Generate the Submission Key

When a document or message is submitted to SecureDrop by a source, it is automatically encrypted with the Submission Key. The private part of this key is only stored on the Secure Viewing Station which is never connected to the Internet. SecureDrop submissions can only be decrypted and read on the Secure Viewing Station.

We will now generate the Submission Key. If you aren’t still logged into your Secure Viewing Station from the previous step, boot it using its Tails USB stick, with persistence enabled.


Do not follow these steps before you have fully configured the Secure Viewing Station according to the instructions. The private key you will generate in the following steps is one of the most important secrets associated with your SecureDrop installation. This procedure is intended to ensure that the private key is protected by the air-gap throughout its lifetime.

Create the Key

  1. Navigate to Applications ▸ System Tools ▸ Terminal to open a terminal Terminal.

  2. In the terminal, run gpg --full-generate-key:

    GPG generate key

  3. When it says Please select what kind of key you want, choose “(1) RSA and RSA (default)”.

  4. When it asks What keysize do you want?, type 4096.

  5. When it asks Key is valid for?, press Enter. This means your key does not expire.

  6. It will let you know that this means the key does not expire at all and ask for confirmation. Type y and hit Enter to confirm.

    GPG key options

  7. Next it will prompt you for user ID setup. Use the following options:
    • Real name: “SecureDrop”

    • Email address: leave this field blank

    • Comment: [Your Organization's Name] SecureDrop Submission Key

  8. GPG will confirm these options. Verify that everything is written correctly. Then type O for (O)kay and hit enter to continue:

    OK to generate

  9. A box will pop up (twice) asking you to type a passphrase. Since the key is protected by the encryption on the Tails persistent volume, it is safe to simply click OK without entering a passphrase.

  10. The software will ask you if you are sure. Click Yes, protection is not needed.

  11. Wait for the key to finish generating.

Export the Submission Public Key

Navigate to Applications ▸ Utilities ▸ Passwords and Keys to open a graphical interface to manage GPG keys. Click the clipboard icon gpgApplet in the top right corner and select “Manage Keys”. Click “GnuPG keys” and you should see the key that you just generated.

My Keys

  1. Select the key you just generated and click “File” then “Export”.

  2. Save the key to the Transfer Device as SecureDrop.asc, and make sure you change the file type from “PGP keys” to “Armored PGP keys” which can be switched at the bottom of the Save window. Click the ‘Export’ button after switching to armored keys.


This is the public key only.

Export Key

Export Key 2

You’ll need to provide the fingerprint of this new key during the installation. Double-click on the newly generated key and change to the Details tab. Write down the 40 hexadecimal digits under Fingerprint.



Your fingerprint will be different from the one in the example screenshot.

At this point, you are done with the Secure Viewing Station for now. You can shut down Tails, grab the Admin Workstation Tails USB and move over to your regular workstation.