Upgrade from 0.3.x to 0.4.x

Beginning with SecureDrop 0.4, the use of Tails 3 is required. SecureDrop 0.4 included substantial changes to the Admin tooling used for managing the configuration for the Application and Monitor Servers, and modifies the location of the configuration on Admin Workstation to prevent conflicts in the future.

Note

All Admin and Journalist Workstations must be upgraded to Tails 3 for use with SecureDrop 0.4.x. Follow the Upgrade Tails from 2.x to 3.x guide for detailed instructions on upgrading if you have not already done so.

The steps below should be performed on both the Admin and all Journalist Workstations associated with your SecureDrop instance. You do not need to run these steps on the Secure Viewing Station.

Pull the latest release

Open a Terminal and navigate to your SecureDrop directory.

cd ~/Persistent/securedrop

Stash your local configuration, fetch the latest code, and verify the tag for the latest release (0.4.1):

git stash save "site specific configs"
git fetch
git tag -v 0.4.1

The output of the above commands should include Good signature from "SecureDrop Release Signing Key". If it does not, please contact us immediately at support@freedom.press.

Note

You may also see output from GPG warning you that the key is not certified with a trusted signature. This means that there is not a trust path to the release signing key. As long as you see the fingerprint 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77 displayed and the signature verifies as described above then you can proceed safely.

Once you’ve verified the latest release, check it out, then pop your local configuration back into place:

git checkout 0.4.1
git stash pop

Upgrade the Tails Persistence Configuration

SecureDrop 0.4.x provides more convenient tooling for configuring the ATHS info required to access the Journalist Interface. Run the following commands to install the required packages and set up the access to your SecureDrop instance.

./securedrop-admin setup
./securedrop-admin tailsconfig

Clean up old version-controlled site config

The tailsconfig task copied the site-specific configuration for your SecureDrop instance to a new location: install_files/ansible-base/group_vars/all/site-specific. Beginning with 0.4, manual edits to the inventory are no longer required, as the ATHS information is read automatically from the app-ssh-aths and mon-ssh-aths files. Therefore you should permanently store any site-specific modifications:

git stash save "old site-specific configs"

During subsequent upgrades to the SecureDrop Admin configuration, you will no longer need to perform git stash and git pop as described above.

Verify the Upgrades

Verify the Journalist Workstation and SVS USB Drives Are Successfully Updated

After you upgrade your Journalist Workstation and Secure Viewing Station, do the following to make sure they were upgraded successfully.

  1. Submit a test document to the source interface.
  2. Log in to the journalist interface.
  3. Download the test document.
  4. Transfer the test document over to the SVS.
  5. Decrypt the test document.
  6. Delete the submission.

If you are able to successfully download and decrypt your test submission, then your upgrade was successful!

Verify the Admin Workstation USB Drive Was Successfully Updated

After you upgrade your Admin Workstation, ensure that you are able to SSH into both servers. Remember you can use the following shortcuts:

ssh mon
ssh app