Passphrases

Each individual with a role (admin or journalist) at a given SecureDrop instance must generate and retain a number of strong, unique passphrases. The document is an overview of the passphrases, keys, two-factor secrets, and other credentials that are required for each role in a SecureDrop installation.

Note

We encourage each end user to use KeePassX, an easy-to-use password manager included in Tails, to generate and retain strong and unique passphrases. We have created a template password database that you can use to get started. For more information, see the Tails Guide.

Admin

The admin will be using the Admin Workstation with Tails to connect to the App Server and the Monitor Server using Tor and SSH. The tasks performed by the admin will require the following set of passphrases:

  • A password for the persistent volume on the Admin Live USB.
  • A master password for the KeePassX password manager, which unlocks passphrases to:
    • The App Server and the Monitor Server (required to be the same).
    • The network firewall.
    • The SSH private key and, if set, the key’s passphrase.
    • The GPG key that OSSEC will encrypt alerts to.
    • The admin’s personal GPG key.
    • The credentials for the email account that OSSEC will send alerts to.
    • The Hidden Services values required to connect to the App and Monitor Server.

The admin will also need to have an Android or iOS device with the Google Authenticator app installed. This means the admin will also have the following two credentials:

  • The secret code for the App Server’s two-factor authentication.
  • The secret code for the Monitor Server’s two-factor authentication.

Journalist

The journalist will be using the Journalist Workstation with Tails to connect to the Document Interface. The tasks performed by the journalist will require the following set of passphrases:

  • A master password for the persistent volume on the Tails device.
  • A master password for the KeePassX password manager, which unlocks passphrases to:
    • The Hidden Service value required to connect to the Document Interface.
    • The Document Interface.
    • The journalist’s personal GPG key.

The journalist will also need to have a two-factor authenticator, such as an Android or iOS device with Google Authenticator installed, or a YubiKey. This means the journalist will also have the following credential:

  • The secret code for the Document Interface’s two-factor authentication.

Secure Viewing Station

The journalist will be using the Secure Viewing Station with Tails to decrypt and view submitted documents. The tasks performed by the journalist will require the following passphrases:

  • A master password for the persistent volume on the Tails device.

The backup that is created during the installation of SecureDrop is also encrypted with the application’s GPG key. The backup is stored on the persistent volume of the Admin Live USB.