Generate the Submission Key

When a document or message is submitted to SecureDrop by a source, it is automatically encrypted with the Submission Key. The private part of this key is only stored on the Secure Viewing Station which is never connected to the Internet. SecureDrop submissions can only be decrypted and read on the Secure Viewing Station.

We will now generate the Submission Key. If you aren’t still logged into your Secure Viewing Station from the previous step, boot it using its Tails USB stick, with persistence enabled.

Important

Do not follow these steps before you have fully configured the Secure Viewing Station according to the instructions. The private key you will generate in the following steps is one of the most important secrets associated with your SecureDrop installation. This procedure is intended to ensure that the private key is protected by the air-gap throughout its lifetime.

Create the Key

  1. Navigate to Applications ▸ System Tools ▸ Terminal to open a terminal.

  2. In the terminal, run gpg --full-generate-key:

    [Screenshot: GPG generate key]

  3. When it says Please select what kind of key you want, choose “(1) RSA and RSA (default)”.

  4. When it asks What keysize do you want?, type 4096.

  5. When it asks Key is valid for?, press Enter. This means your key does not expire.

  6. It will let you know that this means the key does not expire at all and ask for confirmation. Type y and hit Enter to confirm.

    [Screenshot: GPG key options]

  7. Next it will prompt you for user ID setup. Use the following options:
    • Real name: “SecureDrop”

    • Email address: leave this field blank

    • Comment: [Your Organization's Name] SecureDrop Submission Key

  8. GPG will confirm these options. Verify that everything is written correctly. Then type O for (O)kay and hit Enter to continue:

    [Screenshot: OK to generate]

  9. A box will pop up (twice) asking you to type a passphrase. Since the key is protected by the encryption on the Tails persistent volume, it is safe to simply click OK without entering a passphrase.

  10. The software will ask you if you are sure. Click Yes, protection is not needed.

  11. Wait for the key to finish generating.

Export the Submission Public Key

Navigate to Applications ▸ Accessories ▸ Kleopatra to open a graphical interface to manage GPG keys. Once Kleopatra opens you will find a list of keys, including the SecureDrop Submission Key you just created.

Click to select the key, then click the “Export…” button in the toolbar above.

[Screenshot: My Keys]

Save the key to the Transfer Device by changing the location to /media/amnesia/Transfer Device, then set the filename to SecureDrop.asc. Once that is set, click the Save button to finish exporting the key to the transfer device.

Note

This is the public key only.

[Screenshot: Export Key]

After exporting the public key, you will be returned back to the list of keys. You’ll need to provide the fingerprint of the Submission Key during the installation. Go ahead and double-click on the Submission Key, then write down the 40 hexadecimal digits under Fingerprint.

[Screenshot: Fingerprint]

Note

Your fingerprint will be different from the one in the example screenshot.

At this point, you are done with the Secure Viewing Station for now. You can shut down Tails, grab the Admin Workstation Tails USB, and move over to your regular workstation.