Requirement for passphrase-less submission keys

docs/admin/install/install.rst

@@ -4,7 +4,12 @@ Installing SecureDrop Workstation
 Copy the submission key
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-In order to decrypt submissions, your SecureDrop Workstation will need a copy of the secret key from your SecureDrop instance's SVS. To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. Note that you cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below to copy the file into ``dom0``:
+In order to decrypt submissions, your SecureDrop Workstation will need a copy of the secret key from your SecureDrop instance's SVS.
+
+.. note::
+   Secret submission keys that are password-protected will need to have their password removed in order for SecureDrop Workstation to function properly. To export a copy that does not require a passphrase, see :doc:`/admin/reference/removing_gpg_passphrase`.
+
+To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. Note that you cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below to copy the file into ``dom0``:
 
 - First, use the network manager widget in the upper right panel to disable your network connection. These instructions refer to the ``vault`` VM, which has no network access by default, but if the SVS USB is attached to another VM by mistake, this will offer some protection against exfiltration.
 

docs/admin/reference/removing_gpg_passphrase.rst

@@ -0,0 +1,42 @@
+Removing the Passphrase from a GPG Key
+======================================
+
+First, in a ``dom0`` terminal on your Qubes workstation (Qubes Menu > ⚙️  > Other > Xfce Terminal) and assuming the key is in a file ``sd-journalist.sec`` in your home directory, import the passphrase-protected secret key:
+
+.. code-block:: sh
+
+  export GPGTMP=`mktemp -d`    # create a tempdir
+  gpg --homedir=${GPGTMP} --pinentry=loopback --import sd-journalist.sec    
+
+Next, check the key id:
+
+.. code-block:: sh
+
+  gpg --homedir=${GPGTMP} --list-secret-keys --keyid-format=long
+
+The output should list the key with a line similar to:
+
+.. code-block:: sh
+
+  sec   rsa4096/XXXXXXXXXX <creation date>    
+
+The ``XXXXXXXXXX`` value is the key id, which you can use to open the key in edit mode with the following command:
+
+.. code-block:: sh
+
+  gpg --homedir=${GPGTMP} --pinentry=loopback --edit-key XXXXXXXXXX
+
+In the GPG interactive prompt, enter the command ``passwd`` to change the passphrase. You will first be prompted for the current passphrase, so enter that. Then, on the next prompt, just hit enter for a new blank passphrase, and enter again when prompted to repeat it. Then exit with the command ``quit``.
+
+You should now have a passphrase-less version of the key in the $GPGTMP keyring. To export it, use the following command with the same key id as above:
+
+.. code-block:: sh
+
+  gpg --homedir=${GPGTMP} --export-secret-key --armor XXXXXXXXXX > /tmp/nopassphrase.sec
+
+Verify that the new keyfile ``/tmp/nopassphrase.sec`` starts with the ``-----BEGIN PGP PRIVATE KEY BLOCK-----`` line. If it does, the export was successful. You can now copy it into place and check the config again with the commands:
+
+.. code-block:: sh
+
+  sudo cp /tmp/nopassphrase.sec /usr/share/securedrop-workstation-dom0-config/sd-journalist.sec
+  sdw-admin --validate

docs/index.rst

@@ -56,6 +56,7 @@ against malware and other security risks. It is built on Qubes OS and requires a
    admin/reference/troubleshooting_updates
    admin/reference/provisioning_usb
    admin/reference/backup
+   admin/reference/removing_gpg_passphrase
 
 * :ref:`genindex`
 * :ref:`search`