Add VeraCrypt instructions to journalist guide, remove GPG instructions

Detailed justification in #4657

docs/generate_submission_key.rst

@@ -96,5 +96,4 @@ workstation.
 .. |Export Key| image:: images/install/exportkey.png
 .. |Export Key 2| image:: images/install/exportkey2.png
 .. |Fingerprint| image:: images/install/fingerprint.png
-.. |Nautilus| image:: images/nautilus.png
 .. |Terminal| image:: images/terminal.png

docs/glossary.rst

@@ -155,7 +155,7 @@ to  transfer encrypted documents from the *Journalist Workstation* to the
 
 Please see the detailed security recommendations for the choice, configuration
 and use of your *Transfer Device* in the :doc:`journalist guide <journalist>`
-and in the :doc:`setup guide <set_up_transfer_and_export_device>` .
+and in the :doc:`setup guide <set_up_transfer_and_export_device>`.
 
 Export Device
 -------------

docs/journalist.rst

@@ -30,22 +30,6 @@ administrator if you have trouble.
 .. _`Tails
    Upgrade Documentation`: https://tails.boum.org/doc/first_steps/upgrade/index.en.html
 
-
-Creating a GPG Key
-------------------
-We recommend creating a personal GPG key for encrypting files before moving
-them from the *Secure Viewing Station* to your everyday workstation. A GPG key
-has two parts: a *public key* and a *private key*. The private key, used for
-decryption, stays on your everyday workstation. The public key, used for
-encryption, is copied to the *Secure Viewing Station*.
-
-If you do not yet have a GPG key, follow the instructions for your
-operating system to set one up:
-
-- `Windows <https://ssd.eff.org/en/module/how-use-pgp-windows>`__
-- `Mac OS <https://ssd.eff.org/en/module/how-use-pgp-mac-os-x>`__
-- `GNU/Linux <https://ssd.eff.org/en/module/how-use-pgp-linux>`__
-
 Connecting to the *Journalist Interface*
 ----------------------------------------
 Journalists viewing documents on SecureDrop must connect to the
@@ -243,6 +227,15 @@ USB stick you intend to use to transfer the documents from your
 *Journalist Workstation* to the *Secure Viewing Station*. This storage
 device is known as your *Transfer Device*.
 
+.. note::
+
+   If the *Transfer Device* was set up according to our recommendations, you will
+   be prompted for a decryption passphrase on the *Journalist Workstation* and
+   the *Secure Viewing Station* before being able to use it in a given session.
+   We recommend storing this passphrase in your own personal password manager
+   (e.g., on your smartphone), so that it is readily accessible to you whenever
+   you need it.
+
 You can right-click the file and select **Copy to**, then select the *Transfer
 Device*, as shown in the screenshots below.
 
@@ -523,44 +516,82 @@ by default, which may reveal sensitive information about your SecureDrop
 usage patterns (potentially including GPS coordinates) to anyone who gains access
 to the file.
 
-Encrypting and Moving Documents to Your Everyday Workstation
-------------------------------------------------------------
+Moving Documents to Your Everyday Workstation
+---------------------------------------------
 
-Before moving documents back to the *Transfer Device* to copy them to
-your everyday workstation, encrypt them to your personal GPG key that you
-imported when setting up the *Secure Viewing Station*.
+.. important::
 
-To do this, right-click on the document you want to encrypt and choose
-**Encrypt...**.
+   As noted above, SecureDrop does not scan for or remove malware. If the file
+   you received contains malware targeting the operating system and applications
+   running on your everyday workstation, copying it in its original form carries
+   the risk of spreading malware to that computer. Make sure you understand the
+   risks, and consider other methods to export the document (e.g., print).
 
-|Encrypting 1|
+If you want to copy files from your *Secure Viewing Station* to your everyday
+workstation, our :doc:`recommendation <set_up_transfer_and_export_device>` is
+that journalists are provided with an *Export Device*, typically a USB drive,
+which is encrypted using `VeraCrypt <https://www.veracrypt.fr/en/Home.html>`__.
+These instructions assume that you are following the recommended workflow.
+If you are unsure, ask your administrator.
 
-Then choose your public key (and, if you choose, any additional keys,
-such as an editor's) and click **OK**.
+To open the *Export Device* on the *Secure Viewing Station*, follow these steps:
 
-|Encrypting 2|
+1. If your *Export Device* has a physical write protection switch, make sure
+   it is in the *unlocked* position.
+2. Plug the *Export Device* into the *Secure Viewing Station*.
+3. Click **Applications ▶ Utilities ▶ Unlock VeraCrypt Volumes**
+4. Under "Partitions and Drives", select the *Export Device* and click
+   **Unlock**.
+5. Enter your passphrase, which we recommend keeping in your own personal
+   password manager (e.g., on your smartphone), not on KeePassX.
+6. Under "Partitions and Drives", open the encrypted drive by clicking
+   **Open**.
 
