Upgrade from 0.6.x to 0.7.x

Updating the Tails Workstations

All Tails drives should be updated to Tails 3.7, which is scheduled to be released on May 9, 2018. Follow the graphical prompts on your workstations to perform this upgrade.

For the Journalist Workstations and the Admin Workstation, you will also need to update the SecureDrop code (which configures the workstation environment, such as the SecureDrop shortcuts on the Tails desktop). First, ensure that you have set a Tails administrator password. Then, on the workstation to be updated, perform the following steps in a terminal:

cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.7.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint above matches what you see on the screen of your Admin Workstation. If it does, you can check out the new release:

git checkout 0.7.0

Finally, run the following commands:

./securedrop-admin setup
./securedrop-admin tailsconfig

Going forward, the SecureDrop Workstation Updater user interface will appear when updates are needed upon boot of a workstation. Users only need to click “Update Now” instead of performing the steps described above. The SecureDrop Workstation Updater looks as follows:

SecureDrop updater

Configuring SSH Over the Local Network

SecureDrop 0.7.0 ships with the option to SSH into the SecureDrop servers over the local network instead of the Tor network. Please see the detailed documentation for this feature.

Configuring Email Alerts About New Submissions

SecureDrop 0.7.0 allows you to configure an encrypted daily email alert informing you about whether or not there are new SecureDrop submissions. In order to configure this feature, you will need an email address that should receive alerts, a public GPG key to use for that address, and the fingerprint for that key.

Note that you cannot configure multiple email addresses. If you would like the alerts to be sent to multiple users, you will have to set up a single email alias for this purpose, and all recipients will need to have access to a shared GPG key.

To set up the alerts, on your Admin Workstation, copy the public key (e.g., journalist.pub) to ~/Persistent/securedrop/install_files/ansible-base/.

Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, you will be prompted for the following values (default is none, as the functionality is disabled by default):

  • Journalist public key (e.g., journalist.pub)
  • Journalist GPG key fingerprint
  • Journalist email address

Run ./securedrop-admin install and wait for it to complete. The configured email address should now receive an encrypted notification email every 24 hours.

Configuring Server Reboot Time

SecureDrop 0.7.0 lets you configure the time of day (full hour) at which the SecureDrop servers are rebooted.

To do so, run ./securedrop-admin sdconfig on your Admin Workstation within ~/Persistent/securedrop, and follow the prompts. For this functionality, you will be prompted for “Daily reboot time of the server (24-hour clock)”. Specify the desired local time, e.g., type “18” for 6 PM. Then run ./securedrop-admin install to apply the change to the servers.

Getting Support

Should you require further support with your SecureDrop installation or upgrade, we are happy to help!