Upgrade from 1.6.0 to 1.7.0

Important

Please see the key reminders below regarding critical migrations of your SecureDrop servers that must be completed before April 30, 2021 to keep your instance operational.

Automatic server upgrades

As with previous releases, your servers will be upgraded to the latest version of SecureDrop automatically within 24 hours of the release.

Updating Workstations to SecureDrop 1.7.0

Using the graphical updater

On the next boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. You must have configured an administrator password on the Tails welcome screen in order to use the graphical updater.

Perform the update to 1.7.0 by clicking “Update Now”:

../_images/securedrop-updater.png

Performing a manual update

If the graphical updater fails and you want to perform a manual update instead, first delete the graphical updater’s temporary flag file, if it exists (the . before securedrop is not a typo):

rm ~/Persistent/.securedrop/securedrop_update.flag

This will prevent the graphical updater from attempting to re-apply the failed update and has no bearing on future updates. You can now perform a manual update by running the following commands:

cd ~/Persistent/securedrop
git fetch --tags
gpg --keyserver hkps://keys.openpgp.org --recv-key \
 "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 1.7.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint above matches what is on the screen of your workstation. If it does, you can check out the new release:

git checkout 1.7.0

Important

If you do see the warning “refname ‘1.7.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Finally, run the following commands:

./securedrop-admin setup
./securedrop-admin tailsconfig

Upgrading Tails

If you have already upgraded your workstations to the Tails 4 series, follow the graphical prompts to update to the latest version.

Important

If you are still running Tails 3.x on any workstation, we urge you to update to the Tails 4 series as soon as possible. Tails 3.x is no longer receiving security updates, and is no longer supported by the SecureDrop team. Please see our instructions for upgrading to Tails 4.

These instructions will be removed from a future version of this documentation.

Backing Up the Tails Workstations

USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and journalists, we recommend backing up the Tails Workstations on the occasion of a new SecureDrop release, after you have completed the upgrade process for each drive.

You can use a single storage device for backups of multiple workstations. See our Workstation Backup Guide for more information.

Migration to v3 onion services

Support for v2 onion services is being phased out and will be completely removed as part of the transition to Ubuntu 20.04. If you are not already running v3 onion services (easily recognizable by their 56 character .onion addresses), please complete the migration at your earliest convenience to keep your instance running. See our upgrade guide for details.

Note

If you have previously disabled v2 onion services, due to a bug that was fixed in SecureDrop 1.7.0, SSH access via v2 onion services may still be enabled, and you may receive OSSEC alerts warning you that v2 onion services are still running.

To fully disable v2 onion services:

  1. Make sure that your Admin Workstation is up-to-date by following the earlier steps.
  2. Run ./securedrop-admin sdconfig from the ~/Persistent/securedrop directory and confirm that all configuration settings are correct. In particular, make sure that v2 onion services are disabled, and v3 onion services are enabled.
  3. Re-run the install playbook via ./securedrop-admin install.

We apologize for the inconvenience. Please contact us if you have any questions about this process.

Preparing for Ubuntu 20.04

The current server operating system, Ubuntu 16.04, will no longer receive security updates after April 30, 2021. Support for Ubuntu 20.04 is planned for the SecureDrop 1.8.0 release, scheduled for March 9, 2021. We recommend that you schedule a two-day maintenance window between March 9 and April 30.

Before then, we encourage you to take preparatory steps to ensure that the migration will go smoothly.

Getting Support

Should you require further support with your SecureDrop installation, we are happy to help!

  • Community support is available at https://forum.securedrop.org
  • If you are already a member of our support portal, please don’t hesitate to open a ticket there. If you would like to request access, please contact us at securedrop@freedom.press (GPG encrypted). Note that your ticket will be visible to all support portal users at your organization; if this is a concern, reach out by email to the above address or to a staff member directly.
  • The Freedom of the Press Foundation offers training and priority support services. See https://securedrop.org/priority-support/ for more information.