-When you are done encrypting, you will have another document with the
-same filename but ending in ``.pgp`` (not ``.gpg``; the ``.pgp`` extension is
-just another way to refer to the same format). This file is encrypted to the GPG
-keys you selected. You can now copy these encrypted files to the *Transfer
-Device* to transfer them to your everyday workstation.
+Steps 3-6 are illustrated below:
 
-|Encrypted document|
+|Unlock VeraCrypt in Tails 1|
 
-.. important::
+|Unlock VeraCrypt in Tails 2|
 
-   As noted above, SecureDrop does not scan for or remove malware. If the file
-   you received contains malware targeting the operating system and applications
-   running on your everyday workstation, copying it in its original form carries
-   the risk of spreading malware to that computer. Make sure you understand the
-   risks, and consider other methods to export the document (e.g., print).
+|Unlock VeraCrypt in Tails 3|
+
+|Unlock VeraCrypt in Tails 4|
+
+The *Export Device* should now open in the file manager. If there are still
+files on the *Export Device* from your last copy operation,
+`securely delete <https://tails.boum.org/doc/encryption_and_privacy/secure_deletion/index.en.html#index3h1>`__
+them now.
+
+Copy the file or files you want to access on your everyday workstation to the
+*Export Device* using the file manager.
+
+.. note:
 
 Decrypting and Preparing to Publish
 -----------------------------------
 
-Plug the *Transfer Device* into your everyday workstation computer and copy
-over the encrypted documents. Decrypt them with GPG.
+To access the *Export Device* on your everyday workstation, follow these steps:
+
+1. If your *Export Device* has a physical write protection switch, make sure it
+   is in the *locked* position.
+2. Plug the *Export Device* into your everyday workstation.
+3. Launch the VeraCrypt application.
+4. Click **Select Device** and select the *Export Device*, then click **OK**.
+5. Click **Mount**.
+6. Enter the passphrase for your *Export Device*. You should find this in your
+   own personal password manager.
+7. Open the *Export Device* in your operating system's file manager, and copy
+   the contents of interest to your everyday workstation.
+
+For more information about working with VeraCrypt, see the
+`Freedom of the Press Foundation guide <https://freedom.press/training/encryption-toolkit-media-makers-veracrypt-guide/>`__.
+
+As a security precaution, we recommend deleting the files on the *Export Device*
+after each copy operation. If you are using write protection, you have to perform
+this step on the *Secure Viewing Station* to get the security benefits of write
+protection.
+
+When you are done, switch back to the VeraCrypt window, and click **Dismount**.
 
 You are now ready to write articles and blog posts, edit video and
 audio, and begin publishing important, high-impact work!
@@ -586,7 +617,8 @@ audio, and begin publishing important, high-impact work!
 .. |Flag for reply button| image:: images/manual/screenshots/journalist-col_has_no_key.png
 .. |Flag for reply notification| image:: images/manual/screenshots/journalist-col_flagged.png
 .. |Wiping documents| image:: images/manual/viewing5.png
-.. |Encrypting 1| image:: images/manual/viewing6.png
-.. |Encrypting 2| image:: images/manual/viewing7.png
-.. |Encrypted document| image:: images/manual/viewing8.png
 .. |Journalist account profile| image:: images/manual/screenshots/journalist-edit_account_user.png
+.. |Unlock VeraCrypt in Tails 1| image:: images/manual/unlock-veracrypt-in-tails-1.png
+.. |Unlock VeraCrypt in Tails 2| image:: images/manual/unlock-veracrypt-in-tails-2.png
+.. |Unlock VeraCrypt in Tails 3| image:: images/manual/unlock-veracrypt-in-tails-3.png
+.. |Unlock VeraCrypt in Tails 4| image:: images/manual/unlock-veracrypt-in-tails-4.png

docs/onboarding.rst

@@ -113,25 +113,14 @@ Finally, you need to add an account on the *Journalist Interface* so the journal
 can log in and access submissions. See the section on :ref:`Adding Users` in
 the admin Guide.
 
-Import GPG Keys for Journalists with Access to SecureDrop to the SVS
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-While working on a story, journalists may need to transfer some documents or
-notes from the *Secure Viewing Station* to the journalist's work computer on
-the corporate network. To do this, the journalist should re-encrypt them with
-their own keys. If a journalist does not already have a personal GPG key,
-they can follow the same steps above to create one. The journalist should
-store the private key somewhere safe; the public key should be stored on the
-*Secure Viewing Station*.
-
-If the journalist does have a key, transfer their public key from wherever it
-is located to the *Secure Viewing Station*, using the *Transfer Device*. Open
-the file manager |Nautilus| and double-click on the public key to import it.
-
-|Importing Journalist GPG Keys|
-
-.. |Nautilus| image:: images/nautilus.png
-.. |Importing Journalist GPG Keys| image:: images/install/importkey.png
+Provision a personal *Transfer Device* and *Export Device*
+----------------------------------------------------------
+In small organizations, a team of journalists may want to share a single
+*Transfer Device* and a single *Export Device*. In larger organizations, you may
+want to provision a personal *Transfer Device* and *Export Device* for each
+journalist who may need to copy files off the *Secure Viewing Station*. Please
+see the :doc:`setup guide <set_up_transfer_and_export_device>` for more
+information.
 
