Upgrade from 0.11.1 to 0.12.0

Important

If you installed SecureDrop before the release of SecureDrop 0.12.0, the operating system on your SecureDrop servers is now out of date and must be upgraded before April 30, 2019. See Upgrading to Ubuntu 16.04 below.

Updating the Tails Workstations

If you have not already done so, we recommend that you update all Tails drives to version 3.12.1, which was released on February 13, 2019. Follow the Tails graphical prompts on your workstations to perform this upgrade.

On a subsequent boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. Choose “Update Now” on each of the workstations:

../_images/securedrop-updater.png

Please note that this only updates the SecureDrop code on your Tails workstations. Tails upgrades must be performed separately.

Note

The graphical updater uses keyservers to obtain the release signing key. If the graphical updater fails, it may be due to a keyserver not being reachable. You can try again, or you can perform the manual procedure outlined below (you may have to run the --recv-key command repeatedly for it to work).

If you don’t see a graphical updater, you may be running an older version of the SecureDrop code on your workstation (earlier than 0.7.0). You can update as follows:

cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.12.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint above matches what on the screen of your workstation. If it does, you can check out the new release:

git checkout 0.12.0

Important

If you do see the warning “refname ‘0.12.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Finally, run the following commands:

./securedrop-admin setup
./securedrop-admin tailsconfig

Troubleshooting Kernel Issues

As part of the the automatic update to SecureDrop 0.12.0, the default Linux kernel will change to the latest released kernel (version 4.4.167).

We have tested this kernel extensively against recommended hardware and other common configurations. Please consult our kernel troubleshooting guide for instructions on how to compare the differences between kernel versions and how to roll back to an earlier version if necessary.

Upgrading to Ubuntu 16.04

SecureDrop installations set up prior to the release of SecureDrop 0.12.0 use Ubuntu 14.04 (Trusty) as the base operating system. Trusty was released in April 2014, and as part of the standard Long Term Support (LTS) cycle, it will no longer receive security updates after April 30, 2019.

After the 0.12.x series, updates to SecureDrop itself will only be issued to systems running Ubuntu 16.04.

It is therefore of critical importance that you upgrade your servers to Ubuntu 16.04 (Xenial). Once you are running SecureDrop 0.12.0, you are ready to upgrade. However, we recommend that you wait until at least March 6 before you perform the upgrade, to allow for changes to this documentation based on the first set of assisted upgrades we will perform.

Before then, we strongly recommend following the steps outlined in Ubuntu 16.04 LTS (Xenial) migration - Preparatory steps.

As part of planning the upgrade, choose which upgrade method you want to follow:

  • Upgrading in place. This method can be performed remotely without physical access to the servers. It requires significant downtime, and you may encounter upgrade-related prompts specific to your configuration which we have not documented, especially if you are using hardware not in our set of hardware recommendations.
  • Backing up your data and restoring it to a new installation. This method requires that you have physical access to the servers and hardware firewall you wish to use for the new installation. If you perform the new installation against redundant hardware, you can minimize downtime by following this method.

Getting Support

Should you require further support with your SecureDrop installation or the upgrade to Ubuntu 16.04, we are happy to help!