Ubuntu 20.04 LTS (Focal) migration - Preparatory steps

On April 30, 2021, Ubuntu 16.04 LTS (Xenial) will reach End of Life. After this date, no new security updates to the base operating system will be provided. It is therefore of critical importance for the security of all SecureDrop instances to upgrade to Ubuntu 20.04 LTS (Focal) before April 30.

Important

For security reasons, the Source Interface will automatically be disabled on SecureDrop servers running Ubuntu 16.04 after April 30, 2021.

Support for Ubuntu 20.04 LTS (which will receive security updates until April 30, 2025) will be included in SecureDrop 1.8.0, scheduled to be released on March 9, 2021. Please do not attempt to upgrade to Ubuntu 20.04 before then. The migration to Ubuntu 20.04 will require a reinstall from a backup.

We recommend that you plan a two day maintenance window between March 9 and April 30 to back up your instance, perform the migration, and test your instance once it is migrated.

Note

If you are running hardware that is not currently listed in our hardware recommendations, we recommend that you also plan a hardware refresh as part of this migration. This has the following benefits:

  • It ensures that all system components will continue to receive security updates.
  • It reduces the risk of hardware compatibility issues with future releases of SecureDrop.
  • It will allow you to keep your current installation online during much of the two-day maintenance window.

If you have a support agreement with Freedom of the Press Foundation, please coordinate your maintenance window with us, so we can ensure that our team can provide support in a timely manner. In any event, please do not hesitate to contact us for assistance.

Before the two-day maintenance window, we recommend completing the preparatory steps below.

Check your SecureDrop version (servers)

To check your SecureDrop server version, load the .onion address of your Source Interface in Tor Browser. The version number will be in the footer. It should currently be 1.7.1.

If you have SSH access to the servers, you can also check the application version from your Admin Workstation by running this command in a terminal:

ssh app apt-cache policy securedrop-app-code

SecureDrop servers are updated automatically with the latest release version. If your servers are running an old version, this indicates a major configuration problem, and you may need to reinstall SecureDrop. In that case, please contact us for assistance.

Check your SecureDrop version (workstations)

  1. (Recommended) Back up your Admin Workstation using the process described here: Back up the Workstations.

  2. Boot your Admin Workstation and wait for the Tails welcome screen to appear.

  3. Unlock the persistent volume and configure an administrator password, then start Tails.

  4. Connect to the Internet and follow all graphical prompts to complete pending updates.

  5. Compare the version shown on the About screen (Applications ▸ Tails ▸ About Tails) with the version indicated on the Tails website. If the installed Tail version is outdated, follow our guide to updating Tails USBs.

  6. Run the command git status in the ~/Persistent/securedrop directory. The output should include the following text:

    HEAD detached at <version>
    

    where <version> is the version of the workstation code that is installed. If the Admin Workstation is at 1.7.1, it is up-to-date.

  7. If your SecureDrop code is outdated, follow our upgrade guide to perform a manual update. If that fails, please contact us for assistance.

  8. Repeat this process for all Admin Workstations and Journalist Workstations.

Note

If your Admin Workstation is in an unrecoverable state, you can follow our instructions to rebuild an Admin Workstation.

Verify SSH access

Start up your Admin Workstation (with persistent storage unlocked) and run the following commands in a terminal:

ssh app hostname     # command output should be 'app'
ssh mon hostname     # command output should be 'mon'

If you are having trouble accessing the servers via SSH, try the following:

  • create a new Tor network circuit by disconnecting and reconnecting your Internet link, and repeat the check
  • run the ./securedrop-admin tailsconfig command and repeat the check
  • verify that the Source and Journalist Interfaces are available via their desktop shortcuts
  • verify that the Application and Monitor Servers are up
  • contact us for assistance.

Migrate to v3 onion services

If you are still running v2 onion services, you must migrate to v3 to keep your instance running. Because this is a complex configuration change in its own right, we strongly recommend completing it well before the Ubuntu 20.04 migration. See our v3 upgrade guide for details.

Back up your Application Server

  1. (Recommended) In coordination with your journalist team, delete any previously-downloaded submissions and sources via the Journalist Interface.

    Note

    Deleting old submissions is a good security practice. It also helps to control the size of backups, which are transferred to the Admin Workstation over the Tor network.

  2. Run the following commands in a terminal on your Admin Workstation:

cd ~/Persistent/securedrop
./securedrop-admin backup

Once the command is completed, you will find the backup files in the ~/Persistent/securedrop/install_files/ansible-base directory.

  1. (Recommended) Copy the backup files to an encrypted volume on a separate USB stick.

For more information on the backup process, see Backup, Restore, Migrate.

Contact us

If you have questions or comments regarding the coming upgrade to Ubuntu 20.04 LTS or the preparatory procedure outlined above, please don’t hesitate to reach out: