Backup the Workstations
This workflow will create a single USB drive with the data backed up from all Tails drives. If instead you’d like to create a single duplicate Tails drive, you should follow the official documentation maintained by the Tails project.
Now that you have set up the Secure Viewing Station, the Admin Workstation, and your Journalist Workstations, it is important you make a backup. Your USB drive may wear out, a journalist might lose their drive, or something completely unexpected may happen.
In all these cases, it is useful to have a backup of your data for each device.
What You Need
- You will need your existing SecureDrop Tails USB sticks (Admin Workstation, Journalist Workstation, and Secure Viewing Station).
- You will also need an airgapped machine to perform the backups. The Secure Viewing Station may be used for this task.
- You will also need a “primary” Tails USB, which we will use to perform the backups.
- You also need at least one USB drive to back up the data from your current SecureDrop Tails USB sticks.
An airgapped machine (such as the Secure Viewing Station) is required in order to perform these backups safely. By isolating the machine from all network access, you reduce the exposure of sensitive data to networked computers, thereby reducing the threat of compromise by adversaries who wish to gain access to your SecureDrop instance.
The airgapped machine should have 3 USB ports, so you can plug in the primary Tails USB drive, the Tails drive you want to back up, and the backup drive at the same time. If you don’t have 3 USB ports available, you can use a USB hub, which may reduce transfer speeds.
The steps in this section should be performed for each Secure Viewing Station, Journalist Workstation, and Admin Workstation USB drive in your organization.
Preparing the Backup Device
First you must boot the primary Tails USB drive. Ensure you set an administrator password at the login screen. Then navigate to Applications ▸ Utilities ▸ Disks.
Insert the USB drive you wish to use as a backup drive.
Select the drive from the list of drives in the left column.
Click the button with the two cogs and click Format Partition….
Fill out the form as follows:
- Erase: Don’t overwrite existing data (Quick)
- Type: Encrypted, compatible with Linux systems (LUKS + Ext4)
- Name: Backup
Since this will serve as a long-term backup, make sure to use a strong passphrase.
A dialog box asking Are you sure you want to format the volume? will appear; click Format.
Once completed, you will see two partitions appear.
Now that you have made the backup device, plug in the device you want to back up. Then, browse to Places ▸ Computer.
Click on the disk on the left side column. Fill in the passphrase you set up when you created your Tails devices.
You should now have both the Backup partition and the TailsData partition to be backed up mounted and ready to access.
Open a terminal with administrative privileges by going to Applications ▸ System Tools ▸ Root Terminal.
If you can’t find the “Root Terminal” window, it might be because an administrator passphrase wasn’t set when you logged in to Tails. If that’s the case, you’ll need to restart Tails and set one at the login screen.
Next, create a directory on the Backup USB for the device to be backed up - the
command below creates a directory named
Then, copy the contents of the device’s persistent volume to the directory using rsync:
    rsync -a --info=progress2 --no-specials --no-devices \
        /media/amnesia/TailsData/ /media/amnesia/Backup/admin-backup
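Before unmounting the TailsData partition, you can confirm that the copy is complete by comparing SHA-256 checksums of the source and the backup. This script is an added example, not part of the SecureDrop documentation; manifest and verify_backup are hypothetical helper names, and the paths in the usage comment are the ones used on this page.

```shell
#!/bin/bash
# Added example: confirm a backup made with the rsync command above matches its source.
# manifest and verify_backup are hypothetical helper names, not SecureDrop or Tails tools.
# Run from the Root Terminal so every file in the persistent volume is readable.

# Print "<sha256>  <relative path>" for each regular file under $1, sorted by path.
# Only regular files are hashed, matching a copy made with --no-specials --no-devices;
# symlink targets, ownership and permissions are not compared.
manifest() {
    (cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum)
}

# Return 0 if SRC and DST hold the same regular files with identical contents,
# 1 if anything is missing, extra or different, 2 if a directory is absent.
verify_backup() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "verify_backup: both arguments must be directories" >&2
        return 2
    fi
    work=$(mktemp -d) || return 2
    manifest "$src" > "$work/src.sha256"
    manifest "$dst" > "$work/dst.sha256"
    if diff "$work/src.sha256" "$work/dst.sha256" >&2; then
        echo "OK: $(wc -l < "$work/src.sha256") files match"
        rc=0
    else
        echo "MISMATCH: lines marked < are source, > are backup" >&2
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Usage with the paths from this page:
#   verify_backup /media/amnesia/TailsData /media/amnesia/Backup/admin-backup
if [ "$#" -eq 2 ]; then
    verify_backup "$1" "$2"
fi
```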
Once complete, unmount the TailsData partition.
Repeat these steps for every device, making a new folder on the backup device for each device you back up.
Finally, once you have completed the steps described in this section for each USB drive, unmount the Backup partition and store the drive somewhere safe.