 Verify Journalist Setup
 -----------------------
@@ -142,26 +131,32 @@ verify the journalist is set up for SecureDrop.
 
 The journalist should verify that they:
 
-1. Have their own *Journalist Tails USB* that they have verified they are able
-   to boot on the *Journalist Workstation*.
+1. Have their own *Journalist Workstation* USB drive that they are able to boot
+   on the computer designated for this purpose (which can be their everyday
+   laptop).
 
-.. note:: It is important that they test on the same *Journalist Tails USB* and
-   the same *Journalist Workstation* they will be using on a day to day basis.
-   Issues may arise due to differences in USB drives or laptop models.
+.. note::
+
+   It is important that they test exactly on the computer they will be using
+   as the *Journalist Workstation*, as there can be differences in Tails
+   compatibility between different laptop models.
 
 2. Verify they are able to decrypt the persistent volume on the *Journalist
-   Tails USB*.
+   Workstation*.
 
 3. Ensure that they can connect to and login to the *Journalist Interface*.
 
-4. Ensure that they have a *Data Transfer Device* with a saved passphrase.
+4. Ensure that they have a *Transfer Device*, and access to its passphrase.
 
-5. Verify they have access to the *Secure Viewing Station* they will be using by
-   plugging in the *SVS USB*, booting, and verifying they can decrypt the
-   persistent volume.
+5. Verify they have access to the *Secure Viewing Station* by plugging in the
+   *Secure Viewing Station* USB drive into the air-gapped computer designated
+   for this purpose, booting, and verifying they can decrypt the persistent
+   volume.
 
-.. note:: Again, it is important that they test on the same *SVS Tails USB* and
-   the same *Secure Viewing Station* they will be using on a day to day basis.
+.. note::
+
+   It is especially important to only boot the *Secure Viewing Station* USB
+   drive on the air-gapped computer designated for this purpose.
 
 6. Verify the *Submission Private Key* is present in the *Secure Viewing Station*
    persistent volume by clicking the clipboard icon |gpgApplet| in the top right
@@ -172,6 +167,10 @@ The journalist should verify that they:
    saved in the KeePassX database stored in the persistent volume of the *Journalist
    Workstation*.
 
+7. If you are using a printer, verify that they are able to print a document
+   from the *Secure Viewing Station*. If you are using an *Export Device*,
+   verify that they are able to unlock the encrypted volume.
+
 At this point, the journalist has verified they have the devices and credentials
 they need and can proceed to a walkthrough of the entire SecureDrop workflow.
 

docs/passphrases.rst

@@ -33,7 +33,8 @@ passphrases:
    -  The network firewall username and password.
    -  The SSH private key and, if set, the key's passphrase.
    -  The GPG key that OSSEC will encrypt alerts to.
-   -  The admin's personal GPG key.
+   -  The admin's personal GPG public key, if you want to potentially encrypt
+      sensitive files to it for further analysis.
    -  The account details for the destination email address for OSSEC alerts.
    -  The Onion Services values required to connect to the *Application* and
       *Monitor Servers*.

docs/threat_model/threat_model.rst

@@ -296,7 +296,7 @@ What a Compromise of the Workstations Can Surrender
    volume, which stores information such as the Hidden Service value
    required to connect to the *Journalist Interface*, as well as a :doc:`database
    with passphrases <../passphrases>` for the
-   *Journalist Interface* and the journalist's personal GPG key.
+   *Journalist Interface*.
 -  The *Secure Viewing Station* requires Tails with a persistent
    volume, which stores information such as the SecureDrop application's
    GPG key, as well as a :doc:`database with the
@@ -392,7 +392,7 @@ What Compromise of the Admin's Property Can Surrender
       alerts.
    -  Access the credentials for the account the encrypt alerts are sent
       to.
-   -  Access the admin's personal GPG key.
+   -  Access the admin's personal GPG public key, if stored there.
 
 -  An attacker with admin access to the *Journalist Interface* can:
 
@@ -473,7 +473,6 @@ What a Compromise of the Journalist's Property Can Achieve
    -  Access the Hidden Service values used by the *Journalist Interface*.
    -  Access SSH keys and passphrases for the *Application Server* and the
       *Monitor Server*.
-   -  Access the journalist's personal GPG key.
 
 -  An attacker with journalist access to the *Journalist Interface* can: