Document VeraCrypt support and drive creation process

freedomofpress · Mar 18, 2024 · 57c0b3d · 57c0b3d
1 parent 9eb318e
commit 57c0b3d
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 13 deletions.
diff --git a/docs/admin/known_issues.rst b/docs/admin/known_issues.rst
@@ -24,13 +24,11 @@ Current known issues
   performance and reliability of the updater.
 - SecureDrop instances with very large numbers of sources may encounter
   UI performance issues. While performance improvements are on the roadmap,
-  `our recommendation <https://docs.securedrop.org/en/stable/admin/maintenance/backup_and_restore.html#minimizing-disk-use>`_ 
+  `our recommendation <https://docs.securedrop.org/en/stable/admin/maintenance/backup_and_restore.html#minimizing-disk-use>`_
   is to delete information from the servers as regularly as possible, both
   for performance and security reasons.
 - There is currently no mechanism for cancelling or retrying file downloads.
   This feature is planned.
-- Currently, only LUKS-encrypted *Export Devices* are supported. VeraCrypt support
-  will be added in a future release.
 - Printer support is limited to a specific HP printer model, and printing
   different file types is not as reliable yet as under Tails. Support for
   additional non-networked printers will be added in a future release.

diff --git a/docs/admin/provisioning_usb.rst b/docs/admin/provisioning_usb.rst
@@ -4,27 +4,28 @@ Provisioning Export USB devices
 .. include:: ../includes/top-warning.rst
 
 SecureDrop Workstation supports the export of submissions from the Qubes client
-to an encrypted USB *Export Device*. 
+to a LUKS- or VeraCrypt-encrypted USB *Export Device*.
 
-.. note:: Currently only LUKS-encrypted devices are supported,
-  which effectively restricts the *Export Device* to use with Linux-based
-  systems such as Tails. Support for Veracrypt-encrypted devices is planned,
-  which will allow the use of the *Export Device* with MacOS and Windows systems.
+Creating a LUKS-encrypted drive
+-------------------------------
 
-In order to provision an *Export Device* for use with SecureDrop Workstation,
+.. note:: LUKS-encrypted devices can only be used with Linux-based
+  systems such as Tails. For compatibility with macOS and Windows systems, use VeraCrypt.
+
+In order to provision a LUKS-encrypted *Export Device* for use with SecureDrop Workstation,
 you will need a fresh USB stick and a Linux-based system. Tails is recommended -
 if available, the *Secure Viewing Station* can be used, adding the extra benefit
 of its airgap:
 
-- First, boot into the *Secure Viewing Station*, without unlocking its 
-  persistent volume or setting an admin password. 
+- First, boot into the *Secure Viewing Station*, without unlocking its
+  persistent volume or setting an admin password.
 - Next, open the Disks utility: **Applications > Utilities > Disks**.
 - Connect the fresh USB stick and select it in the list in the left-hand panel.
 
 .. warning:: The formatting operation will wipe any data on an existing partition.
   Make sure that you select the correct device!
 
-- Click the interlocking gear icon under the drive volumes schematic in the 
+- Click the interlocking gear icon under the drive volumes schematic in the
   right-hand panel and choose **Format Partition...**.
 - Select the following options in the Format Volume dialog:
 
@@ -38,5 +39,43 @@ of its airgap:
   again. The formatting process should take only a few seconds.
 - Once formatting is complete, you will need to provide the *Export Device* and
   its decryption password to the SecureDrop Workstation users. Make sure that
-  they store it and its password securely, as it will contain decrypted 
+  they store it and its password securely, as it will contain decrypted
+  submissions.
+
+Creating a VeraCrypt-encrypted drive
+------------------------------------
+
+- If it isn't already done, download and install the `VeraCrypt software <https://www.veracrypt.fr/en/Home.html>`_.
+- Start VeraCrypt from your computer's application or software interface.
+- Click **Create Volume**
+- Select **Encrypt a non-system partition/drive** and click **Next**.
+- Select **Standard VeraCrypt volume** and click **Next**
+- Connect your fresh USB stick and click **Select Device...** to choose your USB.
+.. warning:: The formatting operation will wipe any data on an existing partition.
+  Make sure that you select the correct device!
+
+  - You may see a warning that says "We strongly recommend that inexperienced
+    users create a VeraCrypt file container on the selected device/partition,
+    instead of attempting to encrypt the entire device/partition." Click **Yes**.
+  - Click **Next** to advance.
+- You will be prompted to set a password. This password
+  should be strong - a 6-word `Diceware <https://en.wikipedia.org/wiki/Diceware>`_
+  passphrase is highly recommended.
+- You will be asked if you need to store large files, select **No** and click **Next**.
+- Select the following options in the Volume Format dialog:
+
+  - Filesystem: FAT
+  - Quick Format: unselected
+- Click **Next**. VeraCrypt will now collect entropy from your mouse movements.
+  Randomly move your mouse cursor around the screen until the progress bar is filled up.
+  Then click **Format**.
+
+  - You will be reminded that all files on the device will be erased and lost and given
+    a final confirmation to begin. Click **Yes**.
+- Wait until VeraCrypt says "The VeraCrypt volume has been successfully created." Until
+  this pops up, it may look like the program is frozen, but it's running in the background.
+- Click **OK** and then **Exit** to finish formatting process.
+- Once formatting is complete, you will need to provide the *Export Device* and
+  its decryption password to the SecureDrop Workstation users. Make sure that
+  they store it and its password securely, as it will contain decrypted
   submissions.