Upgrade from 2.5.2 to 2.6.0
Update Servers to SecureDrop 2.6.0
Servers running Ubuntu 20.04 will be updated to the latest version of SecureDrop automatically within 24 hours of the release.
Update Workstations to SecureDrop 2.6.0
Updating Tails and replacing short passphrases
Before upgrading your Workstations to SecureDrop 2.6.0, we strongly recommend that you first upgrade to Tails 5.14, which includes important updates to disk encryption and passphrase hashing algorithms.
We also recommend updating all other encrypted drives to LUKS2, and ensuring you have strong passphrases.
We have issued a Security Advisory, which provides detailed instructions for updating the Workstations, as well as any other encrypted drives. You can find that advisory on the SecureDrop website.
Using the graphical updater
If you encounter errors with the graphical updater, perform a manual update. This will ensure that you have imported the new SecureDrop release signing key.
On the next boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. You must have configured an administrator password on the Tails welcome screen in order to use the graphical updater.
Perform the update to 2.6.0 by clicking “Update Now”:
Performing a manual update
If the graphical updater fails and you want to perform a manual update instead,
first delete the graphical updater’s temporary flag file, if it exists (the
securedrop is not a typo):
This will prevent the graphical updater from attempting to re-apply the failed update and has no bearing on future updates. You can now perform a manual update by running the following commands:
cd ~/Persistent/securedrop git fetch --tags gpg --keyserver hkps://keys.openpgp.org --recv-key \ "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3" git tag -v 2.6.0
The output should include the following two lines:
gpg: using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3 gpg: Good signature from "SecureDrop Release Signing Key <firstname.lastname@example.org>" [unknown]
Please verify that each character of the fingerprint above matches what is on the screen of your workstation. A warning that the key is not certified is normal and expected. If the output includes the lines above, you can check out the new release:
git checkout 2.6.0
Finally, run the following commands:
./securedrop-admin setup ./securedrop-admin tailsconfig
Follow the graphical prompts to update to the latest version of the Tails operating system on your Admin and Journalist Workstations.
If you have not already done so, you must manually upgrade from the Tails 4 release series to the Tails 5 series.
Upgrade from Tails 4 to Tails 5
You must upgrade your workstations to the latest version of SecureDrop by following
the steps above before upgrading to the Tails 5 series. You can verify the version
of SecureDrop by running
git status in your
The output should include “HEAD detached at 2.6.0”.
The Tails 5 series is based on Debian 11 (“Bullseye”). Among the most noticeable
changes is the switch to a new frontend for GnuPG called Kleopatra. Once you
upgrade your Secure Viewing Station, you will need to use Kleopatra to open
.gpg files. Please see our Journalist Guide
for more information.
You must perform the upgrade to Tails 5 manually. You need a blank USB drive that you can install the latest release in the Tails 5 series on from scratch. You will use this drive to upgrade your Journalist Workstation(s), your Admin Workstation(s), and your Secure Viewing Station(s).
The persistent storage volumes of your USB drives will be migrated as part of this upgrade, but we still highly recommend backing them up first. Follow the steps for updating Tails manually.
Fore each Journalist and Admin Workstation, perform the following additional steps to complete the upgrade:
Boot the USB drive
On the Tails welcome screen, unlock the persistent volume and configure an administrator password
Open a terminal (Applications ▸ Utilities ▸ Terminal)
Run the following commands:
cd ~/Persistent/securedrop/admin rm -rf .venv3 cd .. ./securedrop-admin setup
When prompted by Tails to “Install Only Once” or “Install Every Time”, click Install Every Time (this is a change from previous versions of Tails).
Back Up the Tails Workstations
USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and journalists, we recommend backing up the Tails Workstations on the occasion of a new SecureDrop release, after you have completed the upgrade process for each drive.
You can use a single storage device for backups of multiple workstations. See our Workstation Backup Guide for more information.
Apply Any Available Firewall Updates
As part of SecureDrop maintenance, we recommend checking for software updates for the hardware firewall, which may need to be applied manually. If you are using one of the recommended firewalls, see Keeping pfSense up to Date or see Keeping OPNSense up to Date.
Should you require further support with your SecureDrop installation, we are happy to help!
Community support is available at https://forum.securedrop.org
If you are already a member of our support portal, please don’t hesitate to open a ticket there. If you would like to request access, please contact us at email@example.com (GPG encrypted). Note that your ticket will be visible to all support portal users at your organization; if this is a concern, reach out by email to the above address or to a staff member directly.
The Freedom of the Press Foundation offers training and priority support services. See https://securedrop.org/priority-support/ for more information.