Jun 2026 06:19:09 -0400 Subject: [PATCH 16/24] Clean up extra lines --- docs/admin/installation/apply_sdw.rst | 2 ++ docs/admin/installation/firewall_opnsense.rst | 10 +++++++++- docs/admin/installation/firewall_pfsense.rst | 1 - docs/admin/installation/hardware.rst | 7 +++++++ docs/admin/installation/intro_for_admins.rst | 3 ++- docs/admin/installation/passphrases.rst | 2 +- docs/admin/installation/prepare_servers.rst | 5 +++++ docs/admin/installation/troubleshoot_ossec.rst | 2 ++ docs/admin/maintenance/bios_server.rst | 1 + docs/admin/maintenance/kernel_troubleshooting.rst | 2 ++ docs/admin/maintenance/logging.rst | 1 + docs/admin/maintenance/rebuild_admin.rst | 5 +++++ docs/admin/maintenance/troubleshooting_connection.rst | 5 +++++ docs/admin/reference/securedrop_admin.rst | 1 + docs/admin/reference/ssh_access.rst | 1 + docs/admin/workstation_reference/backup.rst | 2 ++ docs/admin/workstation_reference/reviewing_logs.rst | 1 + .../workstation_reference/troubleshooting_updates.rst | 8 ++++++++ docs/appendices/glossary.rst | 8 ++++++++ docs/journalist/submissions.rst | 1 + docs/source/before_you_submit.rst | 1 + 21 files changed, 65 insertions(+), 4 deletions(-) diff --git a/docs/admin/installation/apply_sdw.rst b/docs/admin/installation/apply_sdw.rst index cb557d775..aaa047457 100644 --- a/docs/admin/installation/apply_sdw.rst +++ b/docs/admin/installation/apply_sdw.rst 
@@ -35,6 +35,7 @@ Once the update check is complete, the SecureDrop Client will launch. Log in usi Enable password copy and paste ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + If you use KeePassXC in the ``vault`` VM to manage login credentials, you can enable the user to copy passwords to SecureDrop Inbox using inter-VM copy and paste. While this is relatively safe, we recommend reviewing the section :doc:`Managing Clipboard Access ` of this guide, which goes into further detail on the security considerations for inter-VM copy and paste. The password manager runs in the networkless ``vault`` VM, and the SecureDrop Inbox application runs in the ``sd-app`` VM. To permit this one-directional clipboard use, issue the following command in ``dom0``: @@ -79,6 +80,7 @@ This is a transient error that may affect any of the SecureDrop Workstation VMs. "Temporary failure resolving" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Transient network issues may cause an installation to fail. To work around this, verify that you have a working Internet connection, and re-run the ``sdw-admin --apply`` command. .. |qubes_menu| image:: ../../images/qubes_menu.png diff --git a/docs/admin/installation/firewall_opnsense.rst b/docs/admin/installation/firewall_opnsense.rst index 316626a20..390cfa581 100644 --- a/docs/admin/installation/firewall_opnsense.rst +++ b/docs/admin/installation/firewall_opnsense.rst @@ -229,6 +229,7 @@ the Unsafe Browser and visit a host that you expect to be up (e.g. ``google.com` Update OPNSense to the latest version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + You should update OPNSense to the latest version available before proceeding with the rest of the configuration. Navigate to **Lobby ▸ Dashboard** and click **Click to check for updates** to start the process, and follow any on-screen instructions 
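Review bot: The subject "Clean up extra lines" does not match the diff. The stat shows 65 insertions against 4 deletions, and nearly every hunk, including the apply_sdw.rst and hardware.rst ones here, adds a blank line after a section heading rather than removing anything. Suggest a subject along the lines of "Add blank line after section headings", and mention the heading underline correction in passphrases.rst separately, since it is a different kind of change.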
@@ -418,12 +419,14 @@ Finally, click **Save**. Configure the LAN, WAN, OPT1, and OPT2 interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + OPT1 and OPT2 need to be configured to use the subnets defined for the *Application* and *Monitor Servers*, and some additional configuration is required for the LAN and WAN interfaces, that is not covered by the Setup Wizard. Configure the WAN interface ''''''''''''''''''''''''''''' + First, navigate to **Interfaces ▸ [WAN]**. In the **Basic configuration** section, check the checkbox labeled **Prevent interface removal**. @@ -435,6 +438,7 @@ Scroll down and click **Save**, then click **Apply changes** when prompted. Configure the LAN interface ''''''''''''''''''''''''''''' + Next, navigate to **Interfaces ▸ [LAN]**. In the **Basic configuration** section, check the checkbox labeled **Prevent interface removal**. @@ -446,6 +450,7 @@ Scroll down and click **Save**, then click **Apply changes** when prompted. Configure the OPT1 interface ''''''''''''''''''''''''''''' + Next, navigate to **Interfaces ▸ [OPT1]**. In the **Basic configuration** section, check the checkboxes labeled **Enable interface** and **Prevent interface removal**. @@ -461,6 +466,7 @@ Click **Save**, then click **Apply changes** when prompted. Configure the OPT2 interface ''''''''''''''''''''''''''''' + Finally, navigate to **Interfaces ▸ [OPT2]**. In the **Basic configuration** section, check the checkboxes labeled **Enable interface** and **Prevent interface removal**. @@ -538,9 +544,9 @@ Configure firewall rules Next, configure firewall rules for each interface. - Configure firewall rules on LAN ''''''''''''''''''''''''''''''' + First, navigate to **Firewall ▸ Rules ▸ LAN**. The LAN interface should have one automatically-generated anti-lockout rule in place, in addition to two default-allow rules. The default-allow rules should be removed once the SecureDrop-specific rules below 
@@ -591,6 +597,7 @@ Settings ▸ Advanced**. Scroll down to the **Miscellaneous** section and check Configure firewall rules on OPT1 '''''''''''''''''''''''''''''''' + Next, navigate to **Firewall ▸ Rules ▸ OPT1**. There should be no rules defined on this interface. Add the rules below: @@ -669,6 +676,7 @@ Once they match the screenshot below, click **Apply Changes**. Configure firewall rules on OPT2 '''''''''''''''''''''''''''''''' + Next, navigate to **Firewall ▸ Rules ▸ OPT2**. Similarly to OPT1, there should be no rules defined on this interface. Add the rules below until the rules in the Web GUI match those in the screenshot: diff --git a/docs/admin/installation/firewall_pfsense.rst b/docs/admin/installation/firewall_pfsense.rst index 8e0f7fab8..622a014f5 100644 --- a/docs/admin/installation/firewall_pfsense.rst +++ b/docs/admin/installation/firewall_pfsense.rst @@ -254,7 +254,6 @@ interface**, scroll down, and click the **Save** button. Assign a static IP address to the *Admin Workstation* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Now you will need to assign a static IP to the *Admin Workstation*. You can easily check your current IP address by *clicking* the top right of diff --git a/docs/admin/installation/hardware.rst b/docs/admin/installation/hardware.rst index 2e2aecd1f..7b2cfa7ab 100644 --- a/docs/admin/installation/hardware.rst +++ b/docs/admin/installation/hardware.rst @@ -154,6 +154,7 @@ our support or consent. 14th-gen NUC ~~~~~~~~~~~~ + We have tested and can recommend the `ASUS NUC14RVH `__. It provides both 22x80 and 22x42 M.2 ports for NVMe SSD storage, as well as a 2.5 inch drive bay for a SATA hard drive or SSD (if using this slot, we recommend choosing an SSD). 
@@ -174,6 +175,7 @@ the picture. Cover the free ends with electrical tape after disconnecting them. 13th-gen NUC ~~~~~~~~~~~~ + We have tested and can recommend the `ASUS NUC13ANHi5 `__. It provides two M.2 SSD storage options: a 22x80 port for an NVMe drive, and a 22x42 port for a SATA drive. It also has a 2.5 inch drive bay for a SATA hard @@ -195,6 +197,7 @@ after disconnecting them. 12th-gen NUC ~~~~~~~~~~~~ + We have tested and can recommend the `NUC12WSKi5 `__. It provides two M.2 SSD storage options: a 22x80 port for an NVMe drive, and a 22x42 port for a SATA drive. @@ -213,6 +216,7 @@ after disconnecting them. 11th-gen NUC ~~~~~~~~~~~~ + We have tested and can recommend the `Intel NUC11PAHi3 `__. It provides two storage options: M.2 SSD storage and a 2.5" secondary storage option (SSD or HDD). @@ -344,6 +348,7 @@ to :doc:`configure an existing hardware firewall `. Two-factor device ^^^^^^^^^^^^^^^^^ + *Two-Factor Authentication* is used when connecting to different parts of the SecureDrop system. Each admin and each *Journalist* needs a two-factor device. We currently support two options for *Two-Factor Authentication*: @@ -358,6 +363,7 @@ device. We currently support two options for *Two-Factor Authentication*: USB flash drives ^^^^^^^^^^^^^^^^ + *Journalists* need physical media (known as the *Export Device*) to copy submissions to their everyday workstation. @@ -396,6 +402,7 @@ label (e.g. with tape, printed sticker or a label from a labelmaker). Monitor, keyboard, mouse ^^^^^^^^^^^^^^^^^^^^^^^^ + You will need these to do the initial installation of Ubuntu on the *Application* and *Monitor Servers*. diff --git a/docs/admin/installation/intro_for_admins.rst b/docs/admin/installation/intro_for_admins.rst index effca959f..718824815 100644 --- a/docs/admin/installation/intro_for_admins.rst +++ b/docs/admin/installation/intro_for_admins.rst 
@@ -50,6 +50,7 @@ As a SecureDrop administrator, it is your responsibility to: Responsibilities of the SecureDrop team --------------------------------------- + The SecureDrop team employed by Freedom of the Press Foundation (FPF) and the SecureDrop community maintain and develop the SecureDrop software, which is offered as open source software, free of charge, and at your own risk. @@ -123,7 +124,6 @@ Keeping the system updated The admin is responsible for ensuring that updates are applied to SecureDrop. Where possible, updates are applied automatically, but some update operations require manual intervention. - Updates: servers ^^^^^^^^^^^^^^^^ @@ -175,6 +175,7 @@ SecureDrop uses OSSEC to monitor the servers for unusual activity caused by syst Monitoring SecureDrop-related communications -------------------------------------------- + Release announcements and security advisories are posted to the `SecureDrop blog `__, which is also available as an `RSS feed `__. You can also follow us on our social media accounts (`Twitter `__ and `Mastodon `__). We strongly recommend :doc:`joining the SecureDrop support portal `. As a member of the support portal, you will receive email notifications related to all major announcements, and you can open tickets in case of technical issues. Membership is free of charge. diff --git a/docs/admin/installation/passphrases.rst b/docs/admin/installation/passphrases.rst index 1542f46c0..f20b65158 100644 --- a/docs/admin/installation/passphrases.rst +++ b/docs/admin/installation/passphrases.rst @@ -48,7 +48,7 @@ The *Journalist* will also need to have a two-factor authenticator, such as an A - The secret code for the *Journalist*'s *Two-Factor Authentication*. *Export Device* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~ We recommend using encrypted USB flash drives for transferring files off of the *Journalist Workstation*. 
diff --git a/docs/admin/installation/prepare_servers.rst b/docs/admin/installation/prepare_servers.rst index 1d08d9789..d0045d975 100644 --- a/docs/admin/installation/prepare_servers.rst +++ b/docs/admin/installation/prepare_servers.rst @@ -6,6 +6,7 @@ Pre-install steps Upgrade the server BIOS ~~~~~~~~~~~~~~~~~~~~~~~ + Before beginning the installation process, you should upgrade your servers' BIOS to the most recent stable version available. This process will differ for each server make/model - if you are using one of the recommended NUC models, you can @@ -13,6 +14,7 @@ find instructions in :doc:`../maintenance/bios_server`. Update BIOS settings ~~~~~~~~~~~~~~~~~~~~ + Once the BIOS has been updated, you should boot into it again to disable any unused hardware, including: @@ -130,6 +132,7 @@ following output in your terminal. :: Create the Ubuntu installation media ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The `Ubuntu website `__ has detailed instructions on how to to create a bootable Ubuntu Server USB flash drive. @@ -286,6 +289,7 @@ Select **Done** and press **Enter** to proceed. Decline upgrade to Ubuntu Pro ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The SecureDrop servers should not be registered with Ubuntu Advantage. On the **Upgrade to Ubuntu Pro** screen, make sure **Skip for now** is selected, then choose **Continue**. @@ -302,6 +306,7 @@ to proceed. Finish the installation ~~~~~~~~~~~~~~~~~~~~~~~ + On the **Featured server snaps** screen, ensure that no snaps are selected and choose **Done** to start the server installation process. diff --git a/docs/admin/installation/troubleshoot_ossec.rst b/docs/admin/installation/troubleshoot_ossec.rst index 99e2e9c4b..842088a6c 100644 --- a/docs/admin/installation/troubleshoot_ossec.rst +++ b/docs/admin/installation/troubleshoot_ossec.rst 
@@ -72,6 +72,7 @@ Other log files that may contain useful information: Not receiving emails ~~~~~~~~~~~~~~~~~~~~ + Some mail servers require that the sending email address match the account that authenticated to send mail. By default the *Monitor Server* will use ``ossec@ossec.server`` for the from line, but your mail provider may not support @@ -84,6 +85,7 @@ then run the playbook again. Message failed to encrypt ~~~~~~~~~~~~~~~~~~~~~~~~~ + If OSSEC cannot encrypt the alert to the *OSSEC Alert Public Key* for the Admin email address (configured as ``ossec_alert_email`` in ``~/.config/securedrop-admin/site-specific``), the system will send a static message instead of the scheduled alert: diff --git a/docs/admin/maintenance/bios_server.rst b/docs/admin/maintenance/bios_server.rst index c07302e96..ff458e0ce 100644 --- a/docs/admin/maintenance/bios_server.rst +++ b/docs/admin/maintenance/bios_server.rst @@ -30,6 +30,7 @@ Download and verify appropriate BIOS files For Intel and ASUS NUC devices `````````````````````````````` + Check the make and model of your servers, and follow the F7 BIOS update method in the documentation. The exact instructions vary by model: - `BIOS update instructions for Intel NUC with Intel Visual BIOS `__ diff --git a/docs/admin/maintenance/kernel_troubleshooting.rst b/docs/admin/maintenance/kernel_troubleshooting.rst index 6760fe54d..959317e49 100644 --- a/docs/admin/maintenance/kernel_troubleshooting.rst +++ b/docs/admin/maintenance/kernel_troubleshooting.rst @@ -1,5 +1,6 @@ Troubleshooting kernel updates ============================== + Kernel updates address known bugs and security vulnerabilities in the Linux kernel. They may be installed automatically on your *Application* and *Monitor Servers* as part of a SecureDrop release. All kernel updates are tested extensively 
@@ -196,6 +197,7 @@ resolve compatibility issues. Test and enable an updated kernel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + If you have changed your default kernel, we urge you to test an updated kernel as soon as it becomes available in a future SecureDrop release. Note that an update may be enforced as part of a release to protect the security of your diff --git a/docs/admin/maintenance/logging.rst b/docs/admin/maintenance/logging.rst index cc4cdf9cc..0d5dec9f4 100644 --- a/docs/admin/maintenance/logging.rst +++ b/docs/admin/maintenance/logging.rst @@ -1,5 +1,6 @@ Investigating logs ================== + When troubleshooting issues with your SecureDrop instance, be sure to examine all relevant log files on both servers. To work with logs, it is helpful to be familiar with commands like ``less``, ``tail`` and ``grep``; to inspect older, diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 554650001..64e83aed2 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -59,6 +59,7 @@ the default location. When prompted for a passphrase, it's safe to leave it blan Step 2: (Optional) Boot the servers in single-user mode ======================================================= + If you do not have the original password for the shell admin account on the *Application* and *Monitor Servers*, you'll need to reset the password on each server by booting in single user mode. In order to do so, you'll need physical @@ -74,6 +75,7 @@ by a space, and press **F10** to boot in single user mode. Reset the SecureDrop admin user's password ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Once the root prompt appears, you'll need to reset the password for the SecureDrop admin user. By default this user is named `sdadmin` and has UID 1000. However it may have been named differently during the installation of your 
@@ -98,6 +100,7 @@ password as for the *Monitor Server* - this is required in order for the Step 3: Set up *Admin Workstation* access ========================================= + Next, you'll configure the servers to allow temporary SSH access from the new *Admin Workstation*. @@ -295,6 +298,7 @@ can obtain via the command: Retrieve OSSEC alert configuration details ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + You'll also need to retrieve the following configuration information: - SMTP server @@ -321,6 +325,7 @@ In this example, ``smtp.gmail.com`` is the SMTP server, ``587`` is the SMTP port (Optional) Retrieve HTTPS certificate files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + If your *Source Interface* was configured to use HTTPS, you will need to copy three related files from the *Application Server* to the *Admin Workstation*. diff --git a/docs/admin/maintenance/troubleshooting_connection.rst b/docs/admin/maintenance/troubleshooting_connection.rst index 41f559315..159807e22 100644 --- a/docs/admin/maintenance/troubleshooting_connection.rst +++ b/docs/admin/maintenance/troubleshooting_connection.rst @@ -65,6 +65,7 @@ next step. Step 2: Troubleshooting login issues ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Issues logging in may not be network-related. If you are experiencing connectivity issues before or after logging in, you can skip ahead to the next section. @@ -92,6 +93,7 @@ in, proceed to the next step. Step 3: Verify that all required VMs are running ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The following VMs must be running for all actions requiring network connectivity to work (e.g., logging in, checking for messages, downloading documents, replying to sources, starring sources, deleting sources): 
@@ -129,6 +131,7 @@ If all required VMs are running, proceed to the next step. Step 4: Verify that required VMs have connectivity ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In step 1, you have already verified that you can connect to the Internet using ``sys-net``. Now, test whether ``sys-firewall`` and ``sd-proxy`` are working. @@ -149,6 +152,7 @@ If the output does not include the text "Congratulations", proceed to the next s Step 5: Restart ``sd-proxy`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Restart ``sd-proxy`` to attempt to restore connectivity: 1. Exit SecureDrop Inbox if it is running. @@ -181,6 +185,7 @@ If this does not resolve the issue, please contact us for assistance. Examining logs ~~~~~~~~~~~~~~ + You may wish to examine system logs on your own, or with our guidance. You can examine consolidated syslogs from all SecureDrop-related VMs in the ``sd-log`` VM. They can be found in the default user's ``~/QubesIncomingLogs`` directory. diff --git a/docs/admin/reference/securedrop_admin.rst b/docs/admin/reference/securedrop_admin.rst index fba8f6d03..92fc39a70 100644 --- a/docs/admin/reference/securedrop_admin.rst +++ b/docs/admin/reference/securedrop_admin.rst @@ -7,6 +7,7 @@ The ``securedrop-admin`` Utility Using ``securedrop-admin`` -------------------------- + The ``securedrop-admin`` command-line utility is used to perform common server administration tasks, including: diff --git a/docs/admin/reference/ssh_access.rst b/docs/admin/reference/ssh_access.rst index bf881a945..38737e809 100644 --- a/docs/admin/reference/ssh_access.rst +++ b/docs/admin/reference/ssh_access.rst @@ -3,6 +3,7 @@ Logging in via SSH SSH over tor ------------ + By default, SSH access to SecureDrop servers is routed through the Tor network, allowing you to access the servers from anywhere in the world where you have a stable internet connection and 
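Review bot: In troubleshooting_connection.rst, the "Step 5: Restart ``sd-proxy``" hunk adds the blank line but leaves the `~` underline far longer than the title above it. This patch already trims the same kind of overlong underline under "*Export Device*" in passphrases.rst, so trim this one to the title length as well.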
diff --git a/docs/admin/workstation_reference/backup.rst b/docs/admin/workstation_reference/backup.rst index dea02d6e7..5e66fb21d 100644 --- a/docs/admin/workstation_reference/backup.rst +++ b/docs/admin/workstation_reference/backup.rst @@ -120,6 +120,7 @@ updated base templates. Rename or delete redundant AppVMs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + By default, Qubes OS will create the AppVMs ``personal``, ``work``, ``untrusted`` and ``vault`` as part of the installation process. Rename or delete any of these newly created AppVMs whose names conflict with the AppVMs you @@ -131,6 +132,7 @@ Example: If you wish to restore the ``vault`` VM, rename or delete the existing Restore backup (SecureDrop Workstation components) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Plug in your backup medium and unlock it as during the backup. By default on a new system, your peripheral devices will be managed by a VM called ``sys-usb``. diff --git a/docs/admin/workstation_reference/reviewing_logs.rst b/docs/admin/workstation_reference/reviewing_logs.rst index e45bc8e07..ea3082072 100644 --- a/docs/admin/workstation_reference/reviewing_logs.rst +++ b/docs/admin/workstation_reference/reviewing_logs.rst @@ -1,5 +1,6 @@ Reviewing and exporting logs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The *Journalist Workstation* aggregates system logs from all its VMs in the ``sd-log`` VM, in the folder ``~/QubesIncomingLogs``, with one subfolder for each VM. You can inspect these logs directly in the ``sd-log`` VM, or you can copy them to another VM, e.g., for purposes of sharing logs with the SecureDrop development team. Please note that while the logs do not include original filenames or message contents, they do contain sensitive information, e.g.: diff --git a/docs/admin/workstation_reference/troubleshooting_updates.rst b/docs/admin/workstation_reference/troubleshooting_updates.rst index 9332d61f5..673a1f564 100644 --- a/docs/admin/workstation_reference/troubleshooting_updates.rst 
+++ b/docs/admin/workstation_reference/troubleshooting_updates.rst @@ -26,6 +26,7 @@ update issues. Step 1: Locate the updater log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The preflight updater runs in the ``dom0`` domain. It writes its log to ``~/.securedrop_updater/logs/updater.log``. Log files are rotated hourly; if you have started the updater @@ -56,6 +57,7 @@ In order to locate a previous log file in the same directory: Step 2: Identify the cause(s) of the error ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + If the updater has run to completion, you should see a result line in the log file that looks similar to the following: @@ -78,12 +80,14 @@ of the individual steps that have failed, other than ``recommended_action``. Step 3: Resolve the issue(s) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The resolution path will depend on which step(s) failed. Note that ``dom0`` and ``apply_dom0`` are separate steps. ``dom0`` update failures ^^^^^^^^^^^^^^^^^^^^^^^^ + 1. Open a terminal in ``dom0`` via |qubes_menu| **▸ Gear Icon (left-hand side) ▸ Other Tools ▸ Xfce Terminal**. 2. Perform an interactive ``dom0`` update by running the @@ -259,6 +263,7 @@ key and remove the expired one: ``sd-*-template`` update failures ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + 1. Click the Qubes menu and open a terminal in the impacted template. For example, if ``sd-small-bookworm-template`` failed to update, select its entry in the Qubes menu and click @@ -282,6 +287,7 @@ key and remove the expired one: ``fedora-42-xfce`` update failures ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + 1. Launch the Qubes GUI Updater from the top righthand tray icon. Ensure the ``fedora-42-xfce`` template is selected. @@ -294,6 +300,7 @@ key and remove the expired one: ``apply_dom0`` update failures ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + The ``apply_dom0`` step applies any necessary configuration changes to the SecureDrop Workstation. If this step fails, this may indicate a misconfiguration, or it could be a result 
@@ -324,6 +331,7 @@ If this does not resolve the issue: Step 4: Restart the updater ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Click the SecureDrop Inbox desktop icon to restart the updater. If all issues have been resolved, the updater should run to completion and display a success message. If the issue diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index b9aa639bc..5316336e6 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -14,6 +14,7 @@ Admin Workstation Application Server ------------------ + The *Application Server* runs the SecureDrop server application. This server hosts both the website that *Sources* access (the *Source Interface*) and the website that *Journalists* access (the *Journalist Interface*). Both are published @@ -29,6 +30,7 @@ Please see the detailed security recommendations for the choice, configuration a Journalist ---------- + The *Journalist* uses SecureDrop to communicate with and download documents submitted by the *Source*. Journalists do this by using the *SecureDrop Workstation*. @@ -42,6 +44,7 @@ Instructions for using SecureDrop as a *Journalist* are available in our Journalist Alert Public Key --------------------------- + The *Journalist Alert Public Key* is used for encrypting the daily alert that notifies *Journalists* via encrypted email about whether or not there has been submission activity in the past 24 hours. The *Journalist* uses an associated @@ -100,12 +103,14 @@ Only v3 *Onion Services* are supported by SecureDrop. OSSEC Alert Public Key ---------------------- + The *OSSEC Alert Public Key* is the GPG key that OSSEC will encrypt alerts to. The associated private key is used by the admin to access encrypted OSSEC alerts from the *Monitor Server*. Source ------ + The *Source* is the person who submits documents to SecureDrop and may use SecureDrop to communicate with a *Journalist*. A *Source* will always access SecureDrop through the *Source Interface* and must do so using Tor. 
@@ -117,6 +122,7 @@ Instructions for using SecureDrop as a *Source* are available in our Source Interface ---------------- + The *Source Interface* is the website that sources will access to submit documents and communicate with *Journalists*. This site is hosted on the *Application Server* and can only be accessed through Tor. @@ -128,6 +134,7 @@ Instructions for using the *Source Interface* are available in our :doc:`Source Submission Key -------------- + The *Submission Key* is the GPG keypair used to encrypt and decrypt documents and messages sent to your SecureDrop. Because the public key and private key must be treated very differently, we sometimes refer to them explicitly as the @@ -143,6 +150,7 @@ and on offline backup storage. Two-Factor Authentication ------------------------- + There are several places in the SecureDrop architecture where two-factor authentication is used to protect access to sensitive information or systems. These instances use the standard TOTP and/or HOTP algorithms, diff --git a/docs/journalist/submissions.rst b/docs/journalist/submissions.rst index d64412a8c..212dd15a0 100644 --- a/docs/journalist/submissions.rst +++ b/docs/journalist/submissions.rst @@ -160,6 +160,7 @@ Safely working with submissions outside the *Journalist Workstation* Risks from malware ~~~~~~~~~~~~~~~~~~ + SecureDrop does not scan for or remove malware in submissions you receive. There are important steps you can take to protect yourself: diff --git a/docs/source/before_you_submit.rst b/docs/source/before_you_submit.rst index 324a901e6..c1a5c8a07 100644 --- a/docs/source/before_you_submit.rst +++ b/docs/source/before_you_submit.rst @@ -83,6 +83,7 @@ making these decisions. Choose who to submit to ----------------------- + We recommend conducting all research related to your submission in Tor Browser. If you are unsure whether you are using Tor, you can visit the address https://check.torproject.org. 
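Review bot: In docs/admin/maintenance/troubleshooting_connection.rst (@@ -149,6 +152,7 @@), the heading "Step 5: Restart ``sd-proxy``" keeps a ``~`` underline that is considerably longer than its title, which suggests the title was shortened at some point and the underline was not. Docutils accepts an over-long underline, so this is cosmetic, but since the hunk already touches the line directly below it, trimming the underline to the title length in the same pass would keep the heading cleanup complete.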
From 12267dab8b2cc748aacf38373e97f9bda89bd3a6 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Wed, 17 Jun 2026 06:19:38 -0400 Subject: [PATCH 17/24] Typo fix --- docs/admin/installation/passphrases.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/admin/installation/passphrases.rst b/docs/admin/installation/passphrases.rst index f20b65158..6fcb314d9 100644 --- a/docs/admin/installation/passphrases.rst +++ b/docs/admin/installation/passphrases.rst @@ -5,8 +5,8 @@ Each individual with a role (admin or *Journalist*) at a given SecureDrop instan Ideally, each admin and *Journalist* would only have to remember the passphrases to unlock the encrypted storage on their *Journalist Workstation* laptop. -Admininistrator ---------------- +Administrator +------------- The administrator will be using an *Admin Workstation* configured to connect to the *Application Server* and the *Monitor Server* using Tor and SSH. The tasks performed by the admin will require the following set of credentials and passphrases: From 58c6a7911496f47648d0d75db330b61de2a18cbc Mon Sep 17 00:00:00 2001 From: Martin <166127544+ChumOfChance@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:41:47 -0400 Subject: [PATCH 18/24] Update docs/includes/backup-and-update-reminders.txt Tails should be capitalized Co-authored-by: Nathan Dyer --- docs/includes/backup-and-update-reminders.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/includes/backup-and-update-reminders.txt b/docs/includes/backup-and-update-reminders.txt index 88e798b97..706f978be 100644 --- a/docs/includes/backup-and-update-reminders.txt +++ b/docs/includes/backup-and-update-reminders.txt @@ -1,4 +1,4 @@ -Back up the tails workstations +Back up the Tails workstations ------------------------------- USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and *Journalists*, we recommend backing up 
From 250686eb8a511db46aeb2ecfffdfed03a84aaad5 Mon Sep 17 00:00:00 2001 From: Martin <166127544+ChumOfChance@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:44:00 -0400 Subject: [PATCH 19/24] Update docs/admin/reference/ssh_access.rst Tor capitalized Co-authored-by: Nathan Dyer --- docs/admin/reference/ssh_access.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/reference/ssh_access.rst b/docs/admin/reference/ssh_access.rst index 38737e809..8e98edc73 100644 --- a/docs/admin/reference/ssh_access.rst +++ b/docs/admin/reference/ssh_access.rst @@ -1,7 +1,7 @@ Logging in via SSH ================== -SSH over tor +SSH over Tor ------------ By default, SSH access to SecureDrop servers is routed through the Tor From 268b2a6e717f7375fd917c4a66e1efad18e367af Mon Sep 17 00:00:00 2001 From: Martin <166127544+ChumOfChance@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:44:23 -0400 Subject: [PATCH 20/24] Update docs/admin/installation/create_admin_account.rst Co-authored-by: Nathan Dyer --- docs/admin/installation/create_admin_account.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/installation/create_admin_account.rst b/docs/admin/installation/create_admin_account.rst index 9834bb634..ce22c3f98 100644 --- a/docs/admin/installation/create_admin_account.rst +++ b/docs/admin/installation/create_admin_account.rst @@ -30,7 +30,7 @@ running a command on the *Application Server*. After that, the admin can create .. _Create Admin CLI: To create an admin account via the command line, -:doc:`SSH to the*Application Server* <../installation/test_the_installation>`, +:doc:`SSH to the *Application Server* <../installation/test_the_installation>`, then: .. code:: sh From 2c15af6c3a0c6c1063b809c97ec47f73237d1c8f Mon Sep 17 00:00:00 2001 
From: "martin.c" Date: Thu, 18 Jun 2026 08:23:23 -0400 Subject: [PATCH 21/24] Clean up SVS and some Admin/Journalist workstation references --- docs/admin/deployment/https_source_interface.rst | 4 ++-- docs/admin/installation/installation_overview.rst | 2 +- docs/admin/installation/provisioning_usb.rst | 11 +++++------ docs/admin/migration/admin_migration.rst | 12 ++++++------ docs/admin/reference/offboarding.rst | 2 ++ docs/journalist/submissions.rst | 5 ++--- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index 37bd429ec..aa4e83713 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst @@ -3,8 +3,8 @@ HTTPS on the *Source Interface* .. TODO update this page for Qubes -The SecureDrop *Source Interface* is served as an *Onion Service* with an ``.onion`` -address, requiring Tor Browser to access it. While *Onion Services* provide +The SecureDrop *Source Interface* is served as an *Onion Service* with an onion +address ending in ".onion", requiring Tor Browser to access it. While *Onion Services* provide end-to-end encryption by default, as well as strong anonymity, there are several reasons why you might want to consider deploying an additional layer of encryption and authentication via HTTPS: diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index 0f2dc66cb..ccc8900dd 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst 
@@ -4,7 +4,7 @@ Installation overview Migrating from a Tails-based SecureDrop --------------------------------------- -If you are migrating from an older Tails-based SecureDrop, using the separate *Secure Viewing Station*, *Journalist Workstation* and *Admin Workstation* USB flash drives, then skip to the :ref:`Migration Overview`. +If you are migrating from an older SecureDrop, using the separate Tails-based Secure Viewing Station, journalist workstation* and admin workstation USB flash drives, then skip to the :ref:`Migration Overview`. Setting expectations -------------------- diff --git a/docs/admin/installation/provisioning_usb.rst b/docs/admin/installation/provisioning_usb.rst index de58d307a..cba878a7e 100644 --- a/docs/admin/installation/provisioning_usb.rst +++ b/docs/admin/installation/provisioning_usb.rst @@ -2,7 +2,7 @@ Provisioning USB *Export Devices* ================================= The *Journalist Workstation* supports the export of submissions from the SecureDrop Inbox -to a LUKS- or VeraCrypt-encrypted USB *Export Device*. +to a LUKS- or VeraCrypt-encrypted USB flash drive, referred to as an *Export Device*. Creating a LUKS-encrypted drive ------------------------------- 
@@ -11,12 +11,11 @@ Creating a LUKS-encrypted drive systems such as Tails. For compatibility with macOS and Windows systems, use VeraCrypt. In order to provision a LUKS-encrypted *Export Device* for use a *Journalist Workstation*, -you will need a fresh USB flash drive and a Linux-based system. Tails is recommended - -if available, the *Secure Viewing Station* can be used, adding the extra benefit -of its airgap: +you will need a fresh USB flash drive and a SecureDrop Workstation. -- First, boot into the *Secure Viewing Station*, without unlocking its - persistent volume or setting an admin password. +.. TODO update these instructions for provisioning Export Devices on Qubes + +- First, boot the SecureDrop Workstation. - Next, open the Disks utility: **Applications ▸ Utilities ▸ Disks**. - Connect the fresh USB flash drive and select it in the list in the left-hand panel. diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index 5f1beebc3..89637cf75 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -47,7 +47,7 @@ Install tasks: Import KeePassXC database ~~~~~~~~~~~~~~~~~~~~~~~~~ -If you have a KeePassXC database on your Tails-based *Admin Workstation*, you should copy it to the ``vault`` VM on the new Qubes-based *Admin-Workstation*. +If you have a KeePassXC database on your Tails-based Admin Workstation USB flash drive, you should copy it to the ``vault`` VM on the new Qubes-based *Admin-Workstation*. Qubes OS comes with the KeePassXC password manager preinstalled in the ``vault`` VM. 
@@ -59,7 +59,7 @@ Qubes OS comes with the KeePassXC password manager preinstalled in the ``vault`` Configure SecureDrop Workstation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct *Journalist Interface* details and *Submission Private Key* from your Tails-based Secure Viewing Station and *Journalist Workstation* USB flash drives. +Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct SecureDrop server details and *Submission Private Key* from your Tails-based Journalist Workstation and Secure Viewing Station USB flash drives. Import *Submission Private Key* ------------------------------- @@ -78,7 +78,7 @@ To protect this key and preserve the air gap, you will need to connect the Secur |Attach TailsData| -- In the the ``vault`` file manager, select the persistent volume's listing in the lower left sidebar. It will be named ``N GB encrypted``, where N is the size of the persistent volume. Enter the SVS persistent volume passphrase to unlock and mount it. When asked if you would like to forget the password immediately or remember it until you logout, choose the option to **Forget password immediately**. +- In the the ``vault`` file manager, select the persistent volume's listing in the lower left sidebar. It will be named ``N GB encrypted``, where N is the size of the persistent volume. Enter the Secure Viewing Station persistent volume passphrase to unlock and mount it. When asked if you would like to forget the password immediately or remember it until you logout, choose the option to **Forget password immediately**. .. note:: 
@@ -144,11 +144,11 @@ In order to set up KeePassXC for easy use: .. important:: - The password database from the Tails-based *Admin Workstation* contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based *Journalist Workstation* USB flash drive. + The password database from the Tails-based Admin Workstation contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based Journalist Workstation USB flash drive. In order to copy a *Journalist*'s login credentials: -- If a Tails-based *Journalist Workstation* USB flash drive is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. +- If a Tails-based Journalist Workstation USB flash drive is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. - Locate the password database. It should be in the ``Persistent`` directory, and will typically be named ``keepassx.kdbx`` or similar. @@ -197,7 +197,7 @@ If importing the *Submission Private Key* using ``sdw-admin --configure`` fails head -n 1 /tmp/sd-journalist.sec -- Unmount the SVS USB +- Unmount the Secure Viewing Station USB flash drive. - Run the following command in the ``dom0`` terminal: diff --git a/docs/admin/reference/offboarding.rst b/docs/admin/reference/offboarding.rst index fac95cff5..56708109a 100644 --- a/docs/admin/reference/offboarding.rst +++ b/docs/admin/reference/offboarding.rst @@ -131,6 +131,8 @@ the SSH key, you should rotate the key in the following manner. Rotate the *Submission Key* --------------------------- +.. TODO Update instructions for Qubes + The *Submission Private Key* is held on the airgapped *Secure Viewing Station*, and is not normally accessed by SecureDrop users anywhere but on the *SVS*. Therefore, we recommend rotating the *Submission Key* under the following 
diff --git a/docs/journalist/submissions.rst b/docs/journalist/submissions.rst index 212dd15a0..39eb034ca 100644 --- a/docs/journalist/submissions.rst +++ b/docs/journalist/submissions.rst @@ -141,7 +141,7 @@ To access the *Export Device* on your everyday workstation, follow these steps: the contents of interest to your everyday workstation. As a security precaution, we recommend deleting the files on the *Export -Device* after each copy operation. If you are using write protection, you have to perform this step on the *Secure Viewing Station* to get the security benefits of write protection. +Device* after each copy operation. When you are done, switch back to the *VeraCrypt* window, and click **Dismount**. @@ -193,8 +193,7 @@ are important steps you can take to protect yourself: QR codes can contain malicious links that your device will automatically visit. This can alert third-parties to your actions, reveal the identities - of your *Sources*, and breach the air gap that is in place with the - *Secure Viewing Station*. + of your *Sources*, and breach the isolation benefits of using Qubes. In general, be careful when opening any links provided in a SecureDrop submission. If you are unsure if a link is safe to click, you should From 305d19caa33cf54373c58958c7b4f97b64200999 Mon Sep 17 00:00:00 2001 
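Review bot: In docs/admin/installation/installation_overview.rst (@@ -4,7 +4,7 @@), the new sentence leaves a stray asterisk after "journalist workstation*" with no opening marker, so the term loses its emphasis and the asterisk will appear literally in the rendered page. The same line lowercases "journalist workstation" and "admin workstation" while the other files in this patch write them as capitalized device names; suggest either restoring *Journalist Workstation* and *Admin Workstation* or dropping the markup and keeping the capitalization on all three names.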
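Review bot: In docs/admin/installation/provisioning_usb.rst (@@ -11,12 +11,11 @@), only the first bullet is rewritten: the unchanged next step still sends the reader to **Applications ▸ Utilities ▸ Disks**, a path that was written for the Tails-based procedure this hunk removes, and the TODO that flags the gap is an RST comment that readers never see. The removed text also told the admin to boot without unlocking the persistent volume or setting an admin password and gave the air gap as the reason, while the replacement "boot the SecureDrop Workstation" does not say which VM the fresh USB flash drive should be attached to. Suggest holding this hunk until the Qubes steps are written, or adding a visible note that the remaining steps are pending an update. The context line "for use a *Journalist Workstation*" is also missing a preposition and could be fixed in the same change.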
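Review bot: In docs/admin/migration/admin_migration.rst (@@ -47,7 +47,7 @@ and @@ -59,7 +59,7 @@), both rewritten sentences keep the hyphenated "*Admin-Workstation*" for the Qubes machine while using "Admin Workstation" without a hyphen for the Tails drive in the same sentence. Since this patch is a terminology cleanup, the hyphenated form should be normalized here too, otherwise readers may take the two spellings for two different devices.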
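Review bot: In docs/admin/migration/admin_migration.rst (@@ -78,7 +78,7 @@), the rewritten bullet still begins "In the the ``vault`` file manager" with a doubled "the". The line is already being replaced to expand "SVS", so the duplicate word can be dropped in the same edit.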
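Review bot: In docs/journalist/submissions.rst (@@ -141,7 +141,7 @@), deleting the write-protection sentence removes the only guidance in this paragraph for *Export Devices* used with write protection, and nothing replaces it. If write-protected devices are still supported in the Qubes workflow, say where the deletion step should be performed; if they are not, that should be stated rather than silently dropped.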
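Review bot: In docs/journalist/submissions.rst (@@ -193,8 +193,7 @@), "breach the isolation benefits of using Qubes" reads awkwardly, since it is the isolation that is breached and not its benefits. Suggest "and undermine the isolation that Qubes provides", which keeps the parallel with the two earlier items in the sentence.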
From: "martin.c" Date: Thu, 18 Jun 2026 11:00:44 -0400 Subject: [PATCH 22/24] More italics, formatting all terms of art more consistenly --- .../admin/deployment/deployment_practices.rst | 2 +- .../deployment/https_source_interface.rst | 2 +- docs/admin/deployment/landing_page.rst | 6 +- docs/admin/deployment/tor_pow.rst | 4 +- .../installation/create_admin_account.rst | 2 +- docs/admin/installation/email_alerts.rst | 6 +- docs/admin/installation/install.rst | 6 +- .../installation/installation_overview.rst | 2 +- docs/admin/installation/set_up_keepassxc.rst | 4 +- docs/admin/maintenance/decommission.rst | 6 +- docs/admin/maintenance/rebuild_admin.rst | 4 +- docs/admin/migration/admin_migration.rst | 22 +- docs/admin/reference/admin_interface.rst | 8 +- docs/admin/reference/offboarding.rst | 2 +- docs/admin/reference/securedrop_admin.rst | 2 +- docs/admin/reference/ssh_access.rst | 2 +- docs/admin/workstation_reference/backup.rst | 2 +- docs/appendices/glossary.rst | 6 +- docs/appendices/threat_model/mitigations.rst | 8 +- docs/appendices/threat_model/threat_model.rst | 190 +++++++++--------- docs/appendices/training_schedule.rst | 2 +- docs/introduction/securedrop_workstation.rst | 16 +- docs/introduction/what_is_securedrop.rst | 52 ++--- docs/journalist/sources.rst | 4 +- docs/source/before_you_submit.rst | 2 +- 25 files changed, 181 insertions(+), 181 deletions(-) diff --git a/docs/admin/deployment/deployment_practices.rst b/docs/admin/deployment/deployment_practices.rst index db0c6009c..81b6ec54e 100644 --- a/docs/admin/deployment/deployment_practices.rst +++ b/docs/admin/deployment/deployment_practices.rst 
@@ -12,7 +12,7 @@ The deployment section here covers a variety of tasks an administrator might need to perform to successfully deploy SecureDrop, depending on organizational needs and requirements. -Certain topics, such as creating a landing page and onboarding *Journalists*, are +Certain topics, such as creating a *Landing Page* and onboarding *Journalists*, are universal to all SecureDrop instances. Other topics are optional, and are only needed if they fit in with the organization's security policies and newsroom workflows. diff --git a/docs/admin/deployment/https_source_interface.rst b/docs/admin/deployment/https_source_interface.rst index aa4e83713..cfaba3710 100644 --- a/docs/admin/deployment/https_source_interface.rst +++ b/docs/admin/deployment/https_source_interface.rst @@ -61,7 +61,7 @@ involves: 2. Submitting the CSR to DigiCert. (This CSR demonstrates control over the private key used for HTTPS.) 3. Scheduling a phone call and verifying your relationship to the organization. 4. Generating another CSR, using a custom tool, leveraging the *Onion Service* private key. -5. Submitting the second CSR to DigiCert. (This CSR demonstrates control over the private key for the onion service.) +5. Submitting the second CSR to DigiCert. (This CSR demonstrates control over the private key for the *Onion Service*.) 6. Downloading the certificate from the DigiCert panel. 7. Installing the cert on the SecureDrop *Application Server*, via ``securedrop-admin``. diff --git a/docs/admin/deployment/landing_page.rst b/docs/admin/deployment/landing_page.rst index 342c45e8d..f50da9643 100644 --- a/docs/admin/deployment/landing_page.rst +++ b/docs/admin/deployment/landing_page.rst 
@@ -17,7 +17,7 @@ your organization. .. note:: SecureDrop will bring more attention to your organization from security researchers and others. A *Landing Page* that fails to implement minimum security requirements is sure to be noticed, and - could undermine trust, discouraging possible Sources. + could undermine trust, discouraging possible *Sources*. *Landing Page* content suggestions ---------------------------------- @@ -105,7 +105,7 @@ The SecureDrop directory SecureDrop `maintains a directory of instances that meet our strict guidelines. `__ If you would like to be considered for -inclusion in this directory, make sure your landing page features the necessary +inclusion in this directory, make sure your *Landing Page* features the necessary items from the sample above, and is in compliance with the technical requirements below, then `send us a request using this form. `__ @@ -416,7 +416,7 @@ monitoring system for your site, OSSEC is a free and open source host-based intr that includes a file integrity monitor. More information can be found `here. `__ -.. note:: We do not recommmend using the *Monitor Server* to monitor your landing page. It should be used +.. note:: We do not recommmend using the *Monitor Server* to monitor your *Landing Page*. It should be used for the *Application Server* only. Don't log access to the *Landing Page* in the webserver diff --git a/docs/admin/deployment/tor_pow.rst b/docs/admin/deployment/tor_pow.rst index b20f2cccc..2e3977149 100644 --- a/docs/admin/deployment/tor_pow.rst +++ b/docs/admin/deployment/tor_pow.rst 
@@ -35,7 +35,7 @@ To enable it on an existing SecureDrop instance, on the *Admin VM*: The prompts will include:: - Enable Tor's proof-of-work defense against denial-of-service attacks for the Source Interface?: yes + Enable Tor's proof-of-work defense against denial-of-service attacks for the *Source Interface*?: yes Type to accept the new default ``yes`` value. When you finish the prompts, rerun the installation script:: @@ -54,4 +54,4 @@ Disabling the proof-of-work-defense Follow the instructions above for :ref:`enabling the proof-of-work defense `, but answer ``no`` at the prompt:: - Enable Tor's proof-of-work defense against denial-of-service attacks for the Source Interface?: no + Enable Tor's proof-of-work defense against denial-of-service attacks for the *Source Interface*?: no diff --git a/docs/admin/installation/create_admin_account.rst b/docs/admin/installation/create_admin_account.rst index ce22c3f98..bf0ff15fe 100644 --- a/docs/admin/installation/create_admin_account.rst +++ b/docs/admin/installation/create_admin_account.rst @@ -47,7 +47,7 @@ output like this: .. highlight:: none .. code:: - This journalist's passphrase is: delivery propose requisite stunner dragonfly unstamped stowaway + This *Journalist*'s passphrase is: delivery propose requisite stunner dragonfly unstamped stowaway Passphrases include the spaces between the words, but not leading or trailing whitespace. Be sure to save this passphrase in the appropriate KeePassXC database. diff --git a/docs/admin/installation/email_alerts.rst b/docs/admin/installation/email_alerts.rst index ff728fa4f..1219b5797 100644 --- a/docs/admin/installation/email_alerts.rst +++ b/docs/admin/installation/email_alerts.rst 
@@ -5,8 +5,8 @@ SecureDrop sends different alerts by PGP-encrypted email. Before installing Secu .. _daily_journalist_alerts: -Optional: daily journalist alerts -------------------------------------------- +Optional: Daily journalist alerts +--------------------------------- When a SecureDrop has little activity and receives only a few submissions every other week, checking daily only to find there is nothing is a burden. It is more convenient for *Journalists* to be notified daily via encrypted email about whether or not there has been submission activity in the past 24 hours. @@ -34,7 +34,7 @@ If you wish to enable this, you will need: - the *Journalist Alert Public Key* - the *Journalist Alert Public Key* fingerprint -Daily Journalist Alerts can be configured during or after installation. +Daily journalist alerts can be configured during or after installation. .. _ossec_guide: diff --git a/docs/admin/installation/install.rst b/docs/admin/installation/install.rst index b7a986522..9c0a708a3 100644 --- a/docs/admin/installation/install.rst +++ b/docs/admin/installation/install.rst @@ -100,10 +100,10 @@ continuing: can add more later) - the username of the system admin -If configuring Daily Journalist Alert emails (this is optional and can be configured later), you will also need: +If configuring daily journalist alert emails (this is optional and can be configured later), you will also need: - the *Journalist Alert Public Key* - the *Journalist Alert Public Key* fingerprint -- the email address that will receive the journalist alerts +- the email address that will receive the daily journalist alerts Localization of the *Source Interface* and *Journalist Interface* ----------------------------------------------------------------- 
@@ -118,7 +118,7 @@ list of supported languages to display using the codes shown in parentheses. .. note:: With a *Source Interface* displayed in French (for example), *Sources* - submitting documents are likely to expect a journalist fluent in + submitting documents are likely to expect a *Journalist* fluent in French to be available to read the documents and follow up in that language. diff --git a/docs/admin/installation/installation_overview.rst b/docs/admin/installation/installation_overview.rst index ccc8900dd..96e8ca9d5 100644 --- a/docs/admin/installation/installation_overview.rst +++ b/docs/admin/installation/installation_overview.rst @@ -4,7 +4,7 @@ Installation overview Migrating from a Tails-based SecureDrop --------------------------------------- -If you are migrating from an older SecureDrop, using the separate Tails-based Secure Viewing Station, journalist workstation* and admin workstation USB flash drives, then skip to the :ref:`Migration Overview`. +If you are migrating from an older SecureDrop, using the separate Tails-based *Secure Viewing Station*, *Journalist workstation* and *Admin Workstation* USB flash drives, then skip to the :ref:`Migration Overview`. Setting expectations -------------------- diff --git a/docs/admin/installation/set_up_keepassxc.rst b/docs/admin/installation/set_up_keepassxc.rst index fbf3289ec..2f22c125e 100644 --- a/docs/admin/installation/set_up_keepassxc.rst +++ b/docs/admin/installation/set_up_keepassxc.rst @@ -61,8 +61,8 @@ the template are: **Journalist**: -- Auth Value: Journalist Interface -- Onion URL: Journalist Interface +- Auth Value: *Journalist Interface* +- Onion URL: *Journalist Interface* - Personal GPG Key - SecureDrop Login Credentials diff --git a/docs/admin/maintenance/decommission.rst b/docs/admin/maintenance/decommission.rst index 1aa07df60..0a56850ac 100644 --- a/docs/admin/maintenance/decommission.rst +++ b/docs/admin/maintenance/decommission.rst 
@@ -26,10 +26,10 @@ extreme circumstances, temporarily take it down. If you decide to take down your SecureDrop instance, we recommend the following steps: 1. Consult with *Journalists* using the system, to ensure that any active - sources are aware of the situation, and that source conversations can + *Sources* are aware of the situation, and that source conversations can either be paused or continued via other means. 2. Update your SecureDrop *Landing Page* (typically a “send us tips” page, - or a page linked from there) to let prospective sources know that the + or a page linked from there) to let prospective *Sources* know that the outage is coming, and optionally to redirect them to other contact methods, such as a shared Signal tipline. 3. :doc:`Back up your servers <../maintenance/backup_and_restore>`. @@ -115,7 +115,7 @@ SecureDrop instance. data. .. caution:: Be **very** sure you are reformatting the right drive. - You may want to use the Secure Viewing Station laptop for this procedure + You may want to use the *Secure Viewing Station* laptop for this procedure to reduce the risk of accidentally erasing a drive on your regular-use machine. diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 64e83aed2..608e3d7ad 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -271,7 +271,7 @@ using the command: curl http://$(cat /tmp/sourcev3)/metadata Next, note the OSSEC Alerts email address (``OSSEC_EMAIL``) and, if applicable, -the journalist alerts email address (``JOURNALIST_EMAIL``): +the daily journalist alerts email address (``JOURNALIST_EMAIL``): .. code:: sh 
@@ -286,7 +286,7 @@ appropriate email address for ``alerts@example.com``): ssh mon sudo gpg --homedir=/var/ossec/.gnupg --export --armor alerts@example.com > ossec.pub gpg --import ossec.pub -If a journalist alerts address has been configured, repeat this step for the +If a daily journalist alerts address has been configured, repeat this step for the *Journalist Alert Public Key*, naming it ``journalist.pub`` or similar. You will require the fingerprints for these keys during the next step, which you diff --git a/docs/admin/migration/admin_migration.rst b/docs/admin/migration/admin_migration.rst index 89637cf75..49fe28eb6 100644 --- a/docs/admin/migration/admin_migration.rst +++ b/docs/admin/migration/admin_migration.rst @@ -47,7 +47,7 @@ Install tasks: Import KeePassXC database ~~~~~~~~~~~~~~~~~~~~~~~~~ -If you have a KeePassXC database on your Tails-based Admin Workstation USB flash drive, you should copy it to the ``vault`` VM on the new Qubes-based *Admin-Workstation*. +If you have a KeePassXC database on your Tails-based *Admin Workstation* USB flash drive, you should copy it to the ``vault`` VM on the new Qubes-based *Admin-Workstation*. Qubes OS comes with the KeePassXC password manager preinstalled in the ``vault`` VM. 
@@ -59,26 +59,26 @@ Qubes OS comes with the KeePassXC password manager preinstalled in the ``vault`` Configure SecureDrop Workstation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct SecureDrop server details and *Submission Private Key* from your Tails-based Journalist Workstation and Secure Viewing Station USB flash drives. +Now that your new Qubes-based *Admin-Workstation* is prepared, you can proceed with importing the correct SecureDrop server details and *Submission Private Key* from your Tails-based *Journalist Workstation* and *Secure Viewing Station* USB flash drives. Import *Submission Private Key* ------------------------------- In order to decrypt submissions, you will need a copy of the `*Submission Private Key* `_ -from your SecureDrop instance's Secure Viewing Station. +from your SecureDrop instance's *Secure Viewing Station*. -To protect this key and preserve the air gap, you will need to connect the Secure Viewing Station USB flash drive to a Qubes VM with no network access, and copy it from there to ``dom0``. You cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below: +To protect this key and preserve the air gap, you will need to connect the *Secure Viewing Station* USB flash drive to a Qubes VM with no network access, and copy it from there to ``dom0``. You cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below: -- First, use the network manager widget in the upper right panel to disable your network connection. These instructions refer to the ``vault`` VM, which has no network access by default, but if the Secure Viewing Station is attached to another VM by mistake, this will offer some protection against exfiltration. +- First, use the network manager widget in the upper right panel to disable your network connection. 
These instructions refer to the ``vault`` VM, which has no network access by default, but if the *Secure Viewing Station* is attached to another VM by mistake, this will offer some protection against exfiltration. - Next, choose |qubes_menu| **▸ Apps ▸ vault ▸ Thunar File Manager** to open the file manager in the ``vault`` VM. -- Connect the Secure Viewing Station USB flash drive to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be three entries for the USB flash drive in the section titled **Data (Block) Devices**. Choose the *unlabeled* entry (*not* the one labeled "TAILS") annotated with a ``sys-usb`` text that ends with a number, like ``sys-usb:sdb2``. That is the persistent volume. +- Connect the *Secure Viewing Station* USB flash drive to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be three entries for the USB flash drive in the section titled **Data (Block) Devices**. Choose the *unlabeled* entry (*not* the one labeled "TAILS") annotated with a ``sys-usb`` text that ends with a number, like ``sys-usb:sdb2``. That is the persistent volume. |Attach TailsData| -- In the the ``vault`` file manager, select the persistent volume's listing in the lower left sidebar. It will be named ``N GB encrypted``, where N is the size of the persistent volume. Enter the Secure Viewing Station persistent volume passphrase to unlock and mount it. When asked if you would like to forget the password immediately or remember it until you logout, choose the option to **Forget password immediately**. +- In the the ``vault`` file manager, select the persistent volume's listing in the lower left sidebar. It will be named ``N GB encrypted``, where N is the size of the persistent volume. Enter the *Secure Viewing Station* persistent volume passphrase to unlock and mount it. 
When asked if you would like to forget the password immediately or remember it until you logout, choose the option to **Forget password immediately**. .. note:: @@ -97,7 +97,7 @@ To protect this key and preserve the air gap, you will need to connect the Secur .. note:: If there are multiple keys present on the device, ``sdw-admin --configure`` will print the fingerprints of those keys for you to select which to use as the *Submission Private Key*. You can open ``.onion/metadata`` in Tor Browser on another network-connected computer to check the correct key fingerprint used by your SecureDrop instance. -- Once the *Submission Private Key* import is complete, in the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the Secure Viewing Station USB flash drive. +- Once the *Submission Private Key* import is complete, in the ``vault`` file manager, right-click on the **TailsData** sidebar entry, then select **Unmount** and disconnect the *Secure Viewing Station* USB flash drive. - If you were prompted for a passphrase during import, you will now need to remove the passphrase on ``sd-journalist.sec``. See :doc:`/admin/migration/removing_gpg_passphrase`. 
@@ -144,11 +144,11 @@ In order to set up KeePassXC for easy use: .. important:: - The password database from the Tails-based Admin Workstation contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based Journalist Workstation USB flash drive. + The password database from the Tails-based *Admin Workstation* contains sensitive credentials not required by *Journalists*. Make sure to copy the credentials from the Tails-based *Journalist Workstation* USB flash drive. In order to copy a *Journalist*'s login credentials: -- If a Tails-based Journalist Workstation USB flash drive is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. +- If a Tails-based *Journalist Workstation* USB flash drive is not currently attached, connect it, attach it to the ``vault`` VM, open it in the file manager, and enter its encryption passphrase. - Locate the password database. It should be in the ``Persistent`` directory, and will typically be named ``keepassx.kdbx`` or similar. @@ -197,7 +197,7 @@ If importing the *Submission Private Key* using ``sdw-admin --configure`` fails head -n 1 /tmp/sd-journalist.sec -- Unmount the Secure Viewing Station USB flash drive. +- Unmount the *Secure Viewing Station* USB flash drive. - Run the following command in the ``dom0`` terminal: diff --git a/docs/admin/reference/admin_interface.rst b/docs/admin/reference/admin_interface.rst index dc1377516..6621786f2 100644 --- a/docs/admin/reference/admin_interface.rst +++ b/docs/admin/reference/admin_interface.rst @@ -1,5 +1,5 @@ -The admin interface -=================== +The *Admin Interface* +===================== The *Admin Interface* is an extended version of the *Journalist Interface*, that allows you to manage users and configure the appearance and behaviour of your 
@@ -10,7 +10,7 @@ Logging in To log in to the *Admin Interface*, start the *Admin Workstation* with persistence enabled. Open the *SecureDrop Menu* and select the -"Launch Journalist Interface" option. Tor Browser will start and load the login +**Launch Journalist Interface** option. Tor Browser will start and load the login page for the *Journalist Interface*. Use your username, passphrase, and *Two-Factor Authentication* token to log in. @@ -273,7 +273,7 @@ to protect their codename and keep it secret. To remove this restriction, unchec checkbox and click **Update Submission Preferences**. .. |Reset Passphrase| image:: ../../images/manual/screenshots/journalist-edit_account_user.png - :alt: The account editing form allows admins to change name, reset passphrase, and reset two-factor authentication. + :alt: The account editing form allows admins to change name, reset passphrase, and reset *Two-Factor Authentication*. .. |Test Alert| image:: ../../images/manual/screenshots/journalist-admin_ossec_alert_button.png :alt: The Instance Configuration form displays 'Test alert sent' after a test OSSEC alert was sent successfully. .. |SecureDrop main page| image:: ../../images/manual/screenshots/journalist-admin_index_no_documents.png diff --git a/docs/admin/reference/offboarding.rst b/docs/admin/reference/offboarding.rst index 56708109a..c7695f97f 100644 --- a/docs/admin/reference/offboarding.rst +++ b/docs/admin/reference/offboarding.rst @@ -134,7 +134,7 @@ Rotate the *Submission Key* .. TODO Update instructions for Qubes The *Submission Private Key* is held on the airgapped *Secure Viewing Station*, -and is not normally accessed by SecureDrop users anywhere but on the *SVS*. +and is not normally accessed by SecureDrop users anywhere but on the *Secure Viewing Station*. Therefore, we recommend rotating the *Submission Key* under the following circumstances: 
diff --git a/docs/admin/reference/securedrop_admin.rst b/docs/admin/reference/securedrop_admin.rst index 92fc39a70..28abcf1da 100644 --- a/docs/admin/reference/securedrop_admin.rst +++ b/docs/admin/reference/securedrop_admin.rst @@ -73,7 +73,7 @@ At any time during and after initial setup, you can choose from a list of supported languages to display using the codes shown in parentheses. .. note:: With a *Source Interface* displayed in French (for example), *Sources* - submitting documents are likely to expect a Journalist fluent in + submitting documents are likely to expect a *Journalist* fluent in French to be available to read the documents and follow up in that language. diff --git a/docs/admin/reference/ssh_access.rst b/docs/admin/reference/ssh_access.rst index 8e98edc73..cbecb5e24 100644 --- a/docs/admin/reference/ssh_access.rst +++ b/docs/admin/reference/ssh_access.rst @@ -121,7 +121,7 @@ Adding users (CLI) ^^^^^^^^^^^^^^^^^^ After the provisioning of the first admin account, we recommend -using the Admin Interface web application for adding additional journalist +using the *Admin Interface* web application for adding additional journalist and admin accounts. However, you can also add users via ``./manage.py`` in ``/var/www/securedrop/`` diff --git a/docs/admin/workstation_reference/backup.rst b/docs/admin/workstation_reference/backup.rst index 5e66fb21d..4efffd3d1 100644 --- a/docs/admin/workstation_reference/backup.rst +++ b/docs/admin/workstation_reference/backup.rst @@ -1,7 +1,7 @@ Backup and restore ================== -.. TODO possibly need distinct backup and restore instructions for Qubes-based Admin and Journalist Workstations? Possibly not? +.. TODO possibly need distinct backup and restore instructions for Qubes-based Admin and *Journalist Workstation*s? Possibly not? Qubes OS has a `backup utility `_ that allows for backup and restoration of user-specified VMs and templates. 
diff --git a/docs/appendices/glossary.rst b/docs/appendices/glossary.rst index 5316336e6..804fa7ebb 100644 --- a/docs/appendices/glossary.rst +++ b/docs/appendices/glossary.rst @@ -24,7 +24,7 @@ may only connect to this server using Tor. Export Device ------------- -The *Export Device* is the physical media (e.g., designated USB flash drive) used to transfer decrypted documents from the Secure Viewing Station to a journalist's everyday workstation, or to another computer for additional processing. +The *Export Device* is the physical media (e.g., designated USB flash drive) used to transfer decrypted documents from the *Secure Viewing Station* to a *Journalist*'s everyday workstation, or to another computer for additional processing. Please see the detailed security recommendations for the choice, configuration and use of your *Export Device* in the :doc:`journalist` guide and in the :doc:`setup guide`. @@ -32,7 +32,7 @@ Journalist ---------- The *Journalist* uses SecureDrop to communicate with and download documents -submitted by the *Source*. Journalists do this by using the *SecureDrop +submitted by the *Source*. *Journalists* do this by using the *SecureDrop Workstation*. If a *Journalist* chooses to release any of these documents, @@ -123,7 +123,7 @@ Instructions for using SecureDrop as a *Source* are available in our Source Interface ---------------- -The *Source Interface* is the website that sources will access to +The *Source Interface* is the website that *Sources* will access to submit documents and communicate with *Journalists*. This site is hosted on the *Application Server* and can only be accessed through Tor. diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index 564de1b9e..b230a376a 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst 
@@ -190,8 +190,8 @@ Attacks on network infrastructure - apt server man-in-the-middle used to serve old or malicious packages - SecureDrop apt servers are compromised, or apt server man-in-the middle attack injects malicious packages - News Organization network is compromised -- OSSEC and/or journalist alert SMTP account credentials compromised -- OSSEC and/or journalist alert private key compromised +- OSSEC and/or daily journalist alert SMTP account credentials compromised +- OSSEC and/or daily journalist alert private key compromised - SMTP relay compromised - Admin's network is monitored 
@@ -223,14 +223,14 @@ Attacks on user behavior or hardware - SecureDrop installer misconfigures server/firewall hardware - *Source* uses tor2web or employer/corporate device - *Source* shares that they are using SecureDrop/leaking documents -- *Journalist*/administrator gets phished from a submission or otherwise breaks the SVS airgap with malware +- *Journalist*/administrator gets phished from a submission or otherwise breaks the *Secure Viewing Station* airgap with malware Countermeasures in user behavior recommendations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - :doc:`Source Guide ` gives instructions on best practices for the entire submission workflow - *Source Interface* banner suggests that user disables JS (high security settings in Tor Browser) - :doc:`Journalist Guide ` informs users of malware risks, the importance of strict compartmentalization of SecureDrop-related activities -- :doc:`SecureDrop Deployment Guide ` gives best practices for proper administration of the SecureDrop system, and its public-facing properties like the Landing Page +- :doc:`SecureDrop Deployment Guide ` gives best practices for proper administration of the SecureDrop system, and its public-facing properties like the *Landing Page* - :doc:`Admin Guide ` gives instructions for long-term maintenance of the technical properties of the SecureDrop system, as well as operations to support *Journalists* - All adminsitrator tasks are completed over Tor/Tor authenticated *Onion Services* after installation - Any journalist/admin password/2FA credentials resets can only be done by an administrator with password-protected SSH capability or authenticated *Onion Service* credentials. diff --git a/docs/appendices/threat_model/threat_model.rst b/docs/appendices/threat_model/threat_model.rst index fa7525f41..ef34d211c 100644 --- a/docs/appendices/threat_model/threat_model.rst +++ b/docs/appendices/threat_model/threat_model.rst 
@@ -23,7 +23,7 @@ Users ~~~~~ The following table of the users who interact with the SecureDrop web application. -Note that the airgapped SVS with the GPG *Submission Key* is required to decrypt +Note that the airgapped *Secure Viewing Station* with the GPG *Submission Key* is required to decrypt submissions or messages. +------------------+----------+-------------------------------------------------+ @@ -105,7 +105,7 @@ deployment, please visit the | Workstation | * Tails USB with persistence volume | +------------------+------------------------------------------------------------+ | Secure Viewing | * Airgapped and stripped-down laptop | -| Station (SVS) | * Tails USB with persistence volume | +| Station | * Tails USB with persistence volume | +------------------+------------------------------------------------------------+ Assumptions 
@@ -113,25 +113,25 @@ Assumptions The following assumptions are accepted in the threat model of every SecureDrop project: -Assumptions about the source -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Assumptions about the *Source* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- The source acts reasonably and in good faith, e.g. if the source were to give their credentials or private key material to the attacker that would be unreasonable. -- The source would like to remain anonymous, even against a forensic +- The *Source* acts reasonably and in good faith, e.g. if the *Source* were to give their credentials or private key material to the attacker that would be unreasonable. +- The *Source* would like to remain anonymous, even against a forensic attacker. -- The source obtains an authentic copy of Tails and Tor Browser. -- The source follows our :doc:`guidelines ` +- The *Source* obtains an authentic copy of Tails and Tor Browser. +- The *Source* follows our :doc:`guidelines ` for using SecureDrop. -- The source is accessing an authentic SecureDrop site. +- The *Source* is accessing an authentic SecureDrop site. -Assumptions about the admin and the journalist -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Assumptions about the admin and the *Journalist* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- The admin and the journalist act reasonably and in good faith, e.g. +- The admin and the *Journalist* act reasonably and in good faith, e.g. if either of them were to give their credentials or private key material to the attacker that would be unreasonable. -- The admin and the journalist obtain authentic copies of Tails. -- The journalist follows our +- The admin and the *Journalist* obtain authentic copies of Tails. +- The *Journalist* follows our :doc:`guidelines ` for using SecureDrop and working with submitted documents. 
@@ -147,7 +147,7 @@ Assumptions about the person installing SecureDrop up the :ref:`landing page ` for the organization, and for :doc:`installing SecureDrop `. -Assumptions about the source's computer +Assumptions about the *Source*'s computer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The computer correctly executes Tails or Tor Browser. @@ -158,13 +158,13 @@ Assumptions about the *Admin Workstation* and the *Journalist Workstation* - The computer correctly executes Tails. - The computer and the Tails device are not compromised by malware. -- The two-factor authentication device used with the workstation are +- The *Two-Factor Authentication* device used with the workstation are not compromised by malware. Assumptions about the *Secure Viewing Station* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- The computer is airgapped. +- The computer is airgapped.Onion - The computer correctly executes Tails. - The computer and the Tails device are not compromised by malware. 
@@ -179,15 +179,15 @@ Assumptions about the SecureDrop hardware Assumptions about the organization hosting SecureDrop ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- The organization wants to preserve the anonymity of its sources. -- The organization acts in the interest of allowing sources to submit +- The organization wants to preserve the anonymity of its *Sources*. +- The organization acts in the interest of allowing *Sources* to submit documents, regardless of the contents of these documents. - The users of the system, and those with physical access to the servers, can be trusted to uphold the previous assumptions unless the entire organization has been compromised. - The organization is prepared to push back on any and all requests to compromise the integrity of the system and its users, including - requests to deanonymize sources, block document submissions, or hand + requests to deanonymize *Sources*, block document submissions, or hand over encrypted or decrypted submissions. Assumptions about the world @@ -197,7 +197,7 @@ Assumptions about the world valid. - The security assumptions of scrypt with randomly-generated salts are valid. -- The security/anonymity assumptions of Tor and the onion service +- The security/anonymity assumptions of Tor and the *Onion Service* protocol are valid. - The security assumptions of the Tails operating system are valid. - The security assumptions of SecureDrop dependencies, specifically 
@@ -239,32 +239,32 @@ What a compromise of the *Application Server* can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The server sees the plaintext codename, used as the login identifier, - of every source. -- The server sees all HTTP requests made by the source, the admin, and - the journalist. -- The server sees the plaintext submissions of every source. -- The server sees the plaintext communication between journalists and - their sources. -- The server stores the onion service private key for the source interface. + of every *Source*. +- The server sees all HTTP requests made by the*Source*, the admin, and + the *Journalist*. +- The server sees the plaintext submissions of every *Source*. +- The server sees the plaintext communication between *Journalists* and + their *Sources*. +- The server stores the onion service private key for the *Source* interface. - The server stores the onion service private key and authentication token for - the Journalist interface. + the *Journalist Interface*. - The server stores and (optional) TLS private key and certificate (if HTTPS - is enabled on the source interface) + is enabled on the *Source* interface) - The server stores hashes of codenames, created with scrypt and randomly-generated salts. - The server stores journalist password hashes, created with script and randomly-generated salts, as well as TOTP seeds. - The server stores only encrypted submissions and communication on disk. -- The server stores a GPG key for each source, with the source's +- The server stores a GPG key for each *Source*, with the *Source*'s codename as the passphrase. - The server may `store plaintext submissions in memory for at most 24 hours `__. - The server stores sanitized Tor logs, created using the `SafeLogging option `__, for the *Source Interface*, the *Journalist Interface*, and SSH. -- The server stores both access and error logs for the Journalist - Interface. 
+- The server stores both access and error logs for the *Journalist + Interface*. - The server stores connection history and audit logs for the admin. - The server can connect to the *Monitor Server* using an SSH key and a passphrase. 
@@ -306,51 +306,51 @@ What a compromise of the workstations can surrender GPG key, as well as a :doc:`database with the passphrase ` for that key. -What a compromise of the source's property can surrender +What a compromise of the *Source*'s property can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Use of `Tor Browser will leave traces `__ - that can be discovered through a forensic analysis of the source's + that can be discovered through a forensic analysis of the *Source*'s property following either a compromise or physical seizure. Unless - the compromise or seizure happens while the source is submitting + the compromise or seizure happens while the *Source* is submitting documents to SecureDrop, the traces will not include information about sites visited or actions performed in the browser. - Use of Tails with a persistent volume will leave traces on the device the operating system was installed on. Unless the compromise or - seizure happens while the source is submitting documents to + seizure happens while the *Source* is submitting documents to SecureDrop, or using the persistent volume, the traces will not include information about sites visited or actions performed in the browser or on the system. -- SecureDrop 0.3 encourages sources to protect their codenames by - memorizing them. If a source cannot memorize the codename right away, +- SecureDrop 0.3 encourages *Sources* to protect their codenames by + memorizing them. If a *Source* cannot memorize the codename right away, we recommend writing it down and keeping it in a safe place at first, - and gradually working to memorize it over time. Once the source has + and gradually working to memorize it over time. Once the *Source* has memorized it, they should destroy the written copy. If the - source does write down the codename, a compromise or physical seizure - of the source's property may result in the attacker obtaining the - source's codename. 
+ *Source* does write down the codename, a compromise or physical seizure + of the *Source*'s property may result in the attacker obtaining the + *Source*'s codename. - An attacker with access to the **source's codename** can: - - Show that the source has visited the SecureDrop site, but not + - Show that the *Source* has visited the SecureDrop site, but not necessarily submitted anything. - Upload new documents or submit messages. - - Communicate with the journalist as that source. - - See any replies from journalists that the source has not yet + - Communicate with the *Journalist* as that *Source*. + - See any replies from *Journalists* that the *Source* has not yet deleted. -What a physical seizure of the source's property can surrender +What a physical seizure of the *Source*'s property can surrender ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Document use of Tor or Tails, but not necessarily research into SecureDrop -- Prevent the source from submitting documents by taking the device the +- Prevent the *Source* from submitting documents by taking the device the documents are stored on. - If the property is seized while powered on, the attacker can also analyze any plaintext information that resides in RAM. - Tamper with the hardware. -- A physical seizure of, and access to, the source's codename will - allow the attacker to access the Source Interface as that source. +- A physical seizure of, and access to, the *Source*'s codename will + allow the attacker to access the *Source Interface* as that *Source*. - A physical seizure of the admin's property will allow the attacker to: 
@@ -363,7 +363,7 @@ What a physical seizure of the source's property can surrender analyze any plaintext information that resides in RAM. - A physical seizure of, and access to, the admin's Tails persistent - volume, password database, and two-factor authentication device will + volume, password database, and *Two-Factor Authentication* device will allow the attacker to access both servers and the *Journalist Interface*. What compromise of the admin's property can surrender @@ -371,7 +371,7 @@ What compromise of the admin's property can surrender - To access the *Journalist Interface*, the *Application Server*, or the *Monitor Server*, the attacker needs to obtain the admin's login - credentials and the admin's two-factor authentication device. Unless + credentials and the admin's *Two-Factor Authentication* device. Unless the attacker has physical access to the servers, the attacker will also need to obtain the onion service values for the Interface and the servers. This information is stored in a password-protected 
@@ -401,28 +401,28 @@ What compromise of the admin's property can surrender - An attacker with admin access to the *Journalist Interface* can: - Add, modify, and delete journalist users. - - Change the codenames associated with sources within the Interface. + - Change the codenames associated with *Sources* within the Interface. - Download, but not decrypt, submissions. - - Communicate with sources. + - Communicate with *Sources*. - Delete one or more submissions. - - Delete one or more sources, which destroys all communication with - that source and prevents the source from ever logging back in with + - Delete one or more *Sources*, which destroys all communication with + that *Source* and prevents the *Source* from ever logging back in with that codename. - An attacker with admin access to the *Application Server* can: - Add, modify, and delete software, configurations, and other files. - - See all HTTP requests made by the source, the admin, and the - journalist. - - See the plaintext codename of a source as they are logging in. - - See the plaintext communication between a source and a journalist + - See all HTTP requests made by the *Source*, the admin, and the + *Journalist*. + - See the plaintext codename of a *Source* as they are logging in. + - See the plaintext communication between a *Source* and a *Journalist* as it happens. - See the stored list of hashed codenames. - Access the GPG public key used to encrypt communications between a - journalist and a source. + *Journalist* and a *Source*. - Download stored, encrypted submissions and replies from the - journalists. - - Decrypt replies from the journalists if the source's codename, and + *Journalists*. + - Decrypt replies from the *Journalists* if the *Source*'s codename, and thus the passphrase, is known. - Analyze any plaintext information that resides in RAM, which may include plaintext of submissions made within the past 24 hours. 
@@ -450,55 +450,55 @@ What a physical seizure of the admin's property can achieve - If the property is seized while powered on, the attacker can also analyze any plaintext information that resides in RAM. - A physical seizure of, and access to, the admin's Tails persistent - volume, password database, and two-factor authentication device will + volume, password database, and *Two-Factor Authentication* device will allow the attacker to access both servers and the *Journalist Interface*. -What a compromise of the journalist's property can achieve +What a compromise of the *Journalist*'s property can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - To access the *Journalist Interface*, the attacker needs to obtain the - journalist's login credentials and the journalist's two-factor - authentication device or seed. Unless the attacker has physical access to the + *Journalist*'s login credentials and the *Journalist*'s *Two-Factor + Authentication* device or seed. Unless the attacker has physical access to the server, the attacker will also need to obtain the onion service - value for the Interface. This information is stored in a + value for the *Interface*. This information is stored in a password-protected database in a persistent volume on the - journalist's Tails device. The volume is protected by a passphrase. - If the journalist's two-factor authentication device is a mobile + *Journalist*'s Tails device. The volume is protected by a passphrase. + If the *Journalist*'s *Two-Factor Authentication* device is a mobile phone, this will also be protected by a passphrase. -- An attacker with access to the **journalist's computer** can: +- An attacker with access to the *Journalist*'s computer can: - Access any stored, decrypted documents taken off the Secure Viewing Station. - An attacker with access to the **persistent volume** on the - journalist's Tails device can: + *Journalist*'s Tails device can: - Add, modify, and delete files on the volume. 
- Access the onion service values used by the *Journalist Interface*. - Access SSH keys and passphrases for the *Application Server* and the *Monitor Server*. -- An attacker with journalist access to the *Journalist Interface* can: +- An attacker with *Journalist* access to the *Journalist Interface* can: - - Change the codenames associated with sources within the interface. + - Change the codenames associated with *Sources* within the interface. - Download, but not decrypt, submissions. - Delete one or more submissions. - - Communicate with sources. - - If the journalist has admin privileges on SecureDrop, they can create new - journalist accounts. + - Communicate with *Sources*. + - If the *Journalist* has admin privileges on SecureDrop, they can create new + *Journalist* accounts. -What a physical seizure of the journalist's property can achieve +What a physical seizure of the *Journalist*'s property can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Tamper with the hardware. -- Prevent the journalist from working on SecureDrop for some period of +- Prevent the *Journalist* from working on SecureDrop for some period of time. - Access any stored, decrypted documents taken off the Secure Viewing Station. - If the property is seized while powered on, the attacker can also analyze any plaintext information that resides in RAM. -- A physical seizure of, and access to, the journalist's Tails - persistent volume, password database, and two-factor authentication +- A physical seizure of, and access to, the *Journalist*'s Tails + persistent volume, password database, and *Two-Factor Authentication* device will allow the attacker to access the *Journalist Interface*. What a compromise of the *Application Server* can achieve 
@@ -531,10 +531,10 @@ What a compromise of the *Application Server* can achieve configuration files. - View, modify, and delete both access and error logs for the *Journalist Interface*. - - View any HTTP requests made by the source, the admin, and the - journalist in that moment. This includes seeing plaintext + - View any HTTP requests made by the *Source*, the admin, and the + *Journalist* in that moment. This includes seeing plaintext codenames, submissions, and communications. - - Add and delete communications between a journalist and a source by + - Add and delete communications between a *Journalist* and a *Source* by writing to the database. - An attacker with access to the **root** user can: @@ -575,7 +575,7 @@ What a compromise of the *Monitor Server* can achieve - View all ossec logs and alerts on disk. - Modify the ossec configuration. - - Send (or suppress) emails to administrators and journalists. + - Send (or suppress) emails to administrators and *Journalists*. - An attacker with access to the **root** user can: @@ -595,7 +595,7 @@ What a physical seizure of the *Monitor Server* can achieve RAM. The attacker can also tamper with the hardware. - If the *Monitor Server* is no longer online or tampered with, this will have an effect on the quantity and accuracy of notifications sent to - admins or journalists. + admins or *Journalists*. What a compromise of the *Secure Viewing Station* can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -642,8 +642,8 @@ What a physical seizure of the *Secure Viewing Station* can achieve decrypted form on the *Secure Viewing Station*, or if the *Export Device* is in use. -What a local network attacker can achieve against the source, admin, or journalist -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +What a local network attacker can achieve against the *Source*, admin, or *Journalist* +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A local network can observe when they are using Tor. - A local network can block Tor and prevent them from accessing 
@@ -653,35 +653,35 @@ What a local network attacker can achieve against the source, admin, or journali `research suggests this is very difficult `__. -What a global adversary can achieve against the source, admin, or journalist +What a global adversary can achieve against the *Source*, admin, or *Journalist* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A global adversary capable of observing all Internet traffic may have more luck than the local network attacker in deducing use of SecureDrop by looking at request sizes, plaintext uploads and encrypted downloads. -- A global adversary may be able to link a source to a specific +- A global adversary may be able to link a *Source* to a specific SecureDrop server. -- A global adversary may be able to link a source to a specific - journalist. +- A global adversary may be able to link a *Source* to a specific + *Journalist*. - A global adversary may be able to correlate data points during a leak investigation, including looking at who has read up on SecureDrop and who has used Tor. - A global adversary may be able to forge an SSL certificate and use it to spoof an organization's HTTPS *Landing Page*, thereby tricking the - source into visiting a fake SecureDrop site. + *Source* into visiting a fake SecureDrop site. What a random person on the internet can achieve ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A random person can attempt to DoS the SecureDrop server and - overwhelm the journalists by generating a high number of codenames + overwhelm the *Journalists* by generating a high number of codenames and uploading many large documents. - A random person can submit empty, forged, or inaccurate documents. - A random person can submit malicious documents, e.g. malware that will attempt to compromise the *Secure Viewing Station*. - A random person can attempt to get sensitive information from a - SecureDrop user's browser session, such as the source's codename. 
+ SecureDrop user's browser session, such as the *Source*'s codename. - A random person can attempt to compromise the SecureDrop server by attacking the exposed attack surface, including the kernel network stack, Tor, Apache, the SecureDrop web interfaces, Python, OpenSSH, diff --git a/docs/appendices/training_schedule.rst b/docs/appendices/training_schedule.rst index 0df2c4ab5..5cfb396cf 100644 --- a/docs/appendices/training_schedule.rst +++ b/docs/appendices/training_schedule.rst @@ -89,7 +89,7 @@ recipients and anyone else interested - Account security fundamentals - Passphrases and Password Managers - - Two-factor authentication (2FA) + - *Two-Factor Authentication* (2FA) - Phishing prevention - Web browser security - IP address privacy, VPNs and Tor diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index 537d9c3d8..cbaeb140e 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst 
@@ -8,7 +8,7 @@ A SecureDrop Workstation is a laptop used by a *Journalist* to connect to a Secu Encryption and decryption happen with one click using a network-isolated VM that holds the SecureDrop *Submission Private Key*. Submissions can be viewed securely on the same machine thanks to a `feature of Qubes`_ that creates temporary VMs in which to view untrusted content without exposing the rest of the system to that content. *Journalists* use the SecureDrop Workstation to decrypt, view, reply to, and export submissions. -A key feature of SecureDrop is that *Journalists* can receive submissions from unknown *Sources* without risking the security of their own machines and networks. Previously, SecureDrop accomplished this by using a physical airgap (the Secure Viewing Station); to view submissions, *Journalists* would have to download them, transfer them to an encrypted USB flash drive, and physically take that drive to a separate, non-networked computer for decryption and viewing. SecureDrop Workstation combines all of those steps into one workflow on one machine: a Qubes computer that combines the *Journalist Workstation* and the Secure Viewing Station. +A key feature of SecureDrop is that *Journalists* can receive submissions from unknown *Sources* without risking the security of their own machines and networks. Previously, SecureDrop accomplished this by using a physical airgap (the *Secure Viewing Station*); to view submissions, *Journalists* would have to download them, transfer them to an encrypted USB flash drive, and physically take that drive to a separate, non-networked computer for decryption and viewing. SecureDrop Workstation combines all of those steps into one workflow on one machine: a Qubes computer that combines the *Journalist Workstation* and the *Secure Viewing Station*. .. | securedrop_workstation_workflow | 
@@ -159,26 +159,26 @@ For more about the security features of Qubes, see .. _`Xen hypervisor`: https://wiki.xen.org/wiki/Xen_Project_Software_Overview .. _`the Qubes OS documentation`: https://www.qubes-os.org/faq/#general--security -How does the security of this system compare to using an air-gapped Secure Viewing Station? +How does the security of this system compare to using an air-gapped *Secure Viewing Station*? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The air-gapped Secure Viewing Station that is part of a SecureDrop setup offers strong +The air-gapped *Secure Viewing Station* that is part of a SecureDrop setup offers strong protections against exfiltration of submissions or encryption keys by adversaries. It lacks important protections that SecureDrop Workstation provides. On the other hand, vulnerabilities in Qubes OS or Xen Hypervisor may have a greater security impact than vulnerabilities -in Tails, the operating system used on a Secure Viewing Station. +in Tails, the operating system used on a *Secure Viewing Station*. -A typical Secure Viewing Station USB flash drive may contain documents from multiple *Sources* and always +A typical *Secure Viewing Station* USB flash drive may contain documents from multiple *Sources* and always contains the highly sensitive private key needed to decrypt them. An adversary who does manage to achieve a security compromise (e.g., through a vulnerability in a file viewer application) can access these other files, and may be able to exfiltrate them. In spite of the air-gap, this may be possible through physical channels used to transfer files -off the Secure Viewing Station (e.g., USB flash drives), or by motivating the *Journalist* to perform an +off the *Secure Viewing Station* (e.g., USB flash drives), or by motivating the *Journalist* to perform an unsafe action (e.g., `scanning a QR code `__). 
-Because the air-gapped Secure Viewing Station has no Internet access, updates can only be performed using -another computer and a USB flash drive. In practice, newsrooms may not update their Secure Viewing Station +Because the air-gapped *Secure Viewing Station* has no Internet access, updates can only be performed using +another computer and a USB flash drive. In practice, newsrooms may not update their *Secure Viewing Station* in a timely manner, which can significantly worsen its security posture. In SecureDrop Workstation, any document received via SecureDrop is opened in a diff --git a/docs/introduction/what_is_securedrop.rst b/docs/introduction/what_is_securedrop.rst index 04d2ba1a0..326cd656e 100644 --- a/docs/introduction/what_is_securedrop.rst +++ b/docs/introduction/what_is_securedrop.rst 
@@ -20,28 +20,28 @@ journalist-source communications in the first place. In addition, it attempts to provide a safer environment for those communications than regular corporate news networks, which may be compromised. -Another key feature of SecureDrop is that journalists can receive submissions from unknown sources without risking the security of their own machines and +Another key feature of SecureDrop is that *Journalists* can receive submissions from unknown sources without risking the security of their own machines and networks. How it works ------------ -Sources and journalists connect to SecureDrop using the Tor network. The SecureDrop software is running on premises on dedicated infrastructure (two physical servers and a firewall). +*Sources* and *Journalists* connect to SecureDrop using the Tor network. The SecureDrop software is running on premises on dedicated infrastructure (two physical servers and a firewall). The following steps describe how a SecureDrop submission is submitted, received and reviewed: -1. A source uploads a submission to the news +1. A *Source* uploads a submission to the news organization using `Tor Browser `__. -2. A journalist connects to SecureDrop using their *SecureDrop - Workstation*, where journalists can view the document, +2. A *Journalist* connects to SecureDrop using their *SecureDrop + Workstation*, where *Journalists* can view the document, process it (e.g., to remove metadata or potential malware), print it, or export it to a dedicated device. .. seealso:: Check out :doc:`What makes SecureDrop Unique ` - to read more about SecureDrop's approach to keeping sources safe. + to read more about SecureDrop's approach to keeping *Sources* safe. User roles -------------- 
@@ -51,15 +51,15 @@ There are three main user roles that interact with a SecureDrop instance: :doc:`Sources ` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -A source submits documents and messages by using Tor Browser (or Tails) to access -the *Source Interface*: a public onion service. Submissions are encrypted +A *Source* submits documents and messages by using Tor Browser (or Tails) to access +the *Source Interface*: a public *Onion Service*. Submissions are encrypted in place on the *Application Server* as they are uploaded. :doc:`Journalists ` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Journalists working in the newsroom use a *SecureDrop Workstation* to connect -to their SecureDrop to communicate with Sources. Journalists +*Journalists* working in the newsroom use a *SecureDrop Workstation* to connect +to their SecureDrop to communicate with *Sources*. *Journalists* download `GPG `__-encrypted submissions. Apart from those deliberately published, decrypted documents are never accessed in an Internet-connected environment. @@ -69,7 +69,7 @@ accessed in an Internet-connected environment. The SecureDrop servers are managed by a systems admin; for larger newsrooms, there may be a team of systems admins. The admin -connects to the *Application* and *Monitor Servers* over `authenticated onion services `__, and manages them +connects to the *Application* and *Monitor Servers* over `authenticated Onion Services `__, and manages them using `Ansible `__. Project history 
@@ -102,7 +102,7 @@ by `contributing to SecureDrop `_ provides the foundation for the the anonymizing network that allows Sources, Journalists, and Administrators to maintain their privacy while connecting to SecureDrop. +`Tor `_ provides the foundation for the the anonymizing network that allows *Sources*, *Journalists*, and administrators to maintain their privacy while connecting to SecureDrop. We're deeply grateful to the SecureDrop volunteer community for translating our software into many languages. Their work is enabled by `Weblate `_, an open source platform for continuous localization. You can `make a donation `_ @@ -139,7 +139,7 @@ Security -------- While we can't guarantee 100% security (no organization or product can), the -goal of SecureDrop is to create a significantly more secure environment for sources to share information than exists through normal digital channels. Of course, there are always risks. That said, each release of SecureDrop with major architectural changes goes through a security audit by a reputable third party security firm. +goal of SecureDrop is to create a significantly more secure environment for *Sources* to share information than exists through normal digital channels. Of course, there are always risks. That said, each release of SecureDrop with major architectural changes goes through a security audit by a reputable third party security firm. Audits ------ @@ -170,7 +170,7 @@ or are able to use recycled machines sourced from within your organization. As part of priority support agreements and on a pro-bono basis for smaller news organizations, Freedom of the Press Foundation will visit your offices, help -set up SecureDrop and train journalists to use it. (For pro-bono support, we +set up SecureDrop and train *Journalists* to use it. (For pro-bono support, we request that our travel costs are covered.) Environment overview 
@@ -188,12 +188,12 @@ and must be physically located on-site within your organization's premises. - *Application Server*: An Ubuntu server running two segmented Tor hidden - services. The source connects to the *Source Interface*, a public-facing Tor - *Onion Service*, to send messages and documents to the journalist. The - journalist connects to the *Journalist Interface*, an `authenticated Tor + services. The *Source* connects to the *Source Interface*, a public-facing Tor + *Onion Service*, to send messages and documents to the *Journalist*. The + *Journalist* connects to the *Journalist Interface*, an `authenticated Tor *Onion Service* `__, to - download encrypted documents and respond to sources. + download encrypted documents and respond to *Sources*. - *Monitor Server*: An Ubuntu server that monitors the *Application Server* with `OSSEC `__ and sends email alerts. @@ -207,8 +207,8 @@ The SecureDrop environment consists of at least one laptop, in addition to the servers described above: - *SecureDrop Workstation:* - The laptop used by Journalists to download encrypted documents - and respond to sources, and used by Administrators to perform maintenance on the servers. + The laptop used by *Journalists* to download encrypted documents + and respond to *Sources*, and used by administrators to perform maintenance on the servers. Operation --------- 
@@ -220,7 +220,7 @@ Setting up SecureDrop is a multi-step process. Before getting started, you should make sure that you're prepared to operate and maintain it. You'll need a systems admin who's familiar with Linux, the GNU utilities, and the Bash shell. You'll need the :doc:`hardware ` -on which SecureDrop runs — this will normally cost $2000-$3000. The journalists +on which SecureDrop runs — this will normally cost $2000-$3000. The *Journalists* in your organization will need to be trained in the operation of SecureDrop, and you'll need to publish and promote your new SecureDrop instance afterwards — using your existing websites, mailing lists, and social media. @@ -241,7 +241,7 @@ a week to :ref:`complete and test ` your setup. Provisioning & training ~~~~~~~~~~~~~~~~~~~~~~~ -Once SecureDrop is installed, journalists will need to be provided with +Once SecureDrop is installed, *Journalists* will need to be provided with accounts, two-factor credentials, workstations, and so on — and then :doc:`trained ` to use these tools safely and reliably. You will probably also need to train additional backup admins so that you can be sure that your SecureDrop setup keeps running even when your main admin is on holiday. @@ -271,13 +271,13 @@ SecureDrop *Landing Page* and our guide to Sharing access -------------- -With other journalists in your organization +With other *Journalists* in your organization ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While SecureDrop supports having multiple journalist accounts for the document interface, all accounts will access the same inbox. To avoid confusion, we -recommend news organizations assign 1-3 journalists to regularly check +recommend news organizations assign 1-3 *Journalists* to regularly check SecureDrop and make sure that they all are in contact as to who is responsible -for responding to each source. +for responding to each *Source*. With other organizations ~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -285,7 +285,7 @@ With other organizations Currently you cannot use SecureDrop with multiple organizations for security reasons. One of the benefits of SecureDrop is that it completely eliminates third parties from your communication channel. The media organization owns and -operates the server that both the source and journalist connect to. +operates the server that both the *Source* and *Journalist* connect to. Any legal request or order has to be served on the media organization operating the SecureDrop server, giving them a chance to challenge it before handing over diff --git a/docs/journalist/sources.rst b/docs/journalist/sources.rst index 82b7dca70..42328038c 100644 --- a/docs/journalist/sources.rst +++ b/docs/journalist/sources.rst @@ -90,10 +90,10 @@ You will be presented with a pop-up where you will be asked to confirm if you wo Click **Delete Conversation** to delete all files and messages (including journalist replies) associated with this source, while keeping the source account active. The source will continue to appear in the source list, and will be able to -communicate with you through the Source Interface. +communicate with you through the *Source Interface*. Click **Delete Account** to also remove the source from the source list, -and to prevent them from logging into the Source Interface. Their account will +and to prevent them from logging into the *Source Interface*. Their account will be completely removed from the system. .. |screenshot_sdapp_main_view| image:: ../images/screenshot_sdapp_main_view.png diff --git a/docs/source/before_you_submit.rst b/docs/source/before_you_submit.rst index c1a5c8a07..6222a4df7 100644 --- a/docs/source/before_you_submit.rst +++ b/docs/source/before_you_submit.rst 
@@ -45,7 +45,7 @@ Use Tor Browser Each SecureDrop may **only** be reached through the Tor Browser. SecureDrop pages are only available as *Onion Services*—encrypted web pages -that end in ".onion," and only the Tor browser is able to open these pages. +that end in ".onion," and only the Tor Browser is able to open these pages. Tor is an anonymizing network that makes it difficult for anybody observing the network to associate a user's identity (e.g., the computer's IP address) with From f76c7d601def75479f7b2911a7962014daac1633 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Thu, 18 Jun 2026 11:14:52 -0400 Subject: [PATCH 23/24] Fix those pesky underlines --- docs/appendices/threat_model/threat_model.rst | 14 +++++++------- docs/introduction/securedrop_workstation.rst | 2 +- docs/introduction/what_is_securedrop.rst | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/appendices/threat_model/threat_model.rst b/docs/appendices/threat_model/threat_model.rst index ef34d211c..2d5b94b37 100644 --- a/docs/appendices/threat_model/threat_model.rst +++ b/docs/appendices/threat_model/threat_model.rst @@ -148,7 +148,7 @@ Assumptions about the person installing SecureDrop organization, and for :doc:`installing SecureDrop `. Assumptions about the *Source*'s computer -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - The computer correctly executes Tails or Tor Browser. - The computer is not compromised by malware. @@ -307,7 +307,7 @@ What a compromise of the workstations can surrender passphrase ` for that key. What a compromise of the *Source*'s property can surrender -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Use of `Tor Browser will leave traces `__ 
@@ -340,7 +340,7 @@ What a compromise of the *Source*'s property can surrender deleted. What a physical seizure of the *Source*'s property can surrender -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Document use of Tor or Tails, but not necessarily research into SecureDrop @@ -454,7 +454,7 @@ What a physical seizure of the admin's property can achieve allow the attacker to access both servers and the *Journalist Interface*. What a compromise of the *Journalist*'s property can achieve -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - To access the *Journalist Interface*, the attacker needs to obtain the *Journalist*'s login credentials and the *Journalist*'s *Two-Factor @@ -488,7 +488,7 @@ What a compromise of the *Journalist*'s property can achieve *Journalist* accounts. What a physical seizure of the *Journalist*'s property can achieve -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Tamper with the hardware. - Prevent the *Journalist* from working on SecureDrop for some period of @@ -643,7 +643,7 @@ What a physical seizure of the *Secure Viewing Station* can achieve is in use. What a local network attacker can achieve against the *Source*, admin, or *Journalist* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A local network can observe when they are using Tor. - A local network can block Tor and prevent them from accessing 
@@ -654,7 +654,7 @@ What a local network attacker can achieve against the *Source*, admin, or *Journ difficult `__. What a global adversary can achieve against the *Source*, admin, or *Journalist* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - A global adversary capable of observing all Internet traffic may have more luck than the local network attacker in deducing use of diff --git a/docs/introduction/securedrop_workstation.rst b/docs/introduction/securedrop_workstation.rst index cbaeb140e..81ce9b985 100644 --- a/docs/introduction/securedrop_workstation.rst +++ b/docs/introduction/securedrop_workstation.rst @@ -160,7 +160,7 @@ For more about the security features of Qubes, see .. _`the Qubes OS documentation`: https://www.qubes-os.org/faq/#general--security How does the security of this system compare to using an air-gapped *Secure Viewing Station*? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The air-gapped *Secure Viewing Station* that is part of a SecureDrop setup offers strong protections against exfiltration of submissions or encryption keys by adversaries. It lacks diff --git a/docs/introduction/what_is_securedrop.rst b/docs/introduction/what_is_securedrop.rst index 326cd656e..cd1aa2edd 100644 --- a/docs/introduction/what_is_securedrop.rst +++ b/docs/introduction/what_is_securedrop.rst @@ -272,7 +272,7 @@ Sharing access -------------- With other *Journalists* in your organization -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While SecureDrop supports having multiple journalist accounts for the document interface, all accounts will access the same inbox. To avoid confusion, we recommend news organizations assign 1-3 *Journalists* to regularly check 
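Review bot: In docs/appendices/threat_model/threat_model.rst, hunk @@ -450,55, the bullet "An attacker with access to the **journalist's computer** can:" loses its bold when it becomes "*Journalist*'s computer", while the sibling bullet in the same list still bolds "**persistent volume**". The bold marks the asset each bullet is about, so keep it on the asset noun (for example "*Journalist*'s **computer**") or drop it from both bullets. The same hunk introduces "*Interface*" on its own where the surrounding text uses the full *Journalist Interface*, and it leaves "Secure Viewing Station" unmarked in two bullets although the securedrop_workstation.rst hunks in this patch convert it to *Secure Viewing Station*.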
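Review bot: In docs/introduction/what_is_securedrop.rst, hunk @@ -20,28, the changed sentence marks *Journalists* but leaves "unknown sources" plain on the same line. The matching sentence in docs/introduction/securedrop_workstation.rst reads "unknown *Sources*", so use *Sources* here as well to keep the two introductions consistent.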
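Review bot: In docs/introduction/what_is_securedrop.rst, hunk @@ -102,7, the rewritten Tor sentence still reads "provides the foundation for the the anonymizing network"; drop the duplicated "the" while this line is being touched. The same line turns "Administrators" into plain "administrators" while *Sources* and *Journalists* gain emphasis, so a sentence in the commit message stating that the admin role is deliberately left unmarked would save the next reader from wondering whether it was missed.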
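Review bot: In docs/introduction/what_is_securedrop.rst, hunk @@ -188,12, the *Application Server* bullet still describes "two segmented Tor hidden services" and then, in the changed lines directly after it, calls the same endpoints a "public-facing Tor *Onion Service*" and an "authenticated Tor *Onion Service*". Since hunk @@ -51,15 already converts "a public onion service" to "a public *Onion Service*", replace "hidden services" here too so the bullet uses one term throughout.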
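Review bot: The underline corrections in PATCH 23/24 should be squashed into the commits that lengthened the titles instead of landing as a separate fixup. In the earlier threat_model.rst hunks the headings at @@ -450,55 and @@ -653,35 gain "*Journalist*" and "*Source*" with no underline change, the heading at @@ -642,8 does get a longer underline and still needs a second correction here, and the same applies to the headings in securedrop_workstation.rst (@@ -159,26) and what_is_securedrop.rst (@@ -271,13). reStructuredText requires a section underline to be at least as long as its title, so every commit between the rename and this one builds the docs with short-underline warnings, which makes bisecting noisy. If the commit is kept separate, a subject such as "Extend section underlines to match renamed titles" says more than "Fix those pesky underlines".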
From 31c47b757ac2abfcc0e4f92b0bc659a0a6481375 Mon Sep 17 00:00:00 2001 From: "martin.c" Date: Wed, 24 Jun 2026 14:56:57 -0400 Subject: [PATCH 24/24] Title Case Daily Journalist Alerts --- docs/admin/installation/email_alerts.rst | 4 ++-- docs/admin/installation/install.rst | 4 ++-- docs/admin/maintenance/rebuild_admin.rst | 4 ++-- docs/appendices/threat_model/mitigations.rst | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/admin/installation/email_alerts.rst b/docs/admin/installation/email_alerts.rst index 1219b5797..1a53afab1 100644 --- a/docs/admin/installation/email_alerts.rst +++ b/docs/admin/installation/email_alerts.rst @@ -5,7 +5,7 @@ SecureDrop sends different alerts by PGP-encrypted email. Before installing Secu .. _daily_journalist_alerts: -Optional: Daily journalist alerts +Optional: Daily Journalist Alerts --------------------------------- When a SecureDrop has little activity and receives only a few submissions every other week, checking daily only to find there is nothing is a burden. It is more convenient for *Journalists* to be notified daily via encrypted email about whether or not there has been submission activity in the past 24 hours. @@ -34,7 +34,7 @@ If you wish to enable this, you will need: - the *Journalist Alert Public Key* - the *Journalist Alert Public Key* fingerprint -Daily journalist alerts can be configured during or after installation. +Daily Journalist Alerts can be configured during or after installation. .. _ossec_guide: diff --git a/docs/admin/installation/install.rst b/docs/admin/installation/install.rst index 9c0a708a3..d320bc27a 100644 --- a/docs/admin/installation/install.rst +++ b/docs/admin/installation/install.rst 
@@ -100,10 +100,10 @@ continuing: can add more later) - the username of the system admin -If configuring daily journalist alert emails (this is optional and can be configured later), you will also need: +If configuring Daily Journalist Alert emails (this is optional and can be configured later), you will also need: - the *Journalist Alert Public Key* - the *Journalist Alert Public Key* fingerprint -- the email address that will receive the daily journalist alerts +- the email address that will receive the Daily Journalist Alerts Localization of the *Source Interface* and *Journalist Interface* ----------------------------------------------------------------- diff --git a/docs/admin/maintenance/rebuild_admin.rst b/docs/admin/maintenance/rebuild_admin.rst index 608e3d7ad..e6a1008bf 100644 --- a/docs/admin/maintenance/rebuild_admin.rst +++ b/docs/admin/maintenance/rebuild_admin.rst @@ -271,7 +271,7 @@ using the command: curl http://$(cat /tmp/sourcev3)/metadata Next, note the OSSEC Alerts email address (``OSSEC_EMAIL``) and, if applicable, -the daily journalist alerts email address (``JOURNALIST_EMAIL``): +the Daily Journalist Alerts email address (``JOURNALIST_EMAIL``): .. code:: sh @@ -286,7 +286,7 @@ appropriate email address for ``alerts@example.com``): ssh mon sudo gpg --homedir=/var/ossec/.gnupg --export --armor alerts@example.com > ossec.pub gpg --import ossec.pub -If a daily journalist alerts address has been configured, repeat this step for the +If a Daily Journalist Alerts address has been configured, repeat this step for the *Journalist Alert Public Key*, naming it ``journalist.pub`` or similar. You will require the fingerprints for these keys during the next step, which you diff --git a/docs/appendices/threat_model/mitigations.rst b/docs/appendices/threat_model/mitigations.rst index b230a376a..f1413c21d 100644 --- a/docs/appendices/threat_model/mitigations.rst +++ b/docs/appendices/threat_model/mitigations.rst 
@@ -190,8 +190,8 @@ Attacks on network infrastructure - apt server man-in-the-middle used to serve old or malicious packages - SecureDrop apt servers are compromised, or apt server man-in-the middle attack injects malicious packages - News Organization network is compromised -- OSSEC and/or daily journalist alert SMTP account credentials compromised -- OSSEC and/or daily journalist alert private key compromised +- OSSEC and/or Daily Journalist Alert SMTP account credentials compromised +- OSSEC and/or Daily Journalist Alert private key compromised - SMTP relay compromised - Admin's network is monitored
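Review bot: PATCH 24/24 title-cases "Daily Journalist Alerts" but does not give it the emphasis used for every other defined term in this series, so in docs/admin/installation/email_alerts.rst (@@ -34,7) and install.rst (@@ -100,10) the plain "Daily Journalist Alerts" sits directly beside "*Journalist Alert Public Key*". If this is meant to be a glossary term, mark it as *Daily Journalist Alerts* in body text (the section heading can stay as it is); if it is meant to be a plain proper noun, say so in the commit message. The singular and plural forms also vary between files ("Daily Journalist Alert emails", "Daily Journalist Alerts address", "Daily Journalist Alert SMTP account credentials"), so it is worth picking one form for the attributive use.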