diff --git a/docs/admin/install/install.rst b/docs/admin/install/install.rst index 0b4cac5..17be19f 100644 --- a/docs/admin/install/install.rst +++ b/docs/admin/install/install.rst @@ -4,7 +4,12 @@ Installing SecureDrop Workstation Copy the submission key ~~~~~~~~~~~~~~~~~~~~~~~ -In order to decrypt submissions, your SecureDrop Workstation will need a copy of the secret key from your SecureDrop instance's SVS. To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. Note that you cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below to copy the file into ``dom0``: +In order to decrypt submissions, your SecureDrop Workstation will need a copy of the secret key from your SecureDrop instance's SVS. + +.. note:: + Secret submission keys that are password-protected will need to have their password removed in order for SecureDrop Workstation to function properly. To export a copy that does not require a passphrase, see :doc:`/admin/reference/removing_gpg_passphrase`. + +To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. Note that you cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below to copy the file into ``dom0``: - First, use the network manager widget in the upper right panel to disable your network connection. These instructions refer to the ``vault`` VM, which has no network access by default, but if the SVS USB is attached to another VM by mistake, this will offer some protection against exfiltration. diff --git a/docs/admin/reference/removing_gpg_passphrase.rst b/docs/admin/reference/removing_gpg_passphrase.rst new file mode 100644 index 0000000..5852c2d --- /dev/null +++ b/docs/admin/reference/removing_gpg_passphrase.rst 
@@ -0,0 +1,42 @@ +Removing the Passphrase from a GPG Key +====================================== + +First, in a ``dom0`` terminal on your Qubes workstation (Qubes Menu > ⚙️ > Other > Xfce Terminal) and assuming the key is in a file ``sd-journalist.sec`` in your home directory, import the passphrase-protected secret key: + +.. code-block:: sh + + export GPGTMP=`mktemp -d` # create a tempdir + gpg --homedir=${GPGTMP} --pinentry=loopback --import sd-journalist.sec + +Next, check the key id: + +.. code-block:: sh + + gpg --homedir=${GPGTMP} --list-secret-keys --keyid-format=long + +The output should list the key with a line similar to: + +.. code-block:: sh + + sec rsa4096/XXXXXXXXXX + +The ``XXXXXXXXXX`` value is the key id, which you can use to open the key in edit mode with the following command: + +.. code-block:: sh + + gpg --homedir=${GPGTMP} --pinentry=loopback --edit-key XXXXXXXXXX + +In the GPG interactive prompt, enter the command ``passwd`` to change the passphrase. You will first be prompted for the current passphrase, so enter that. Then, on the next prompt, just hit enter for a new blank passphrase, and enter again when prompted to repeat it. Then exit with the command ``quit``. + +You should now have a passphrase-less version of the key in the $GPGTMP keyring. To export it, use the following command with the same key id as above: + +.. code-block:: sh + + gpg --homedir=${GPGTMP} --export-secret-key --armor XXXXXXXXXX > /tmp/nopassphrase.sec + +Verify that the new keyfile ``/tmp/nopassphrase.sec`` starts with the ``-----BEGIN PGP PRIVATE KEY BLOCK-----`` line. If it does, the export was successful. You can now copy it into place and check the config again with the commands: + +.. code-block:: sh + + sudo cp /tmp/nopassphrase.sec /usr/share/securedrop-workstation-dom0-config/sd-journalist.sec + sdw-admin --validate diff --git a/docs/index.rst b/docs/index.rst index 7dd408f..e131a09 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -56,6 +56,7 @@ against malware and other security risks. It is built on Qubes OS and requires a admin/reference/troubleshooting_updates admin/reference/provisioning_usb admin/reference/backup + admin/reference/removing_gpg_passphrase * :ref:`genindex` * :ref:`search`
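Review bot: the new note in the install.rst hunk leaves it ambiguous where the passphrase is removed. It is placed before the air-gap steps (network disabled, SVS USB attached to the ``vault`` VM), while the linked removing_gpg_passphrase page runs the whole procedure in a ``dom0`` terminal on an ``sd-journalist.sec`` that has already been copied into the home directory. Suggest stating the order explicitly, e.g. "After copying the key into ``dom0`` as described below, remove its passphrase as described in :doc:`/admin/reference/removing_gpg_passphrase`", so an admin does not attempt this on the SVS or in a networked VM.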
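Review bot: the removing_gpg_passphrase.rst procedure never cleans up the unencrypted key material it creates. After the final ``sudo cp`` and ``sdw-admin --validate``, the passphrase-less key is still present in the ``${GPGTMP}`` keyring and in ``/tmp/nopassphrase.sec``; add a closing step such as ``rm -rf "${GPGTMP}" /tmp/nopassphrase.sec`` (and ``unset GPGTMP``) so the only copy left is the one under ``/usr/share/securedrop-workstation-dom0-config/``. A smaller point in the same hunk: GnuPG documents this option as ``--pinentry-mode loopback``, so the ``--pinentry=loopback`` used in the ``--import`` and ``--edit-key`` commands only works if gpg accepts it as an unambiguous abbreviation; write it out in full to avoid a confusing failure.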