Securedrop Documentation Release 0.9.0
Total Page:16
File Type:pdf, Size:1020Kb
SecureDrop Documentation Release 0.9.0 SecureDrop Team and Contributors Sep 05, 2018 User Guides 1 Source Guide 3 1.1 Choosing the Right Location.......................................3 1.2 Get the Tor Browser...........................................3 1.3 Choose Who to Submit To........................................4 1.4 Making Your First Submission......................................4 1.5 Continuing the Conversation....................................... 10 2 Journalist Guide 15 2.1 Updating Your Workstation....................................... 15 2.2 Creating a GPG Key........................................... 16 2.3 Connecting to the Journalist Interface .................................. 16 2.4 Daily Journalist Alerts About Submissions............................... 17 2.5 Interacting With Sources......................................... 18 2.6 Moving Documents to the Secure Viewing Station ........................... 21 2.7 Decrypting on the Secure Viewing Station ................................ 26 2.8 Working with Documents........................................ 28 2.9 Encrypting and Moving Documents to the Journalist Workstation ................... 29 2.10 Decrypting and Preparing to Publish................................... 31 3 Admin Guide 33 3.1 Responsibilities.............................................. 33 3.2 Common Tasks.............................................. 35 3.3 Frequently Asked Questions....................................... 44 4 Passphrase Best Practices 47 4.1 General Best Practices.......................................... 47 4.2 For Sources................................................ 48 4.3 For Journalists/Admins.......................................... 48 5 Overview 49 5.1 Technical Summary........................................... 49 5.2 Infrastructure............................................... 50 5.3 Operation................................................. 51 6 Terminology 53 6.1 Source.................................................. 53 6.2 Journalist................................................. 53 i 6.3 Application Server............................................ 53 6.4 Monitor Server.............................................. 54 6.5 Landing Page............................................... 54 6.6 Source Interface............................................. 54 6.7 Journalist Interface............................................ 54 6.8 Journalist Workstation.......................................... 54 6.9 Admin Workstation............................................ 54 6.10 Secure Viewing Station......................................... 54 6.11 Two-Factor Authenticator........................................ 55 6.12 Transfer Device............................................. 55 7 Passphrases 57 7.1 Admin.................................................. 57 7.2 Journalist................................................. 58 8 Hardware 59 8.1 Hardware Overview........................................... 59 8.2 Required Hardware............................................ 59 8.3 Optional Hardware............................................ 62 8.4 Specific Hardware Recommendations.................................. 63 9 Before You Begin 69 10 Create Tails USBs 71 10.1 Install Tails................................................ 71 10.2 Enable Persistent Storage........................................ 72 11 Set Up the Secure Viewing Station 73 11.1 Ensure Filenames are Preserved..................................... 73 11.2 Correct the System Time......................................... 74 12 Set Up the Transfer Device 77 12.1 Select DVDs or USBs.......................................... 77 12.2 USB Transfer Device Configuration................................... 77 13 Generate the SecureDrop Submission Key 83 13.1 Create the Key.............................................. 83 13.2 Export the Public Key.......................................... 86 14 Set up the Admin Workstation 91 14.1 Start Tails with Persistence Enabled................................... 91 14.2 Download the SecureDrop repository.................................. 91 14.3 Create the Admin Passphrase Database................................. 93 15 Set Up the Network Firewall 95 15.1 Before You Begin............................................ 95 15.2 Initial Configuration........................................... 97 15.3 Disable DHCP on the LAN....................................... 106 15.4 SecureDrop Configuration........................................ 112 15.5 Tips for Setting Up pfSense Firewall Rules............................... 129 15.6 Keeping pfSense up to Date....................................... 129 15.7 Abstract Firewall Rules......................................... 133 16 Set Up the Servers 135 16.1 Install Ubuntu.............................................. 135 16.2 Test Connectivity............................................. 140 ii 16.3 Set Up SSH Keys............................................. 140 17 Install SecureDrop 141 17.1 Install Prerequisites........................................... 141 17.2 Localization of the Source Interface and Journalist Interface ...................... 142 17.3 Configure the Installation........................................ 142 17.4 Install SecureDrop Servers........................................ 143 18 Configure the Admin Workstation Post-Install 145 18.1 Auto-connect to the Authenticated Tor Hidden Services........................ 145 19 Create an Admin Account on the Journalist Interface 147 20 Test the Installation 149 20.1 Test Connectivity............................................. 149 20.2 Sanity-Check the Installation...................................... 149 20.3 Test the Web Interfaces.......................................... 150 21 Onboard Journalists 151 21.1 Determine Access Protocol for the Secure Viewing Station ....................... 151 21.2 Create a Journalist Tails USB...................................... 152 21.3 Set Up Automatic Access to the Journalist Interface .......................... 152 21.4 Add an account on the Journalist Interface ............................... 153 21.5 Verify Journalist Setup.......................................... 153 22 Overview 155 23 Landing Page 157 23.1 URL and Location............................................ 157 23.2 HTTPS Only (No Mixed Content).................................... 157 23.3 Perfect Forward Secrecy......................................... 158 23.4 SSL Certificate Recommendations.................................... 158 23.5 Do Not Use Third-Party Analytics, Tracking, or Advertising...................... 158 23.6 Do Not Hyperlink .onion Addresses................................... 159 23.7 Avoid Direct Links to SecureDrop.org.................................. 159 23.8 Apply Security Headers......................................... 159 23.9 Additional Apache Configuration.................................... 160 23.10 Further Security Considerations..................................... 161 23.11 Landing Page Content Suggestions................................... 161 24 Minimum requirements for the SecureDrop environment 163 25 Whole Site Changes 165 25.1 Suggested................................................. 165 26 Sample SecureDrop Privacy Policy 167 26.1 Collection of Information From Sources................................. 167 26.2 Collection of Information About Journalists’ Use of SecureDrop.................... 168 26.3 Data Security............................................... 168 26.4 Children Under 13............................................ 168 26.5 Changes to This Policy.......................................... 168 26.6 Contact.................................................. 168 27 Pre-Install Hardware Checklist 169 iii 28 Promoting Your SecureDrop Instance 171 28.1 Make a High Profile Announcement................................... 171 28.2 Provide a Clear Link on Your Homepage................................ 171 28.3 Provide Links at the Bottom of Your Articles.............................. 173 28.4 Create an Instructional Video on How to Access and Use Your SecureDrop.............. 173 28.5 Regularly Share Your SecureDrop Landing Page on Social Media................... 173 28.6 Target Potential Whistleblowers with Advertising............................ 174 28.7 Put an Advertisement in Your Physical Paper.............................. 174 29 What Makes SecureDrop Unique 177 29.1 No Third Parties that Can Secretly be Subpoenaed........................... 177 29.2 Limits the Metadata Trail as Much as Possible............................. 177 29.3 Encrypted and Air-Gapped........................................ 178 29.4 Protects Against Hackers......................................... 178 29.5 Free and Open Source Software..................................... 178 30 Useful Logs 179 30.1 Both servers............................................... 179 30.2 Application Server ............................................ 179 30.3 Monitor Server .............................................. 179 31 OSSEC Guide 181 31.1 Setting Up OSSEC Alerts........................................ 181 31.2 Troubleshooting............................................. 184 31.3 Analyzing the Alerts........................................... 188 32 Tails Guide 189 32.1 Installing Tails on USB Sticks...................................... 189 32.2 Configure Tails for Use with SecureDrop................................ 190 33 Setting Up a Printer in Tails