Virtual Environments: Admin Workstation
SecureDrop uses Tails for the Admin Workstation environment. In order to perform a fully virtualized production install, you will need to first set up Tails in a virtual machine.
Note
For the instructions that follow, you need to download the most recent Tails ISO from the Tails website.
macOS
For the macOS instructions, you will use VirtualBox to create a Tails VM that you can use to install SecureDrop on app-prod and mon-prod.
Create a VirtualBox VM
- Open VirtualBox
- Click New to create a new VM with the following options:
  - Name: “Admin Workstation”
  - Type: “Linux”
  - Version: “Debian (64-bit)”
Note
You may call the VM a different name, but you must replace “Admin Workstation” later on in these instructions with the name you select.
- Click Continue.
- At the prompt, configure at least 2048 MB of RAM. Click Continue.
- Leave the default Create a virtual hard disk now selected and click Create. All the default options (Hard disk file type: VDI (VirtualBox Disk Image) and Dynamically allocated) are fine. Click Create.
Booting Tails
Now that the VM is set up, you are ready to boot to Tails. Select the new VM in the VirtualBox sidebar, and click Settings.
Click Storage.
Click Empty under Controller: IDE.
Click the CD icon next to Optical Drive: and click Choose Virtual Optical Disk File.
Navigate to the Tails ISO to boot from.
Click General then Advanced.
Under Shared Clipboard select Bidirectional instead of Disabled. This option will enable you to transfer text from your host to the Tails VM, which we will use later on in these steps.
Note
Alternatively you can open these docs in Tor Browser in Tails. This will obviate the need to copy and paste between the guest and host OS.
Install Tails
Next you will install Tails onto the Virtual Hard Disk Image. Start the VM, boot to Tails, enter an administration password, and start Tails.
Note
For all the instructions that follow, you will need to configure an administration password each time you boot Tails.
- Copy the following patch and save it as installer.patch in a folder in your Tails VM:
--- /usr/lib/python2.7/dist-packages/tails_installer/creator.py 2018-01-22 14:59:40.000000000 +0100
+++ /usr/lib/python2.7/dist-packages/tails_installer/creator.py.mod 2018-03-05 05:15:00.000000000 -0800
@@ -595,16 +595,6 @@ class LinuxTailsInstallerCreator(TailsInstallerCreator):
self.log.debug('Skipping non-removable device: %s'
% data['device'])
- # Only pay attention to USB and SDIO devices, unless --force'd
- iface = drive.props.connection_bus
- if iface != 'usb' and iface != 'sdio' \
- and self.opts.force != data['device']:
- self.log.warning(
- "Skipping device '%(device)s' connected to '%(interface)s' interface"
- % {'device': data['udi'], 'interface': iface}
- )
- continue
-
# Skip optical drives
if data['is_optical'] and self.opts.force != data['device']:
self.log.debug('Skipping optical device: %s' % data['device'])
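Review bot: the removed block in LinuxTailsInstallerCreator already carried a bypass, `self.opts.force != data['device']`, so deleting the USB/SDIO interface check outright is broader than it needs to be: drives on any other bus are no longer filtered out at this point. If the installer can be run with the force option for the virtual disk, prefer that to patching; if it cannot, say so next to the patch and state that the change is meant only for the VM's virtual hard disk.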
--- /usr/lib/python2.7/dist-packages/tails_installer/gui.py 2018-01-22 14:59:40.000000000 +0100
+++ /usr/lib/python2.7/dist-packages/tails_installer/gui.py.mod 2018-03-05 05:15:00.000000000 -0800
@@ -568,16 +568,6 @@ class TailsInstallerWindow(Gtk.ApplicationWindow):
self.devices_with_persistence.append(info['parent'])
continue
pretty_name = self.get_device_pretty_name(info)
- # Skip devices with non-removable bit enabled
- if not info['removable']:
- message =_('The USB stick "%(pretty_name)s"'
- ' is configured as non-removable by its'
- ' manufacturer and Tails will fail to start on it.'
- ' Please try installing on a different model.') % {
- 'pretty_name': pretty_name
- }
- self.status(message)
- continue
# Skip too small devices, but inform the user
if not info['is_device_big_enough_for_installation']:
message =_('The device "%(pretty_name)s"'
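Review bot: dropping the `if not info['removable']` branch in TailsInstallerWindow also drops the only message that tells the user Tails will fail to start on a device marked non-removable. That is what the virtual hard disk needs, but nothing in the patch says so; a one-line comment in place of the removed block, or a sentence beside the patch, should state that the check is removed only so that the VM's disk is listed.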
- Now run the following two commands in a Terminal in your Tails VM:
sudo patch -p0 -d/ < installer.patch
sudo /usr/bin/python -tt /usr/bin/tails-installer -u -n --clone -P -m -x
- The Tails Installer will appear. Click Install Tails.
- Once complete, navigate to Applications, Utilities and open Disks.
- Click on the disk named “Tails” and click the Play icon to mount the disk.
- Next open /media/amnesia/Tails/syslinux/live*.cfg and delete all instances of live-media=removable.
- Shut down the VM.
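One way to script the live*.cfg edit and confirm that no occurrence is left, as an added example that is not part of the SecureDrop documentation. It assumes GNU sed (the Tails default) and that the mounted files are writable by the current user; the function names are hypothetical:

```sh
#!/bin/sh
# Added example (not from the SecureDrop docs): remove the live-media=removable
# boot parameter from syslinux config files and verify that none remain.
# Assumes GNU sed and files writable by the current user.

TOKEN='live-media=removable'

# Print the number of occurrences of the token across the given files.
count_live_media() {
    { grep -oh -- "$TOKEN" "$@" || true; } | wc -l | tr -d ' '
}

# Strip every occurrence (plus one leading space, if present) from each file.
# A copy of each original is kept in a temporary directory for comparison.
strip_live_media() {
    backup_dir=$(mktemp -d) || return 1
    for cfg in "$@"; do
        [ -f "$cfg" ] || { echo "not a regular file: $cfg" >&2; return 1; }
        cp -p -- "$cfg" "$backup_dir/" || return 1
        sed -i -e "s/ \{0,1\}$TOKEN//g" -- "$cfg" || return 1
    done
    remaining=$(count_live_media "$@")
    if [ "$remaining" -ne 0 ]; then
        echo "$remaining occurrence(s) of $TOKEN left" >&2
        return 1
    fi
    echo "originals saved in $backup_dir"
}

# On the Tails VM, after mounting the "Tails" disk:
#   strip_live_media /media/amnesia/Tails/syslinux/live*.cfg
```

Comparing each edited file with its saved original (for example with diff) shows that only the one parameter changed.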
Boot to Tails Hard Drive Install
Now we will remove the CD and boot to the Tails we just installed on our virtual hard drive. From macOS you should:
- Click the VM in the sidebar of VirtualBox and click Settings.
- Click Storage and select the Tails .iso under Controller: IDE.
- Click the CD icon, then Remove Disk from Virtual Drive.
- Click Ok.
- Start the VM.
Configure Persistence
Now in your booted Tails VM you should:
- Configure an admin password when prompted.
- Copy the following patch to the Tails VM and save it as persistence.patch:
--- /usr/share/perl5/Tails/Persistence/Setup.pm 2017-06-30 09:56:25.000000000 +0000
+++ /usr/share/perl5/Tails/Persistence/Setup.pm.mod 2017-07-20 07:17:48.472000000 +0000
@@ -404,19 +404,6 @@
my @checks = (
{
- method => 'drive_is_connected_via_a_supported_interface',
- message => $self->encoding->decode(gettext(
- "Tails is running from non-USB / non-SDIO device %s.")),
- needs_drive_arg => 1,
- },
- {
- method => 'drive_is_optical',
- message => $self->encoding->decode(gettext(
- "Device %s is optical.")),
- must_be_false => 1,
- needs_drive_arg => 1,
- },
- {
method => 'started_from_device_installed_with_tails_installer',
message => $self->encoding->decode(gettext(
"Device %s was not created using Tails Installer.")),
- To apply the patch, from the Terminal run:
sudo patch -p0 -d/ < persistence.patch
- Navigate to Applications then Tails and click Configure persistent volume. Configure a persistent volume enabling all persistence options.
Allow the Guest to Create Symlinks
Finally, you’ll need to allow the guest to create symlinks, which are disabled by default in VirtualBox.
Shut down the Tails VM, and in your host run:
VBoxManage setextradata "Admin Workstation" VBoxInternal2/SharedFoldersEnableSymlinksCreate/securedrop 1
Note
If you named your Tails VM something other than “Admin Workstation”, you can run VBoxManage list vms to get the name of the Virtual Machine.
Finally, restart VirtualBox.
Configure Networking
In order to communicate with the server VMs, you’ll need to attach this virtualized Admin Workstation to the securedrop network.
Warning
If you named the SecureDrop repository something other than securedrop, you should connect your VM to the network of the same name.
With the Admin Workstation VM turned off, you should:
- Click on the VM in VirtualBox.
- Click Settings.
- Click Network and then Adapter 2.
- Enable this network adapter and attach it to the Internal Network called securedrop.
- Click OK and start the VM.
Now you should be able to boot to Tails, decrypt the Persistent volume, navigate to ~/Persistent/securedrop and proceed with the production install.
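A host-side check for the two VirtualBox settings made above (symlink creation for the securedrop share, and Adapter 2 on the securedrop internal network), as an added example that is not part of the SecureDrop documentation. The function names are hypothetical, and the usage comments assume the default VM and network names:

```sh
#!/bin/sh
# Added example (not from the SecureDrop docs): verify VirtualBox settings
# from the host by reading VBoxManage output on stdin.

# Input: output of `VBoxManage getextradata <vm> <key>`.
# Succeeds only if the key is set to 1 (an unset key prints "No value set!").
check_symlinks_enabled() {
    [ "$(cat)" = "Value: 1" ]
}

# Input: output of `VBoxManage showvminfo <vm> --machinereadable`.
# Succeeds only if adapter 2 is an internal-network adapter on network $1.
check_adapter2() {
    want_net=$1
    info=$(cat)
    nic=$(printf '%s\n' "$info" | sed -n 's/^nic2="\(.*\)"$/\1/p')
    net=$(printf '%s\n' "$info" | sed -n 's/^intnet2="\(.*\)"$/\1/p')
    if [ "$nic" != "intnet" ]; then
        echo "adapter 2 is '${nic:-missing}', expected 'intnet'" >&2
        return 1
    fi
    if [ "$net" != "$want_net" ]; then
        echo "adapter 2 is on '${net:-none}', expected '$want_net'" >&2
        return 1
    fi
}

# On the host, with the VM shut down:
#   VBoxManage getextradata "Admin Workstation" \
#       VBoxInternal2/SharedFoldersEnableSymlinksCreate/securedrop | check_symlinks_enabled
#   VBoxManage showvminfo "Admin Workstation" --machinereadable | check_adapter2 securedrop
```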
Linux
For the Linux instructions, you will use KVM/libvirt to create a Tails VM that you can use to install SecureDrop on app-prod and mon-prod.
Create a libvirt VM
Follow the Tails virt-manager instructions for Running Tails from a virtual USB storage. After installing Tails on the removable USB device, shut down the VM and edit the boot options. You’ll need to manually enable booting from the USB device by checking the box labeled USB Disk 1.

Then proceed with booting to the USB drive, and configure a persistence volume.
Shared Folders
In order to mount the SecureDrop git repository as a folder inside the Tails persistence volume, you must add a filesystem via virt-manager.
- Choose View ▸ Details to edit the configuration of the virtual machine.
- Click on the Add Hardware button on the bottom of the left pane.
- Select Filesystem in the left pane.
- In the right pane, change the Mode to Mapped.
- In the right pane, change Source path to the path to the SecureDrop git repository on the host machine.
- In the right pane, change Target path to securedrop.
- Click Finish.

On the next VM boot, you will be able to mount the SecureDrop git repository from the host machine via:
mkdir -p ~/Persistent/securedrop
sudo mount -t 9p securedrop ~/Persistent/securedrop
You will need to run the mount command every time you boot the VM.
By default only read operations are supported. In order to support modifying files
in the git repository, you will need to configure file ACLs.
On the host machine, from within the SecureDrop git repository, run:
make libvirt-share
All files will be created with mode 0600 and ownership libvirt-qemu:libvirt-qemu.
You will need to modify the files manually on the host machine in order to commit them.