Virtual Environments: Admin Workstation
SecureDrop uses Tails for the Admin Workstation environment. In order to perform a fully virtualized production install, you will need to first set up Tails in a virtual machine.
Note
For the instructions that follow, you need to download the most recent Tails ISO from the Tails website.
macOS
For the macOS instructions, you will use VirtualBox to create a Tails VM that
you can use to install SecureDrop on app-prod and mon-prod.
Create a VirtualBox VM
- Open VirtualBox
- Click New to create a new VM with the following options:
- Name: “Admin Workstation”
- Type: “Linux”
- Version: “Debian (64-bit)”
Note
You may call the VM a different name, but you must replace “Admin Workstation” later on in these instructions with the name you select.
- Click Continue.
- At the prompt, configure at least 2048 MB of RAM. Click Continue.
- Leave the default Create a virtual hard disk now selected and click Create. All the default options (Hard disk file type: VDI (VirtualBox Disk Image) and Dynamically allocated) are fine. Click Create.
Booting Tails
Now that the VM is set up, you are ready to boot to Tails. Select the new VM in the VirtualBox sidebar, and click Settings.
Click Storage.
Click Empty under Controller: IDE.
Click the CD icon next to Optical Drive: and click Choose Virtual Optical Disk File.
Navigate to the Tails ISO to boot from.
Click General then Advanced.
Under Shared Clipboard select Bidirectional instead of Disabled. This option will enable you to transfer text from your host to the Tails VM, which we will use later on in these steps.
Note
Alternatively you can open these docs in Tor Browser in Tails. This will obviate the need to copy and paste between the guest and host OS.
Install Tails
Next you will install Tails onto the Virtual Hard Disk Image. Start the VM, boot to Tails, enter an administration password, and start Tails.
Note
For all the instructions that follow, you will need to configure an administration password each time you boot Tails.
- Copy the following patch and save it as installer.patch in a folder in your Tails VM:
--- /usr/lib/python2.7/dist-packages/tails_installer/creator.py 2018-01-22 14:59:40.000000000 +0100
+++ /usr/lib/python2.7/dist-packages/tails_installer/creator.py.mod 2018-03-05 05:15:00.000000000 -0800
@@ -595,16 +595,6 @@ class LinuxTailsInstallerCreator(TailsInstallerCreator):
self.log.debug('Skipping non-removable device: %s'
% data['device'])
- # Only pay attention to USB and SDIO devices, unless --force'd
- iface = drive.props.connection_bus
- if iface != 'usb' and iface != 'sdio' \
- and self.opts.force != data['device']:
- self.log.warning(
- "Skipping device '%(device)s' connected to '%(interface)s' interface"
- % {'device': data['udi'], 'interface': iface}
- )
- continue
-
# Skip optical drives
if data['is_optical'] and self.opts.force != data['device']:
self.log.debug('Skipping optical device: %s' % data['device'])
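Review bot: the removed block in creator.py already had an escape hatch (`and self.opts.force != data['device']`, matching its comment "unless --force'd"), so deleting the whole USB/SDIO check is broader than needed. With it gone, a device on any bus passes this filter and the `Skipping device ... connected to ... interface` warning is never logged. If forcing the single target device works for the virtual hard disk, prefer that to patching; otherwise keep the `self.log.warning(...)` call and drop only the `continue`, so the log still records that a non-USB device was accepted. The hunk is also pinned to line 595 of a python2.7 path, so the surrounding step should state which Tails release it was cut against.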
--- /usr/lib/python2.7/dist-packages/tails_installer/gui.py 2018-01-22 14:59:40.000000000 +0100
+++ /usr/lib/python2.7/dist-packages/tails_installer/gui.py.mod 2018-03-05 05:15:00.000000000 -0800
@@ -568,16 +568,6 @@ class TailsInstallerWindow(Gtk.ApplicationWindow):
self.devices_with_persistence.append(info['parent'])
continue
pretty_name = self.get_device_pretty_name(info)
- # Skip devices with non-removable bit enabled
- if not info['removable']:
- message =_('The USB stick "%(pretty_name)s"'
- ' is configured as non-removable by its'
- ' manufacturer and Tails will fail to start on it.'
- ' Please try installing on a different model.') % {
- 'pretty_name': pretty_name
- }
- self.status(message)
- continue
# Skip too small devices, but inform the user
if not info['is_device_big_enough_for_installation']:
message =_('The device "%(pretty_name)s"'
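Review bot: in gui.py the deleted `if not info['removable']:` branch is the only place the user is told that Tails "will fail to start" on a non-removable device, and after this hunk such a device is offered with no message at all. The page depends on a later manual step (deleting live-media=removable from live*.cfg) to deal with that, so either keep the `self.status(message)` call and remove only the `continue`, or add a comment in the patch pointing at the follow-up step. As written, a reader who applies the patch and skips the edit is left with the failure the removed message described and nothing that explains it.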
- Now run the following two commands in a Terminal in your Tails VM:
sudo patch -p0 -d/ < installer.patch
sudo /usr/bin/python -tt /usr/bin/tails-installer -u -n --clone -P -m -x
- The Tails Installer will appear. Click Install Tails.
- Once complete, navigate to Applications, Utilities and open Disks.
- Click on the disk named “Tails” and click the Play icon to mount the disk.
- Next open /media/amnesia/Tails/syslinux/live*.cfg and delete all instances of live-media=removable.
- Shut down the VM.
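The live*.cfg edit in the step before shutdown can be scripted and verified instead of done by hand. The following is an added example, not part of the SecureDrop documentation; the function name strip_live_media and the .orig backup copies are assumptions of this example, and the sample config text is constructed.

```shell
# Added example, not from the SecureDrop docs.
# Removes every live-media=removable token from DIR/live*.cfg and confirms
# that none is left. DIR defaults to the mount point named in the step above.
strip_live_media() {
    dir="${1:-/media/amnesia/Tails/syslinux}"
    seen=0
    for cfg in "$dir"/live*.cfg; do
        [ -f "$cfg" ] || continue
        seen=$((seen + 1))
        grep -q 'live-media=removable' "$cfg" || continue
        # Keep the untouched file beside the edited one.
        cp -p "$cfg" "$cfg.orig" || return 1
        # Drop the token together with one leading space, so the remaining
        # boot parameters on the line stay separated by single spaces.
        sed 's/ \{0,1\}live-media=removable//g' "$cfg.orig" > "$cfg" || return 1
    done
    [ "$seen" -gt 0 ] || { echo "no live*.cfg found under $dir" >&2; return 1; }
    # Verify: list (on stderr) and fail if any config still has the parameter.
    if grep -l 'live-media=removable' "$dir"/live*.cfg >&2; then
        return 1
    fi
    return 0
}

# In the Tails VM, with the "Tails" disk mounted:  strip_live_media
# Dry run on a constructed config (sample text, not a real Tails file):
demo_dir=$(mktemp -d)
printf 'label live\n  append boot=live config live-media=removable nopersistence\n' \
    > "$demo_dir/live.cfg"
strip_live_media "$demo_dir" && cat "$demo_dir/live.cfg"
```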
Boot to Tails Hard Drive Install
Now we will remove the CD and boot to the Tails we just installed on our virtual hard drive. From macOS you should:
- Click the VM in the sidebar of VirtualBox and click Settings.
- Click Storage and select the Tails .iso under Controller: IDE.
- Click the CD icon, then Remove Disk from Virtual Drive.
- Click Ok.
- Start the VM.
Configure Persistence
Now in your booted Tails VM you should:
- Configure an admin password when prompted.
- Copy the following patch to the Tails VM and save it as persistence.patch:
--- /usr/share/perl5/Tails/Persistence/Setup.pm 2017-06-30 09:56:25.000000000 +0000
+++ /usr/share/perl5/Tails/Persistence/Setup.pm.mod 2017-07-20 07:17:48.472000000 +0000
@@ -404,19 +404,6 @@
my @checks = (
{
- method => 'drive_is_connected_via_a_supported_interface',
- message => $self->encoding->decode(gettext(
- "Tails is running from non-USB / non-SDIO device %s.")),
- needs_drive_arg => 1,
- },
- {
- method => 'drive_is_optical',
- message => $self->encoding->decode(gettext(
- "Device %s is optical.")),
- must_be_false => 1,
- needs_drive_arg => 1,
- },
- {
method => 'started_from_device_installed_with_tails_installer',
message => $self->encoding->decode(gettext(
"Device %s was not created using Tails Installer.")),
- To apply the patch, from the Terminal run:
sudo patch -p0 -d/ < persistence.patch
- Navigate to Applications then Tails and click Configure persistent volume. Configure a persistent volume enabling all persistence options.
Allow the Guest to Create Symlinks
Finally, you’ll need to allow the guest to create symlinks, which are disabled by default in VirtualBox.
Shut down the Tails VM, and in your host run:
VBoxManage setextradata "Admin Workstation" VBoxInternal2/SharedFoldersEnableSymlinksCreate/securedrop 1
Note
If you named your Tails VM something other than “Admin Workstation”, you can run VBoxManage list vms to get the name of the Virtual Machine.
Finally, restart VirtualBox.
Configure Networking
In order to communicate with the server VMs, you’ll need to attach this
virtualized Admin Workstation to the securedrop network.
Warning
If you named the SecureDrop repository something other than securedrop, you should connect your VM to the network of the same name.
With the Admin Workstation VM turned off, you should:
- Click on the VM in VirtualBox.
- Click Settings.
- Click Network and then Adapter 2.
- Enable this network adapter and attach it to the Internal Network called securedrop.
- Click OK and start the VM.
Now you should be able to boot to Tails, decrypt the Persistent volume,
navigate to ~/Persistent/securedrop and proceed with the production install.
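The RAM and Adapter 2 settings chosen in the GUI steps above can be checked from the host before relying on the VM. This is an added example, not part of the SecureDrop documentation; check_vm_settings is a hypothetical helper that reads the output of VBoxManage showvminfo --machinereadable on stdin, and the sample input at the end is constructed.

```shell
# Added example, not from the SecureDrop docs. check_vm_settings is a
# hypothetical helper; it reads machine-readable VM info on stdin.
check_vm_settings() {
    want_net="${1:-securedrop}"   # internal network expected on Adapter 2
    info=$(cat)
    rc=0
    # Print the value of one key=value line, with surrounding quotes removed.
    get() {
        printf '%s\n' "$info" |
            awk -F= -v k="$1" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
    }
    mem=$(get memory)
    case "$mem" in
        ''|*[!0-9]*) echo "memory: not reported" >&2; rc=1 ;;
        *) [ "$mem" -ge 2048 ] ||
               { echo "memory: $mem MB, need at least 2048" >&2; rc=1; } ;;
    esac
    nic=$(get nic2)
    [ "$nic" = "intnet" ] ||
        { echo "Adapter 2: '${nic:-none}', expected intnet" >&2; rc=1; }
    net=$(get intnet2)
    [ "$net" = "$want_net" ] ||
        { echo "Adapter 2 network: '${net:-none}', expected $want_net" >&2; rc=1; }
    return "$rc"
}

# On the host (pass a different network name if the repository is not
# called securedrop):
#   VBoxManage showvminfo "Admin Workstation" --machinereadable | check_vm_settings securedrop
# Dry run on constructed sample output (no VirtualBox needed):
printf 'memory=2048\nnic2="intnet"\nintnet2="securedrop"\n' |
    check_vm_settings && echo "VM settings match"
```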
Linux
For the Linux instructions, you will use KVM/libvirt to create a Tails VM that
you can use to install SecureDrop on app-prod and mon-prod.
Create a VM using virt-manager
Follow the Tails virt-manager instructions for running Tails from a USB image. Then proceed with booting to the USB drive, and configure Persistent Storage.
We recommend cloning the SecureDrop repository into the persistent volume for testing and development, instead of attempting to mount a folder from the host operating system.