Set Up the Secure Viewing Station
The Secure Viewing Station is the computer where journalists read and respond to SecureDrop submissions. Once submissions are encrypted on the Application Server, only the Secure Viewing Station has the key to decrypt them. The Secure Viewing Station is never connected to the internet or a local network, and only ever runs from a dedicated Tails drive. Journalists download encrypted submissions using their Journalist Workstation, copy them to a Transfer Device (a USB drive or a DVD) and physically transfer the Transfer Device to the Secure Viewing Station.
We recommend storing your Secure Viewing Station in a secure area on-site, and ensuring it does not leave this area. If you have journalists working outside of your premises, you may want to consider setting up a remote Secure Viewing Station.
Since the Secure Viewing Station never uses a network connection or an internal hard drive, we recommend that you physically remove any internal storage devices or networking hardware such as wireless cards or Bluetooth adapters. If the machine has network ports you can’t physically remove, you should clearly cover these ports with labels noting not to use them. For an even safer approach, fill a port with epoxy to physically disable it. We also recommend you remove the speakers from the device (or just cut the audio cables if that’s easier). This is to prevent exfiltration of data from the airgap via ultrasonic audio, which cannot be heard by humans. If you have questions about repurposing hardware for the Secure Viewing Station, contact the Freedom of the Press Foundation.
The steps below assume you have already created a Tails USB drive with Persistent Storage enabled. If that is not the case, please review the previous page in the installation guide, then return here once the new Tails drive is ready.
The Tails drive should be clearly labeled “SecureDrop Secure Viewing Station”. If it’s not labeled, label it right now, then boot it on the Secure Viewing Station. After it loads, you should see the Tails Welcome Screen.
Enter your passphrase to unlock the persistent storage, then press Unlock. Before starting Tails, set an administration password for use with this Tails session. To do so, click the + button under “Additional Settings”. Click Administration Password in the list of settings. Enter the password twice, click Add, then click Start Tails.
The Tails administration password is a one-time password. It is reset every time you shut down Tails. Pick a password you will be able to remember for the length of this session.
We will now prepare the Secure Viewing Station.
Correct the System Time
After booting up Tails on the Secure Viewing Station, you will need to manually set the system time before you create the SecureDrop Submission Key. This operation requires the Tails administration password to be set (see above).
To set the system time:
Click the upper right down arrow in the menu bar and select the wrench icon:
Select the Details section, then click Date & Time.
Click Unlock. Type in the admin password you set when you started up Tails.
Set the correct time, region and city.
Click Lock, exit Settings and wait for the system time to update in the top panel.