Document VeraCrypt support and drive creation process

docs/admin/known_issues.rst

@@ -24,13 +24,11 @@ Current known issues
   performance and reliability of the updater.
 - SecureDrop instances with very large numbers of sources may encounter
   UI performance issues. While performance improvements are on the roadmap,
-  `our recommendation <https://docs.securedrop.org/en/stable/admin/maintenance/backup_and_restore.html#minimizing-disk-use>`_ 
+  `our recommendation <https://docs.securedrop.org/en/stable/admin/maintenance/backup_and_restore.html#minimizing-disk-use>`_
   is to delete information from the servers as regularly as possible, both
   for performance and security reasons.
 - There is currently no mechanism for cancelling or retrying file downloads.
   This feature is planned.
-- Currently, only LUKS-encrypted *Export Devices* are supported. VeraCrypt support
-  will be added in a future release.
 - Printer support is limited to a specific HP printer model, and printing
   different file types is not as reliable yet as under Tails. Support for
   additional non-networked printers will be added in a future release.

docs/admin/provisioning_usb.rst

@@ -4,27 +4,28 @@ Provisioning Export USB devices
 .. include:: ../includes/top-warning.rst
 
 SecureDrop Workstation supports the export of submissions from the Qubes client
-to an encrypted USB *Export Device*. 
+to a LUKS- or VeraCrypt-encrypted USB *Export Device*.
 
-.. note:: Currently only LUKS-encrypted devices are supported,
-  which effectively restricts the *Export Device* to use with Linux-based
-  systems such as Tails. Support for Veracrypt-encrypted devices is planned,
-  which will allow the use of the *Export Device* with MacOS and Windows systems.
+Creating a LUKS-encrypted drive
+-------------------------------
 
-In order to provision an *Export Device* for use with SecureDrop Workstation,
+.. note:: LUKS-encrypted devices can only be used with Linux-based
+  systems such as Tails. For compatibility with macOS and Windows systems, use VeraCrypt.
+
+In order to provision a LUKS-encrypted *Export Device* for use with SecureDrop Workstation,
 you will need a fresh USB stick and a Linux-based system. Tails is recommended -
 if available, the *Secure Viewing Station* can be used, adding the extra benefit
 of its airgap:
 
-- First, boot into the *Secure Viewing Station*, without unlocking its 
-  persistent volume or setting an admin password. 
+- First, boot into the *Secure Viewing Station*, without unlocking its
+  persistent volume or setting an admin password.
 - Next, open the Disks utility: **Applications > Utilities > Disks**.
 - Connect the fresh USB stick and select it in the list in the left-hand panel.
 
 .. warning:: The formatting operation will wipe any data on an existing partition.
   Make sure that you select the correct device!
 
-- Click the interlocking gear icon under the drive volumes schematic in the 
+- Click the interlocking gear icon under the drive volumes schematic in the
   right-hand panel and choose **Format Partition...**.
 - Select the following options in the Format Volume dialog:
 
