From 711838decd94d03347ee7cf42aac3daee77d6cc4 Mon Sep 17 00:00:00 2001
From: Cory Francis Myers
Date: Wed, 16 Aug 2023 18:25:55 -0700
Subject: [PATCH 1/6] eliminate a round trip between existing and new Admin
 Workstations during onboarding

By using ssh-add before ssh-copy-id on the new Admin Workstation 2 (AW2), all
steps once Tails is installed on AW2 can take place on AW2 with the existing
Admin Workstation 1 (AW1) unlocked, rather than running some steps on AW2 with
AW1 unlocked and some steps on AW1 with AW2 unlocked.

This adds a couple of shell commands (a possible source of error) but removes 5
steps and some shuffling of thumb drives (a different possible source of
error).

Assumptions:

* If we trust AW2 to have AW1 unlocked, then we trust AW2 to load AW1's SSH
  private key into memory and use it to connect to the Application and Monitor
  Servers, in order to upload AW2's own SSH public key.

* In other words, each Admin Workstation has its own keypair to allow
  revocation of individual keys, not because a given Admin Workstation or its
  owner cannot be trusted to have access to another Admin Workstation's full
  keypair (in a procedure in which, in fact, they *do* have such access).
---
 docs/admin/deployment/onboarding_admins.rst | 68 ++++++++++-----------
 1 file changed, 32 insertions(+), 36 deletions(-)

diff --git a/docs/admin/deployment/onboarding_admins.rst b/docs/admin/deployment/onboarding_admins.rst
index 2d55febae..2412c9628 100644
--- a/docs/admin/deployment/onboarding_admins.rst
+++ b/docs/admin/deployment/onboarding_admins.rst
@@ -31,60 +31,56 @@ To set up AW2, follow these steps: and `set an admin password on the welcome screen `__ 2. Ensure that Tails and the SecureDrop version on AW1 are up-to-date. If not, update now by following the :ref:`most recent upgrade guide `. -3. Insert the empty AW2 USB drive. -4. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**) and install Tails on AW2. +3. Log into the *Journalist Interface* using your admin credentials, and create + a new user account with admin rights. Record its passphrase securely; + you will add it to the password manager on AW2. + + (You will need to on-board the new admin's 2FA device to complete this step. + If this is not possible yet, you can defer it until later.) +4. Insert the empty AW2 USB drive. +5. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**) and install Tails on AW2. This will delete all data on the AW2 USB drive. -5. Shut down AW1. -6. Boot AW2. -7. Configure its persistent volume (**Applications ▸ Tails ▸ Configure persistent volume**). +6. Shut down AW1. +7. Boot AW2. +8. Configure its persistent volume (**Applications ▸ Tails ▸ Configure persistent volume**). Set a unique passphrase for AW2 and record it securely. Enable all persistence options. -8. Reboot AW2, unlock its persistent volume, and set an admin password on the welcome screen. -9. Open the file manager (**Applications ▸ Accessories ▸ Files**). -10. Insert AW1. It should show up in the list of storage devices in the file manager under +9. Reboot AW2, unlock its persistent volume, and set an admin password on the welcome screen. +10. Open the file manager (**Applications ▸ Accessories ▸ Files**). +11. Insert AW1. It should show up in the list of storage devices in the file manager under a label like "7.0 GB Encrypted". Click the label and enter the drive password when prompted to unlock it. -11. In a terminal, type the following command: +12. 
In a terminal, type the following command: ``rsync -a /media/amnesia/TailsData/Persistent/securedrop ~/Persistent`` This will copy *only* the ``securedrop`` directory from AW1 to AW2. -12. Generate a new keypair on AW2 using the following command: +13. Generate a new keypair on AW2 using the following command: ``ssh-keygen -t rsa -b 4096`` When prompted, store the keypair in the default location. -13. Shut down AW2. -14. Boot AW1, unlock its persistent volume, and set an admin password on - the welcome screen. -15. Open the file manager (**Applications ▸ Accessories ▸ Files**). -16. Insert AW2 and unlock it. -17. In a terminal, type the following commands to authorize the newly created SSH keypair - on your servers: - - ``ssh-copy-id -i /media/amnesia/TailsData/openssh-client/id_rsa.pub app`` - ``ssh-copy-id -i /media/amnesia/TailsData/openssh-client/id_rsa.pub mon`` -18. Log into the *Journalist Interface* using your admin credentials, and create - a new user account with admin rights. Record its passphrase securely; - you will add it to the password manager on AW2. - - (You will need to on-board the new admin's 2FA device to complete this step. - If this is not possible yet, you can defer it until later.) -19. Shut down AW1. -20. Boot AW2, unlock its persistent volume, and set an admin password - on the welcome screen. -21. Boot into AW2 and run the command ``./securedrop-admin tailsconfig`` in - ``~/Persistent/securedrop``. +14. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. This will set up desktop shortcuts and SSH access. -22. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``). -23. Confirm that you are able to access the *Source Interface* and the *Journalist +15. Insert AW1. It should show up in the list of storage devices in the file manager under + a label like "7.0 GB Encrypted". Click the label and enter the drive + password when prompted to unlock it. +16. 
In a terminal, type the following commands to authorize the newly created SSH keypair + on your servers: + ``ssh-add`` + ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa`` + ``ssh-copy-id app`` + ``ssh-copy-id mon`` + ``ssh-add -D`` +17. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``). +18. Confirm that you are able to access the *Source Interface* and the *Journalist Interface* using the desktop shortcuts. -24. :ref:`Initialize a passphrase database ` on AW2. +19. :ref:`Initialize a passphrase database ` on AW2. Store the admin account details using KeePassXC, and other account information this admin will need in the course of administering this system. -25. Shut down AW2. -26. :doc:`Back up AW2 <../maintenance/backup_workstations>`. +20. Shut down AW2. +21. :doc:`Back up AW2 <../maintenance/backup_workstations>`. You can now provide AW2 to the new administrator. Ensure that they store the disk encryption passphrase in a secure manner: in most configurations, it is the From 972069b581a3af0b2c0bffc0464a0c6af242173d Mon Sep 17 00:00:00 2001 From: Nathan Dyer Date: Thu, 24 Aug 2023 15:09:56 -0400 Subject: [PATCH 2/6] Modify admin onboarding workflow based on new Tails Persistent Storage copying options. --- docs/admin/deployment/onboarding_admins.rst | 43 +++++++++------------ 1 file changed, 18 insertions(+), 25 deletions(-) diff --git a/docs/admin/deployment/onboarding_admins.rst b/docs/admin/deployment/onboarding_admins.rst index 2412c9628..3918e2ab3 100644 --- a/docs/admin/deployment/onboarding_admins.rst +++ b/docs/admin/deployment/onboarding_admins.rst 
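Review bot: in the hunk for onboarding_admins.rst (@@ -31,60 +31,56 @@), the new step 15 ("Insert AW1. It should show up in the list of storage devices ...") re-inserts a drive that was already inserted and unlocked in step 11 for the rsync and that nothing in steps 12 to 14 ejects, so AW1 is still mounted at ``/media/amnesia/TailsData`` when step 16 runs; either drop step 15 or add an explicit eject after the rsync in step 12 so the second insert is meaningful. Two smaller points on step 16: the five commands are consecutive lines of one list-item paragraph, so Sphinx will render them run together on a single line (a bullet per command or a literal block fixes that), and the text should say to run ``ssh-add -D`` even if an earlier ``ssh-copy-id`` fails, since AW1's private key stays loaded in the AW2 agent until that line runs.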
@@ -38,49 +38,42 @@ To set up AW2, follow these steps: (You will need to on-board the new admin's 2FA device to complete this step. If this is not possible yet, you can defer it until later.) 4. Insert the empty AW2 USB drive. -5. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**) and install Tails on AW2. - This will delete all data on the AW2 USB drive. -6. Shut down AW1. -7. Boot AW2. -8. Configure its persistent volume (**Applications ▸ Tails ▸ Configure persistent volume**). - Set a unique passphrase for AW2 and record it securely. Enable all persistence options. -9. Reboot AW2, unlock its persistent volume, and set an admin password on the welcome screen. -10. Open the file manager (**Applications ▸ Accessories ▸ Files**). -11. Insert AW1. It should show up in the list of storage devices in the file manager under - a label like "7.0 GB Encrypted". Click the label and enter the drive - password when prompted to unlock it. -12. In a terminal, type the following command: - - ``rsync -a /media/amnesia/TailsData/Persistent/securedrop ~/Persistent`` - - This will copy *only* the ``securedrop`` directory from AW1 to AW2. -13. Generate a new keypair on AW2 using the following command: +5. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**). + Select the option to **Clone the current Tails.** This will delete all data on the AW2 USB drive. +6. Check the box marked **Clone the current Persistent Storage.** +7. Click **Install**. +8. Choose a unique passphrase for AW2 and record it securely. +9. Shut down AW1. +10. Boot AW2, set an Admin password on the welcome screen, unlock the Persistent Storage, and + enable all the options in the Persistent Storage settings. +11. Record the new passphrase for AW2 securely. +12. Generate a new keypair on AW2 using the following command: ``ssh-keygen -t rsa -b 4096`` When prompted, store the keypair in the default location. -14. 
Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. +13. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. This will set up desktop shortcuts and SSH access. -15. Insert AW1. It should show up in the list of storage devices in the file manager under +14. Insert AW1. It should show up in the list of storage devices in the file manager under a label like "7.0 GB Encrypted". Click the label and enter the drive password when prompted to unlock it. -16. In a terminal, type the following commands to authorize the newly created SSH keypair +15. In a terminal, type the following commands to authorize the newly created SSH keypair on your servers: ``ssh-add`` ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa`` ``ssh-copy-id app`` ``ssh-copy-id mon`` ``ssh-add -D`` -17. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``). -18. Confirm that you are able to access the *Source Interface* and the *Journalist +16. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``). +17. Confirm that you are able to access the *Source Interface* and the *Journalist Interface* using the desktop shortcuts. -19. :ref:`Initialize a passphrase database ` on AW2. +18. :ref:`Initialize a passphrase database ` on AW2. Store the admin account details using KeePassXC, and other account information this admin will need in the course of administering this system. -20. Shut down AW2. -21. :doc:`Back up AW2 <../maintenance/backup_workstations>`. +19. Shut down AW2. +20. :doc:`Back up AW2 <../maintenance/backup_workstations>`. You can now provide AW2 to the new administrator. Ensure that they store the disk encryption passphrase in a secure manner: in most configurations, it is the From 4ae52eb56ff11a2a50ff13f11a49987d85375430 Mon Sep 17 00:00:00 2001 
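Review bot: in the hunk for onboarding_admins.rst (@@ -38,49 +38,42 @@), step 6 now clones AW1's Persistent Storage onto AW2, so when step 12 runs ``ssh-keygen -t rsa -b 4096`` and stores the key "in the default location" it will find AW1's cloned private key already there and prompt to overwrite; the step should say to answer yes, otherwise AW2 keeps AW1's key instead of getting its own and the per-workstation revocation described in the series is lost. Steps 8 and 11 both tell the reader to record the AW2 passphrase securely; one of them can go. Since the clone now carries everything on AW1's persistent volume rather than only the ``securedrop`` directory the removed rsync copied, a step that removes material the new admin should not hold belongs before AW2 is handed over.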
From: Nathan Dyer Date: Thu, 24 Aug 2023 15:20:53 -0400 Subject: [PATCH 3/6] Document process for making remote SVS using the Tails Persistent Storage copy options. --- docs/admin/deployment/remote.rst | 54 +++++++++++--------------------- 1 file changed, 18 insertions(+), 36 deletions(-) diff --git a/docs/admin/deployment/remote.rst b/docs/admin/deployment/remote.rst index a931b5788..468b6253d 100644 --- a/docs/admin/deployment/remote.rst +++ b/docs/admin/deployment/remote.rst @@ -96,9 +96,6 @@ In order to create a new SVS for remote use, you will need the following: and microphones. A computer used as an SVS should never be used for any other purpose. -* An up-to-date Tails USB (the primary Tails USB). You do not need to set up - persistent storage on this device, as it will not be used during the SVS - setup process. * The current SVS USB, and its persistent volume’s passphrase * A USB key to act as the new SVS USB 
@@ -107,38 +104,23 @@ Creating New SVS USB Drives To create the new SVS USB: -1. Boot into Tails using the primary Tails USB on the air-gapped workstation. - When you see the welcome dialog, you can proceed without enabling persistence - or setting an admin password. -2. Install Tails on the new SVS USB, following the instructions - `here. `_ -3. Boot into the new SVS USB and enable persistence with a strong passphrase - (a 6-word Diceware passphrase is recommended). In the Persistent volume - configuration wizard, be sure to enable persistence for “GnuPG - GnuPG - Keyrings and configuration”. -4. Temporarily store the persistent volume passphrase in your password manager. - You should delete it once you have given the USB and passphrase to the - journalist who will be using them. -5. Reboot the new SVS USB with persistence enabled and an administration - password set. -6. Plug the current SVS USB into a free port on the workstation. -7. Mount its persistent volume by browsing to Places > Computer, clicking - the USB disk in the left-hand column, and entering its persistent volume’s - passphrase. -8. Open a terminal via Applications > Favorites > Terminal -9. Copy the current SVS’s GPG keychain (which includes the *Submission Key*) to - the new SVS USB using the following command (without linebreaks): - - .. code:: sh - - sudo bash -c "rsync -a --no-specials --no-devices \ - /media/amnesia/TailsData/gnupg/ \ - /live/persistence/TailsData_unlocked/gnupg/" - - -10. Eject and remove the current SVS USB. -11. Verify that the *Submission Key* is present with the correct fingerprint on - the new SVS USB via Applications > Utilities > Passwords and Keys. +1. Boot into the current SVS using the air-gapped workstation. + When you see the welcome dialog, unlock the persistent storage + volume. +2. Insert the new (empty) SVS USB. +3. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**). + Select the option to **Clone the current Tails**. 
+ This will delete any data on the new SVS drive. +4. Check the box marked **Clone the current Persistent Storage**. +5. Click **Install**. +6. Choose a strong new passphrase for the new Persistent Storage Volume + (a 6-word Diceware passphrase is recommended) and record it securely. +7. After the process is complete, power off the SVS. +8. Boot to the new SVS USB, unlock the Persistent Storage, and + enable all the options in the Persistent Storage settings. +9. Verify that the *Submission Key* is present with the correct fingerprint on + the new SVS USB via Applications > Utilities > Passwords and Keys. + The new SVS should now be ready for use. The journalist that will be checking submissions will need the new SVS USB, its Persistent Volume passphrase, and @@ -224,4 +206,4 @@ your SecureDrop instance, we recommend the following steps: In most cases, restoring the instance, whether in their original hosting location or elsewhere, is a matter of reconnecting the servers to the firewall, attaching a WAN connection that allows unfiltered access to Tor to -the firewall WAN port, and powering everything on. \ No newline at end of file +the firewall WAN port, and powering everything on. From f7b6b1bed2d30a6c6d1a9392e748819c7291379a Mon Sep 17 00:00:00 2001 From: Nathan Dyer Date: Wed, 6 Sep 2023 10:32:53 -0400 Subject: [PATCH 4/6] Replace references to the Tails Installer with Tails Cloner --- docs/admin/deployment/onboarding_admins.rst | 38 +++++++++------------ docs/admin/deployment/remote.rst | 2 +- 2 files changed, 17 insertions(+), 23 deletions(-) diff --git a/docs/admin/deployment/onboarding_admins.rst b/docs/admin/deployment/onboarding_admins.rst index 3918e2ab3..2826f978e 100644 --- a/docs/admin/deployment/onboarding_admins.rst +++ b/docs/admin/deployment/onboarding_admins.rst 
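Review bot: in the remote.rst hunk (@@ -107,38 +104,23 @@), the removed procedure copied only ``/media/amnesia/TailsData/gnupg/`` from the current SVS, whereas the new step 4 clones the entire Persistent Storage, so anything else on the current SVS's persistent volume (for example any decrypted submissions kept in its Persistent folder) ends up on the new SVS USB that is handed to the journalist; add a step after 8 to review and remove such material, or state that the current SVS must be clean before cloning. Step 9's fingerprint check still applies to the clone, but it only confirms that the *Submission Key* is present, not that nothing extra was copied.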
@@ -38,42 +38,36 @@ To set up AW2, follow these steps: (You will need to on-board the new admin's 2FA device to complete this step. If this is not possible yet, you can defer it until later.) 4. Insert the empty AW2 USB drive. -5. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**). +5. Launch the Tails Cloner (**Applications ▸ Tails ▸ Tails Cloner**). Select the option to **Clone the current Tails.** This will delete all data on the AW2 USB drive. 6. Check the box marked **Clone the current Persistent Storage.** 7. Click **Install**. 8. Choose a unique passphrase for AW2 and record it securely. 9. Shut down AW1. -10. Boot AW2, set an Admin password on the welcome screen, unlock the Persistent Storage, and - enable all the options in the Persistent Storage settings. -11. Record the new passphrase for AW2 securely. +10. Boot AW2 and unlock the Persistent Storage. +11. Open the KeePassXC database, remove any unneeded credentials from AW1, and store + the new account credentials you created in step 3. 12. Generate a new keypair on AW2 using the following command: ``ssh-keygen -t rsa -b 4096`` When prompted, store the keypair in the default location. -13. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. +12. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. This will set up desktop shortcuts and SSH access. -14. Insert AW1. It should show up in the list of storage devices in the file manager under - a label like "7.0 GB Encrypted". Click the label and enter the drive - password when prompted to unlock it. -15. In a terminal, type the following commands to authorize the newly created SSH keypair +13. In a terminal, type the following commands to authorize the newly created SSH keypair on your servers: - ``ssh-add`` - ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa`` - ``ssh-copy-id app`` - ``ssh-copy-id mon`` - ``ssh-add -D`` -16. 
Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``). -17. Confirm that you are able to access the *Source Interface* and the *Journalist + + * ``ssh-add`` + * ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa`` + * ``ssh-copy-id app`` + * ``ssh-copy-id mon`` + * ``ssh-add -D`` +14. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``). +15. Confirm that you are able to access the *Source Interface* and the *Journalist Interface* using the desktop shortcuts. -18. :ref:`Initialize a passphrase database ` on AW2. - Store the admin account details using KeePassXC, and other account - information this admin will need in the course of administering this - system. -19. Shut down AW2. -20. :doc:`Back up AW2 <../maintenance/backup_workstations>`. +16. Shut down AW2. +17. :doc:`Back up AW2 <../maintenance/backup_workstations>`. You can now provide AW2 to the new administrator. Ensure that they store the disk encryption passphrase in a secure manner: in most configurations, it is the diff --git a/docs/admin/deployment/remote.rst b/docs/admin/deployment/remote.rst index 468b6253d..8bdf51df0 100644 --- a/docs/admin/deployment/remote.rst +++ b/docs/admin/deployment/remote.rst @@ -108,7 +108,7 @@ To create the new SVS USB: When you see the welcome dialog, unlock the persistent storage volume. 2. Insert the new (empty) SVS USB. -3. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**). +3. Launch the Tails Cloner (**Applications ▸ Tails ▸ Tails Cloner**). Select the option to **Clone the current Tails**. This will delete any data on the new SVS drive. 4. Check the box marked **Clone the current Persistent Storage**. From 18edb46eeb7f8093e6f99688f3fec3064385f199 Mon Sep 17 00:00:00 2001 
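Review bot: in the onboarding_admins.rst hunk (@@ -38,42 +38,36 @@), the step that inserts and unlocks AW1 is removed but step 13 keeps ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa``, which reads AW1's private key from that mount; with AW1 no longer mounted the command fails and the following ``ssh-copy-id app`` and ``ssh-copy-id mon`` have no authorized key to authenticate with. Either keep the insert-and-unlock step before step 13 or drop that ``ssh-add`` line and say which key the clone has left in place. Separately, the list now has two items numbered 12 (``12. Generate a new keypair`` and ``12. Run the command ./securedrop-admin tailsconfig``); renumber 12 through 17.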
From: Nathan Dyer Date: Mon, 7 Oct 2024 16:12:30 -0400 Subject: [PATCH 5/6] Document clearing KeePassXC recycle bin --- docs/admin/deployment/onboarding_admins.rst | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/admin/deployment/onboarding_admins.rst b/docs/admin/deployment/onboarding_admins.rst index 4123511c1..38499e346 100644 --- a/docs/admin/deployment/onboarding_admins.rst +++ b/docs/admin/deployment/onboarding_admins.rst @@ -33,7 +33,7 @@ To set up AW2, follow these steps: If not, update now by following the :ref:`most recent upgrade guide `. 3. Log into the *Journalist Interface* using your admin credentials, and create a new user account with admin rights. Record its passphrase securely; - you will add it to the password manager on AW2. + you will add it to the password manager on AW2 in step 11. (You will need to on-board the new admin's 2FA device to complete this step. If this is not possible yet, you can defer it until later.) @@ -42,11 +42,14 @@ To set up AW2, follow these steps: Select the option to **Clone the current Tails.** This will delete all data on the AW2 USB drive. 6. Check the box marked **Clone the current Persistent Storage.** 7. Click **Install**. -8. Choose a unique passphrase for AW2 and record it securely. +8. Choose a unique passphrase for the new Persistent Storage Volume on AW2 + (a 6-word Diceware passphrase is recommended) and record it securely. 9. Shut down AW1. 10. Boot AW2 and unlock the Persistent Storage. -11. Open the KeePassXC database, remove any unneeded credentials from AW1, and store - the new account credentials you created in step 3. +11. Open the KeePassXC database, delete unneeded credentials from AW1, + right-click the **Recycle Bin** item under **Root** in the KeePassXC sidebar, + and select **Empty recycle bin**. Then, store the new account credentials you + created in step 3. 12. Generate a new keypair on AW2 using the following command: ``ssh-keygen -t rsa -b 4096`` 
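Review bot: in the first hunk (@@ -33,7 +33,7 @@), "you will add it to the password manager on AW2 in step 11" is a hardcoded step number in a list this same series has already renumbered three times; refer to the step by what it does ("when you open the KeePassXC database on AW2") so the pointer survives the next renumbering.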
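Review bot: in the second hunk (@@ -42,11 +42,14 @@), step 11 says to "delete unneeded credentials from AW1" but gives no criterion for which entries in the cloned database are unneeded; the text removed earlier in the series ("other account information this admin will need in the course of administering this system") supplied one, so name what the new admin keeps and what must go (at minimum, the previous admin's own *Journalist Interface* account) before the Recycle Bin is emptied, since emptying it is what makes the deletions final.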
@@ -54,7 +57,7 @@ To set up AW2, follow these steps: When prompted, store the keypair in the default location. 13. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. - This will set up desktop shortcuts and SSH access. + This will set up the *SecureDrop Menu* and SSH access. 14. In a terminal, type the following commands to authorize the newly created SSH keypair on your servers: From 86f5d8ef892cb85045336e2030c5178d48e1680c Mon Sep 17 00:00:00 2001 From: Nathan Dyer Date: Fri, 15 Nov 2024 15:44:06 -0500 Subject: [PATCH 6/6] Add steps for mounting AW1 to fix AW2 SSH operations --- docs/admin/deployment/onboarding_admins.rst | 22 +++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/docs/admin/deployment/onboarding_admins.rst b/docs/admin/deployment/onboarding_admins.rst index 38499e346..53c98343b 100644 --- a/docs/admin/deployment/onboarding_admins.rst +++ b/docs/admin/deployment/onboarding_admins.rst 
@@ -58,14 +58,20 @@ To set up AW2, follow these steps: 13. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``. This will set up the *SecureDrop Menu* and SSH access. -14. In a terminal, type the following commands to authorize the newly created SSH keypair - on your servers: - - * ``ssh-add`` - * ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa`` - * ``ssh-copy-id app`` - * ``ssh-copy-id mon`` - * ``ssh-add -D`` +14. + + a. Insert AW1. It should show up in the list of storage devices in the file manager under + a label like "7.0 GB Encrypted". Click the label and enter the drive + password when prompted to unlock it. + b. In a terminal, type the following commands to authorize the newly created SSH keypair + on your servers: + + * ``ssh-add`` + * ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa`` + * ``ssh-copy-id app`` + * ``ssh-copy-id mon`` + * ``ssh-add -D`` + c. From the file manager (**Applications ▸ Accessories ▸ Files**), eject AW1. 15. Confirm that you are able to access ``mon`` and ``app`` via SSH. The following commands should produce the following output::
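Review bot: in this hunk (@@ -58,14 +58,20 @@), the new step 14 is a bare enumerator (``14.`` followed by a blank line), so the reader is given sub-steps a to c with no statement of what they accomplish; give it a lead-in such as ``14. Authorize AW2's new SSH keypair on the servers:``. In sub-step b, ``ssh-add -D`` is the line that removes AW1's private key from the AW2 agent, so the text should say to run it even if an earlier ``ssh-copy-id`` fails, and sub-step c's eject of AW1 should be described as required rather than optional, since AW1's unlocked volume otherwise stays mounted on AW2 for the remaining steps.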