Generate the SecureDrop Submission Key

When a document or message is submitted to SecureDrop by a source, it is automatically encrypted with the SecureDrop Submission Key. The private part of this key is stored only on the Secure Viewing Station, which is never connected to the Internet. SecureDrop submissions can only be decrypted and read on the Secure Viewing Station.

We will now generate the SecureDrop Submission Key.

Create the Key

  1. Navigate to Applications ▸ Terminal to open a terminal.
  2. In the terminal, run gpg --full-generate-key:

    [Screenshot: GPG generate key]

  3. When it says Please select what kind of key you want, choose "(1) RSA and RSA (default)".
  4. When it asks What keysize do you want?, type 4096.
  5. When it asks Key is valid for?, press Enter. This means your key does not expire.
  6. It will let you know that this means the key does not expire at all and ask for confirmation. Type y and hit Enter to confirm.

    [Screenshot: GPG key options]

  7. Next it will prompt you for user ID setup. Use the following options:
    • Real name: "SecureDrop"
    • Email address: leave this field blank
    • Comment: [Your Organization's Name] SecureDrop Submission Key
  8. GPG will confirm these options. Verify that everything is written correctly. Then type O for (O)kay and hit Enter to continue:

    [Screenshot: OK to generate]

  9. A box will pop up (twice) asking you to type a passphrase. Since the key is protected by the encryption on the Tails persistent volume, it is safe to simply click OK without entering a passphrase.
  10. The software will ask you if you are sure. Click Yes, protection is not needed.
  11. Wait for the key to finish generating.

Export the Public Key

To manage GPG keys using the graphical interface (a program called Seahorse), click the clipboard icon in the top right corner and select "Manage Keys". Click "GnuPG keys" and you should see the key that you just generated.

[Screenshot: My Keys]

  1. Select the key you just generated and click "File" then "Export".
  2. Save the key to the Transfer Device as SecureDrop.asc. Before saving, change the file type from "PGP keys" to "Armored PGP keys" using the selector at the bottom of the Save window, then click the 'Export' button.

Note

This is the public key only.

[Screenshots: Export Key, Export Key 2]

You'll need to provide the fingerprint of this new key during the installation. Double-click on the newly generated key and change to the Details tab. Write down the 40 hexadecimal digits under Fingerprint.

[Screenshot: Fingerprint]

Note

Your fingerprint will be different from the one in the example screenshot.
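
As an added example (not part of the SecureDrop documentation), the shell function below checks a `gpg --with-colons` listing of the exported file against the choices made in this guide: RSA, 4096 bits, no expiry, public key only. On success it prints the 40-digit fingerprint so it can be compared with the one written down. The function name `check_submission_key` and the sample listing are constructed for illustration.

```bash
# Added example. Usage on a real export (reads the file, does not import it):
#   gpg --show-keys --with-colons SecureDrop.asc | check_submission_key

# Constructed sample listing (key IDs and fingerprints are made up).
SAMPLE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::SecureDrop (Example Org SecureDrop Submission Key):
sub:-:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

check_submission_key() {
    awk -F: '
        function err(msg) { print "FAIL: " msg > "/dev/stderr"; bad = 1 }

        # Colon-listing fields: 1 = record type, 3 = key length,
        # 4 = public-key algorithm (1 is RSA), 7 = expiry, 10 = fingerprint.

        # The Transfer Device must never carry the private key.
        $1 == "sec" || $1 == "ssb" { err("listing contains secret key material") }

        # Primary key and subkey must match the options chosen at generation.
        $1 == "pub" || $1 == "sub" {
            if ($4 != 1)    err($1 " key is not RSA (algorithm " $4 ")")
            if ($3 != 4096) err($1 " key is " $3 " bits, expected 4096")
            if ($7 != "")   err($1 " key has an expiry date set")
            if ($1 == "pub") { npub++; want_fpr = 1 }
        }

        # Only the fpr record directly after the primary key is the one
        # SecureDrop asks for; subkey fingerprints are skipped.
        $1 == "fpr" && want_fpr {
            want_fpr = 0
            fpr = $10
            if (length(fpr) != 40 || fpr !~ /^[0-9A-F]+$/)
                err("fingerprint is not 40 hexadecimal digits")
        }

        END {
            if (npub != 1) err("expected exactly one primary public key, found " (npub + 0))
            if (bad) exit 1
            print fpr
        }
    '
}
```

The function exits non-zero and prints each failed check to stderr, so a file that was accidentally exported with private key material, or a key generated with different options, is caught before installation.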

At this point, you are done with the Secure Viewing Station for now. You can shut down Tails, grab the Admin Workstation Tails USB and move over to your regular workstation.