From 963b99208927b946ae13c11b92d214aa57423a63 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Thu, 15 Aug 2019 15:34:21 -0700 Subject: [PATCH 1/2] Remove obsolete and redundant Tails Guide This guide was written with Tails 2 in mind (e.g., it refers to the old greeter screen), and does not instruct the user to perform proper verification steps when checking out the SecureDrop codebase. It is redundant with instructions elsewhere in the docs. Resolves #4566 --- docs/index.rst | 1 - docs/passphrases.rst | 6 +- docs/set_up_admin_tails.rst | 4 +- docs/tails_guide.rst | 165 ---------------------------------- docs/tails_printing_guide.rst | 3 +- 5 files changed, 8 insertions(+), 171 deletions(-) delete mode 100644 docs/tails_guide.rst diff --git a/docs/index.rst b/docs/index.rst index 3aa0ab6078..283fe1712e 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -70,7 +70,6 @@ anonymous sources. what_makes_securedrop_unique logging ossec_alerts - tails_guide tails_printing_guide https_source_interface ssh_over_local_net diff --git a/docs/passphrases.rst b/docs/passphrases.rst index dd9cf9eb2e..ebbe83a864 100644 --- a/docs/passphrases.rst +++ b/docs/passphrases.rst @@ -11,7 +11,9 @@ each role in a SecureDrop installation. password manager included in Tails, to generate and retain strong and unique passphrases. We have created a template passphrase database that you can use to get started. For more - information, see the :doc:`tails_guide`. + information, see the :ref:`KeePassX setup instructions `, + which are identical for the *Admin Workstation* and the + *Journalist Workstation*. .. tip:: For best practices on managing passphrases, see :doc:`passphrase_best_practices`. 
@@ -21,7 +23,7 @@ Admin The admin will be using the *Admin Workstation* with Tails to connect to the *Application Server* and the *Monitor Server* using Tor and SSH. The tasks -performed by the admin will require the following set of credentials and +performed by the admin will require the following set of credentials and passphrases: - A passphrase for the persistent volume on the Admin Live USB. diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst index 1eefa6bf86..9987be5791 100644 --- a/docs/set_up_admin_tails.rst +++ b/docs/set_up_admin_tails.rst @@ -143,6 +143,8 @@ output of that last command along with the fingerprint above. and you should **not** proceed with the installation. If this happens, please contact us at securedrop@freedom.press. +.. _keepassx_setup: + Create the Admin Passphrase Database ------------------------------------ @@ -174,7 +176,7 @@ To use the template: file used to protect the database. In case you wish to manually create a database, the suggested password fields in -the admin template are: +the template are: **Admin**: diff --git a/docs/tails_guide.rst b/docs/tails_guide.rst deleted file mode 100644 index f7b89cf21c..0000000000 --- a/docs/tails_guide.rst +++ /dev/null 
@@ -1,165 +0,0 @@ -Tails Guide -=========== - -To log-in to SecureDrop and retrieve messages sent by sources, the journalist -must be using the Tails operating system. The admin must also use Tails to -access the *Journalist Interface* and create new users. - -If you followed the :doc:`SecureDrop Installation instructions ` -correctly, you should have already created a *Journalist Workstation* Tails USB -and an *Admin Workstation* Tails USB and enabled the persistence volume on -each. If you have not, or need to create another Tails USB for a second -journalist, follow the steps below. - -If you already know how to boot the *Admin Workstation* or *Journalist Workstation* -Tails USB with persistence, you can skip down to the step 'download the repository'. - -Note that for all of these instructions to work, you should have already -installed the main SecureDrop application. It is also required that you use -Tails version 2.x or greater. - -Installing Tails on USB Sticks ------------------------------- - -Tails is a live operating system that is run from removable media, such as a -DVD or a USB stick. For SecureDrop, you'll need to install Tails onto USB -sticks and enable persistent storage. - -We recommend creating an initial Tails Live USB or DVD, and then using that to -create additional Tails Live USBs with the *Tails Installer*, a special program -that is only available from inside Tails. *You will only be able to create -persistent volumes on USB sticks that had Tails installed via the Tails -Installer*. - -The `Tails website `__ has detailed and up-to-date -instructions on how to download and verify Tails, and how to create a Tails USB -stick. Here are some links to help you out: - -- `Download and verify the Tails .iso and install onto a USB stick or SD card`_ -- `Create & configure the persistent volume`_ - -.. _`Download and verify the Tails .iso and install onto a USB stick or SD card`: https://tails.boum.org/install/index.en.html -.. 
_`Create & configure the persistent volume`: https://tails.boum.org/install/linux/usb/index.en.html#create-persistence - - -Configure Tails for Use with SecureDrop ---------------------------------------- - -.. _enable_persistence_in_tails: - -Persistence -~~~~~~~~~~~ - -Creating an encrypted persistent volume will allow you to securely save -information in the free space that is left on the *Transfer Device*. This -information will remain available to you even if you reboot Tails. Instructions -on how to create and use this volume can be found on the `Tails -website `__. -You will be asked to select from a list of persistence features, such as -personal data. We require that you enable **all** features. - -Start Tails and Enable the Persistent Volume -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When starting Tails, you should see a "Welcome to Tails" screen with two -options. Select *Yes* to enable the persistent volume and enter your passphrase. -Select *Yes* to show more options and click *Forward*. Enter an *Administration -passphrase* for use with this specific Tails session and click *Login*. - -Download the Repository -~~~~~~~~~~~~~~~~~~~~~~~ - -The rest of the SecureDrop-specific configuration is assisted by files stored -in the SecureDrop git repository. To get started, open a terminal and run the -following commands to download the git repository. Note that since the -repository is fairly large and Tor can be slow, this may take a few minutes. - -.. code:: sh - - cd ~/Persistent - git clone https://github.com/freedomofpress/securedrop.git - -Passphrase Database -~~~~~~~~~~~~~~~~~~~ - -We provide a KeePassX passphrase database template to make it easier for -admins and journalists to generate strong, unique passphrases and -store them securely. Once you have set up Tails with persistence and -have cloned the repo, you can set up your personal passphrase database -using this template. 
- -You can find the template in ``tails_files/securedrop-keepassx.kdbx`` -in the SecureDrop repository that you just cloned. - -To use the template: - -- Open the KeePassX program |KeePassX| which is already installed on - Tails -- Select **Database**, **Open database**, and navigate to the location of - **securedrop-keepassx.kdbx**, select it, and click **Open** -- Check the **password** box and hit **OK** -- Click **Database** and **Save Database As** -- Save the database in the Persistent folder - -.. tip:: If you would like to add a master passphrase, navigate to **Database** - and **Change master key**. Note that since each KeePassX database is - stored on the encrypted persistent volume, this additional passphrase - is not necessary. - -.. warning:: You will not be able to access your passphrases if you forget the - master passphrase or the location of the key file used to protect - the database. - - -Set Up Easy Access to the *Journalist Interface* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To complete setup of the *Admin Workstation* or Journalist Workstation, we -recommend using the scripts in ``tails_files`` to easily configure Tor to -access the *Journalist Interface*. - -Navigate to the directory with the setup scripts and begin the installation -by typing these commands into the terminal: - -:: - - ./securedrop-admin tailsconfig - -Type the administration passphrase that you selected when starting Tails and hit -enter. 
This installation script does the following: - -* Downloads additional software -* Installs a program that automatically and persistently configures Tor to - access the SecureDrop servers and interfaces, by adding ``HidServAuth`` values - to ``/etc/tor/torrc`` -* Sets up desktop and main menu shortcuts for the *Journalist Interface* and - *Source Interface* -* Sets up SSH host aliases for ``mon`` and ``app`` -* Makes it so that Tails installs Ansible at the beginning of every session - -If you are missing any files, the script will exit with an error. If you're -running this script as an admin, the entire setup should be automatic. - -If you're running the script as a journalist, you will need the .onion addresses -for each interface, provided to you by the admin. - -We use an "authenticated" Tor Hidden Service so that adversaries cannot access -the *Journalist Interface*, providing a layer of defense-in-depth which protects the -*Journalist Interface* even if there is a security vulnerability in the web -application, or if the journalist's username, passphrase, and two-factor token -are stolen. The extra configuration that is required is handled by this script. - -Our ``./securedrop-admin tailsconfig`` tool sets up Tails to work with SecureDrop -every time you login. As long as Tails is booted with the persistent volume enabled -then you can open the Tor Browser and connect to the *Journalist Interface* as normal. - -Create Bookmarks for *Source Interface* and *Journalist Interface* -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you want, you can open the browser and create bookmarks for the Source and -*Journalist Interfaces*. Navigate to the site you wish to bookmark, select -*Bookmarks* and *Bookmark This Page*, give the site a useful name (e.g. *Source -Interface*), and click *Done*. Tails will remember the bookmarks even if you -reboot. - -.. |KeePassX| image:: images/keepassx.png 
diff --git a/docs/tails_printing_guide.rst b/docs/tails_printing_guide.rst index c35c2f6a9a..b1eedc325e 100644 --- a/docs/tails_printing_guide.rst +++ b/docs/tails_printing_guide.rst @@ -38,8 +38,7 @@ attempting to use a new printer with Tails. .. note:: While, as of Tails 3, it's no longer necessary to have admin privileges in order to install or configure printers, we recommend that you - set an admin passphrase along with - :ref:`enabling persistence `; this ensures that + set an admin passphrase and unlock your persistent volume; this ensures that the printer's installation and configuration settings persist after every reboot, so you don't have to reinstall it each time you start Tails. From 1c8beedfa9b96f9fa5414e05b472348f84c15560 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Mon, 19 Aug 2019 15:06:10 -0700 Subject: [PATCH 2/2] Clarify initialization of KeePassX database on Journalist Workstation --- docs/onboarding.rst | 9 +++++++++ docs/passphrases.rst | 9 ++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/onboarding.rst b/docs/onboarding.rst index b0fe35f367..a5655135b3 100644 --- a/docs/onboarding.rst +++ b/docs/onboarding.rst 
@@ -51,6 +51,15 @@ To create a *Journalist Interface* Tails USB, just follow the same procedure you used to create a Tails USB with persistence for the *Admin Workstation*, as documented in the :doc:`Tails Setup Guide `. +.. note:: + + As with your *Admin Workstation*, you can use a fresh copy of the blank + KeePassX template in the repository to initialize the password database + on the *Journalist Workstation*. You can safely edit this copy to remove + sections or fields that are not relevant for the journalist you are + onboarding. For example, the admin section of the password database should + never be filled in on a *Journalist Workstation*. + Once you're done, boot into the new Journalist Tails USB on the *Journalist Workstation*. Enable persistence and set an admin passphrase before continuing with the next section. diff --git a/docs/passphrases.rst b/docs/passphrases.rst index ebbe83a864..9ffceba0b5 100644 --- a/docs/passphrases.rst +++ b/docs/passphrases.rst @@ -9,11 +9,10 @@ each role in a SecureDrop installation. .. note:: We encourage each end user to use KeePassX, an easy-to-use password manager included in Tails, to generate and retain - strong and unique passphrases. We have created a template - passphrase database that you can use to get started. For more - information, see the :ref:`KeePassX setup instructions `, - which are identical for the *Admin Workstation* and the - *Journalist Workstation*. + strong and unique passphrases. The SecureDrop code repository includes + a template that you can use to initialize this database for an + *Admin Workstation* or a *Journalist Workstation*. For more + information, see the :ref:`KeePassX setup instructions `. .. tip:: For best practices on managing passphrases, see :doc:`passphrase_best_practices`.
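
Review bot: In docs/passphrases.rst, the new cross-reference appears here as ":ref:`KeePassX setup instructions `", with link text but no target in angle brackets, both where [PATCH 1/2] adds it and where [PATCH 2/2] rewrites it. The role has to name the `keepassx_setup` label that this series adds to docs/set_up_admin_tails.rst, or Sphinx cannot resolve it. Please confirm the target is present in the real file and that a docs build with warnings treated as errors passes. Since [PATCH 2/2] rewrites the same note that [PATCH 1/2] just introduced, the two edits to this paragraph could also be squashed.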
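
Review bot: The second docs/passphrases.rst hunk in [PATCH 1/2] (the "Admin" section) removes and re-adds "performed by the admin will require the following set of credentials and" with no visible change in wording, so it looks like a whitespace-only edit unrelated to removing the Tails Guide. Either drop it from this commit or mention the cleanup in the commit message so the change is not mistaken for a content edit.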
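
Review bot: In docs/set_up_admin_tails.rst, the `keepassx_setup` label sits directly above the heading "Create the Admin Passphrase Database", and the second hunk changes "the admin template" to "the template" while the list that follows still opens with "**Admin**:". docs/passphrases.rst now sends journalists to this section, and [PATCH 2/2] removes the sentence saying the instructions are identical for both workstations, so a journalist who follows the link lands on an admin-titled section with nothing stating that it applies to them. Consider renaming the heading or adding one sentence under it saying the same steps are used on the *Journalist Workstation*.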
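
Review bot: The deletion of docs/tails_guide.rst also removes the only text in this diff that says what `./securedrop-admin tailsconfig` changes on the workstation (the ``HidServAuth`` values added to ``/etc/tor/torrc``, the SSH host aliases for ``mon`` and ``app``, installing Ansible at the start of every session) and why the *Journalist Interface* uses an authenticated Tor Hidden Service. The commit message says the guide is redundant with instructions elsewhere, but nothing in the patch shows where that explanation lives now; please name the page in the commit message, or move those paragraphs before deleting the file. The file also defined the `enable_persistence_in_tails` label and the `|KeePassX|` substitution, so it is worth checking that no remaining page uses either and that `images/keepassx.png` is not left orphaned. The diffstat adds no redirect for the removed page, so existing links to it will break.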
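
Review bot: In docs/tails_printing_guide.rst, the replacement text "set an admin passphrase and unlock your persistent volume" drops the cross-reference entirely instead of retargeting it. A reader who has not done either step has no pointer to the instructions; consider linking to the Tails setup page that docs/onboarding.rst already references for creating a Tails USB with persistence.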
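
Review bot: In the docs/onboarding.rst note added by [PATCH 2/2], the last sentence says the admin section "should never be filled in on a *Journalist Workstation*", but the sentence before it only says the admin "can safely edit this copy to remove sections", which leaves removal optional. If admin credentials must not end up on a journalist's USB, state the removal of the admin section as the recommended step, and say explicitly that the database must be started from the blank template and not from a copy of the admin's populated database. The note also says "password database" where the rest of the series uses "passphrase database"; using one term throughout would avoid confusion.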