Generate the SecureDrop Submission Key

When a document or message is submitted to SecureDrop by a source, it is automatically encrypted with the SecureDrop Submission Key. The private part of this key is stored only on the Secure Viewing Station, which is never connected to the Internet. SecureDrop submissions can only be decrypted and read on the Secure Viewing Station.

We will now generate the SecureDrop Submission Key on the Secure Viewing Station.

Correct the system time

After booting up Tails on the Secure Viewing Station, you will need to manually set the system time before you create the SecureDrop Submission Key. Be sure to enable admin privileges before you do this. In Tails 3.x, you enable admin privileges by clicking the + button under Additional Settings, then navigating to Administration Password. Enter an administration password and then click Start Tails.

To set the system time:

  1. Click the down arrow in the upper right of the menu bar and select the wrench icon.
  2. Then click Date & Time.
  3. Click Unlock. Type in the administrator password you set when you started up Tails.
  4. Set the correct time, region and city.
  5. Click Lock, exit Settings and wait for the system time to update in the top panel.

Once that’s done, follow the steps below to create the key.

Create the key

  1. Navigate to Applications ▸ Terminal to open a terminal.

  2. In the terminal, run gpg --full-generate-key:


  3. When it says Please select what kind of key you want, choose “(1) RSA and RSA (default)”.

  4. When it asks What keysize do you want?, type 4096.

  5. When it asks Key is valid for?, press Enter. This means your key does not expire.

  6. It will let you know that this means the key does not expire at all and ask for confirmation. Type y and hit Enter to confirm.


  7. Next it will prompt you for user ID setup. Use the following options:
    • Real name: “SecureDrop”
    • Email address: leave this field blank
    • Comment: [Your Organization's Name] SecureDrop Submission Key
  8. GPG will confirm these options. Verify that everything is written correctly. Then type O for (O)kay and hit Enter to continue.


  9. A box will pop up asking you to type a passphrase. Since the key is protected by the encryption on the Tails persistent volume, it is safe to simply click OK without entering a passphrase.

  10. The software will ask you if you are sure. Click Yes, protection is not needed.

  11. Wait for the key to finish generating.

Export the public key

To manage GPG keys using the graphical interface (a program called Seahorse), click the clipboard icon in the top right corner and select “Manage Keys”. Click “GnuPG keys” and you should see the key that you just generated.


  1. Select the key you just generated and click “File” then “Export”.
  2. Save the key to the Transfer Device as SecureDrop.pub.asc. Before saving, change the file type from “PGP keys” to “Armored PGP keys” using the selector at the bottom of the Save window, then click the “Export” button.

Note

This is the public key only.


You’ll need to provide the fingerprint of this new key during the installation. Double-click on the newly generated key and change to the Details tab. Write down the 40 hexadecimal digits under Fingerprint.


Note

Your fingerprint will be different from the one in the example screenshot.
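The exported file and the written-down fingerprint can be cross-checked against the choices made above (public key only, RSA 4096, no expiry, “SecureDrop” user ID). The following is an added example, not part of the SecureDrop documentation or code; the helper name check_submission_key and the sample key listing are constructed for illustration, and it assumes a gpg that supports the show-only import option.

```shell
#!/bin/sh
# Added example, not SecureDrop code. check_submission_key is a hypothetical helper.
# stdin: `gpg --with-colons` records; $1: the fingerprint you wrote down.
check_submission_key() {
    # Normalise the written-down fingerprint: drop spaces, upper-case the hex.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v expected="$expected" '
        BEGIN { bad = 0; pubs = 0 }
        # sec/ssb records mean private key material was exported by mistake.
        $1 == "sec" || $1 == "ssb" { print "FAIL: private key material present"; bad = 1 }
        $1 == "pub" {
            pubs++; last = "pub"
            if ($4 != 1)    { print "FAIL: primary key is not RSA"; bad = 1 }
            if ($3 != 4096) { print "FAIL: key size is " $3 ", expected 4096"; bad = 1 }
            if ($7 != "")   { print "FAIL: key has an expiry date"; bad = 1 }
        }
        $1 == "sub" { last = "sub" }
        # Only the fpr record that directly follows pub is the key fingerprint.
        $1 == "fpr" && last == "pub" { fpr = $10; last = "" }
        $1 == "uid" { uid = $10 }
        END {
            if (pubs != 1) { print "FAIL: expected one public key, found " pubs; bad = 1 }
            if (length(expected) != 40 || fpr != expected) {
                print "FAIL: fingerprint mismatch, file has " fpr; bad = 1
            }
            if (uid !~ /^SecureDrop/) { print "FAIL: unexpected user ID: " uid; bad = 1 }
            if (!bad) print "OK: " fpr
            exit bad
        }'
}

# Constructed sample listing (not a real key), in the colon format gpg emits.
SAMPLE='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::SecureDrop (Example Org SecureDrop Submission Key):
sub:-:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'

# Real use, wherever the exported file is available:
#   gpg --with-colons --import-options show-only --import SecureDrop.pub.asc \
#     | check_submission_key "the 40 hex digits you wrote down"
printf '%s\n' "$SAMPLE" | check_submission_key '0123 4567 89ab cdef 0123 4567 89AB CDEF 0123 4567'
```

The function exits non-zero and prints one FAIL line per problem, so it can gate a later step that copies the key or fingerprint into the installation.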

At this point, you are done with the Secure Viewing Station for now. You can shut down Tails, grab the admin Tails USB and move over to your regular workstation.