@@ -38,5 +39,46 @@ of its airgap:
   again. The formatting process should take only a few seconds.
 - Once formatting is complete, you will need to provide the *Export Device* and
   its decryption password to the SecureDrop Workstation users. Make sure that
-  they store it and its password securely, as it will contain decrypted 
+  they store it and its password securely, as it will contain decrypted
+  submissions.
+
+Creating a VeraCrypt-encrypted drive
+------------------------------------
+
+- If it isn't already done, download and install the `VeraCrypt software <https://www.veracrypt.fr/en/Home.html>`_.
+- Start VeraCrypt from your computer's application or software interface.
+- Click **Create Volume**
+- Select **Encrypt a non-system partition/drive** and click **Next**.
+- Select **Standard VeraCrypt volume** and click **Next**
+- Connect your fresh USB stick and click **Select Device...** to choose your USB.
+
+  - You may see a warning that says "We strongly recommend that inexperienced
+    users create a VeraCrypt file container on the selected device/partition,
+    instead of attempting to encrypt the entire device/partition." We disagree with
+    this recommendation, so click **Yes**.
+  - Click **Next** to advance.
+
+.. warning:: The formatting operation will wipe any data on an existing partition.
+  Make sure that you select the correct device!
+
+- You will be prompted to set a password. This password
+  should be strong - a 6-word `Diceware <https://en.wikipedia.org/wiki/Diceware>`_
+  passphrase is highly recommended.
+- You will be asked if you need to store large files, select **No** and click **Next**.
+- Select the following options in the Volume Format dialog:
+
+  - Filesystem: FAT
+  - Quick Format: unselected
+- Click **Next**. VeraCrypt will now collect entropy from your mouse movements.
+  Randomly move your mouse cursor around the screen until the progress bar is filled up.
+  Then click **Format**.
+
+  - You will be reminded that all files on the device will be erased and lost and given
+    a final confirmation to begin. Click **Yes**.
+- Wait until VeraCrypt says "The VeraCrypt volume has been successfully created." Until
+  this pops up, it may look like the program is frozen, but it's running in the background.
+- Click **OK** and then **Exit** to finish formatting process.
+- Once formatting is complete, you will need to provide the *Export Device* and
+  its decryption password to the SecureDrop Workstation users. Make sure that
+  they store it and its password securely, as it will contain decrypted
   submissions.

docs/journalist/submissions.rst

@@ -56,26 +56,35 @@ administrator. The printer must be plugged into the computer's USB port.
 Exporting to an Export USB
 --------------------------
 
-Currently, a LUKS-encrypted USB drive is required for exporting submissions. A
-Linux-based system such as Tails is required to configure and use a LUKS-encrypted
-drive, meaning that for the time being, you will only be able to
-export to a Linux environment where these drives can be read. For assistance
-with this, see your SecureDrop administrator.
+Currently, a LUKS- or VeraCrypt-encrypted USB drive is required for exporting submissions.
 
-Once you have provisioned a LUKS-encrypted export drive, insert the drive and
-click **Export**.
+1. Insert the USB drive and wait for the ``sd-devices`` VM to start.
+2. If your drive is using VeraCrypt, you will need to unlock it manually:
 
-|screenshot_export_dialog|
+   1. Open the file menu by clicking on the **Q** application menu (in the top left),
+      select **sd-devices** and click **Files**.
+   2. In the left sidebar, there should be an entry labeled **# GB Possibly Encrypted**,
+      click it.
+      |screenshot_veracrypt_sd_devices_files|
+   3. You will be prompted for the password configured for this USB drive:
 
-You will be prompted for the password configured for this
-USB drive.
+      - Volume type: leave both unchecked
+      - PIM: leave empty
+      - Password: drive's password
+      - Forget password immediately: selected
 
-|screenshot_export_drive_passphrase|
+      |screenshot_veracrypt_sd_devices_files_unlock|
+   4. Click **Connect**.
 
-Once you see a message informing you that the export was successfully completed,
-you can safely unplug the USB drive. Alternatively, you can leave the drive
-plugged in and export additional files.
+3. Back in your source's conversation, click **Export**.
+   |screenshot_export_dialog|
+4. If you have not already unlocked your USB drive, you will be prompted for the
+   password configured for this USB drive.
+   |screenshot_export_drive_passphrase|
 
+5. Once you see a message informing you that the export was successfully completed,
+   you can safely unplug the USB drive. Alternatively, you can leave the drive
+   plugged in and export additional files.
 
 .. |screenshot_file_before_download| image:: ../images/screenshot_file_before_download.png
   :width: 100%
@@ -89,3 +98,7 @@ plugged in and export additional files.
   :width: 100%
 .. |screenshot_export_drive_passphrase| image:: ../images/screenshot_export_drive_passphrase.png
   :width: 100%
+.. |screenshot_veracrypt_sd_devices_files| image:: ../images/screenshot_veracrypt_sd_devices_files.png
+  :width: 100%
+.. |screenshot_veracrypt_sd_devices_files_unlock| image:: ../images/screenshot_veracrypt_sd_devices_files_unlock.png
+  :width: 100%