Install SecureDrop

Localization of the Source Interface and Journalist Interface

The Source Interface and Journalist Interface are translated in the following languages:

https://github.com/freedomofpress/securedrop/blob/develop/securedrop/i18n.rst

During the installation you will be given the opportunity to choose from a list of supported languages to display using the codes shown in parentheses.

Note

With a Source Interface displayed in French (for example), sources submitting documents are likely to expect a journalist fluent in French to be available to read the documents and follow up in that language.

Prepare Configuration Files

Make sure you have the following information and files ready before continuing:

  • the Application Server local IP address

  • the Monitor Server local IP address

  • the Submission Public Key (from the Transfer Device)

  • the Submission Key fingerprint

  • the email address that will receive alerts from OSSEC

  • the GPG public key and fingerprint for the email address that will receive the alerts

  • connection information for the SMTP relay that handles OSSEC alerts (see the OSSEC Alerts Guide)

  • the username of a journalist who will be using SecureDrop (you can add more later)

  • the username of the system admin

Optional: Enable Journalist Daily Alerts

When a SecureDrop has little activity and receives only a few submissions every other week, checking daily only to find there is nothing is a burden. It is more convenient for journalists to be notified daily via encrypted email about whether or not there has been submission activity in the past 24 hours.

If the email shows submissions were received, the journalist can connect to the Journalist Interface to get them.

Note

For security reasons, the email will be sent every 24 hours, regardless of whether there are new submissions or not. The notification is sent after the daily reboot of the Application Server. The subject of the email will always be “Submissions in the past 24h”. To find out whether there were submissions or not, a journalist must decrypt the contents of the email.

In the simplest case a journalist will provides their email and GPG public key to you, the admin. If a team of journalist wants to receive these daily alerts, they should share a GPG key and ask the admin to setup a mail alias (SecureDrop does not provide that service) so they all receive the alerts and are able to decrypt them.

If you wish to enable this, you will need:

  • the Journalist Alert Public Key

  • the Journalist Alert Public Key fingerprint

  • the email address that will receive the journalist alerts

Note

It is not possible to specify multiple email addresses for email notifications. If there are multiple intended recipients, use an alias or mailing list. However, all subscribers must share the GPG private key, as it is not possible to specify multiple keys.

Configuring the Servers

Before proceeding, you will need to copy the following files to ~/.config/securedrop-admin:

  • the Submission Public Key file

  • the OSSEC Alert Public Key

The Submission Public Key should be located on your Transfer Device from earlier. Its exact path will depend on the location where the USB stick is mounted. From the root of the SecureDrop repository, run:

cp /media/[USB folder]/SecureDrop.asc ~/.config/securedrop-admin/

where /media/[USB folder]/ corresponds to the Transfer Device. (You can also use the copy and paste capabilities of the file manager.)

Next, copy the OSSEC Alert Public Key into ~/.config/securedrop-admin as well.

Next, run the configuration playbook and answer the prompts with values that match your environment:

securedrop-admin sdconfig

The script will automatically validate the answers you provided and display error messages if any problems are detected. The answers will be written to the file ~/.config/securedrop-admin/site-specific.

When you’re done, save the file and quit the editor.

Install SecureDrop Servers

Now you are ready to install! This process will configure the servers and install SecureDrop and all of its dependencies on the remote servers.

securedrop-admin install

You will be prompted to enter the sudo passphrase for the Application Server and Monitor Server (which should be the same).

The installation process will take some time. It will return you to the terminal prompt when complete.

If any errors occur while running the install, carefully inspect the error output. Considering saving any error messages for reference and troubleshooting.

Note

If you see an error running securedrop-admin install, and believe it may be an intermittent issue (for example, due to losing network connectivity to the servers), it is safe to run the securedrop-admin install command again. If you see the same issue consistently, then you will need to troubleshoot it.

If you see the error message “timeout (62s) waiting for privilege escalation prompt”, try deleting the Ansible control path directory on your Admin Workstation (rm -rf ~/.ansible/cp) to reset the connection to the servers, then re-run the securedrop-admin install.

If you encounter other errors, we encourage you to submit a bug report, or to contact us at securedrop@freedom.press (GPG encrypted).

If needed, make edits to the file located at ~/.config/securedrop-admin/site-specific as described above. If you continue to have issues, please submit a detailed issue notice on GitHub or send an email to securedrop@freedom.press.

Note

The SecureDrop install process configures a custom Linux kernel hardened with the grsecurity patch set. Only binary images are hosted in the apt repo. For source packages, see the Source Offer.

Once the installation is complete, addresses and credentials for each onion service will be available in the following files under ~/.config/securedrop-admin:

V3 onion services

  • app-sourcev3-ths contains the v3 .onion address of the Source Interface.

  • app-journalist.auth_private contains the onion address and private key providing access to the Journalist Interface.

  • app-ssh.auth_private contains the onion address and private key providing SSH access to the Application Server.

  • mon-ssh.auth_private contains the onion address and private key providing SSH access to the Monitor Server.

  • tor_v3_keys.json contains the keypairs required for access to the Journalist Interface and SSH access to the servers - it is required for future runs of securedrop-admin install.

Warning

The three .auth_private files and the tor_v3_keys.json file contain secret keys that should not be shared with third parties, or copied from the Admin Workstation for any purpose other than tasks such as performing backups or onboarding new users.

The dynamic inventory file will automatically read the onion addresses from the app-ssh.auth_private and mon-ssh.auth_private files and use them to connect to the servers over SSH during subsequent playbook runs.