Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use the new Tails Persistent Storage copy option where applicable #492

Merged
merged 7 commits into from
Nov 19, 2024
Merged

Use the new Tails Persistent Storage copy option where applicable #492

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
711838d
eliminate a round trip between existing and new Admin Workstations du…
cfm Aug 17, 2023
972069b
Modify admin onboarding workflow based on new Tails Persistent Storag…
nathandyer Aug 24, 2023
4ae52eb
Document process for making remote SVS using the Tails Persistent Sto…
nathandyer Aug 24, 2023
f7b6b1b
Replace references to the Tails Installer with Tails Cloner
nathandyer Sep 6, 2023
c18076b
Merge branch 'main' into tails-copy-pv
nathandyer Oct 7, 2024
18edb46
Document clearing KeePassXC recycle bin
nathandyer Oct 7, 2024
86f5d8e
Add steps for mounting AW1 to fix AW2 SSH operations
nathandyer Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 28 additions & 45 deletions docs/admin/deployment/onboarding_admins.rst
View file
Open in desktop
nathandyer marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -31,60 +31,43 @@ To set up AW2, follow these steps:
and `set an admin password on the welcome screen <https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/>`__
2. Ensure that Tails and the SecureDrop version on AW1 are up-to-date.
If not, update now by following the :ref:`most recent upgrade guide <latest_upgrade_guide>`.
3. Insert the empty AW2 USB drive.
4. Launch the Tails installer (**Applications ▸ Tails ▸ Tails Installer**) and install Tails on AW2.
This will delete all data on the AW2 USB drive.
5. Shut down AW1.
6. Boot AW2.
7. Configure its persistent volume (**Applications ▸ Tails ▸ Configure persistent volume**).
Set a unique passphrase for AW2 and record it securely. Enable all persistence options.
8. Reboot AW2, unlock its persistent volume, and set an admin password on the welcome screen.
9. Open the file manager (**Applications ▸ Accessories ▸ Files**).
10. Insert AW1. It should show up in the list of storage devices in the file manager under
a label like "7.0 GB Encrypted". Click the label and enter the drive
password when prompted to unlock it.
11. In a terminal, type the following command:

``rsync -a /media/amnesia/TailsData/Persistent/securedrop ~/Persistent``
3. Log into the *Journalist Interface* using your admin credentials, and create
a new user account with admin rights. Record its passphrase securely;
you will add it to the password manager on AW2.

This will copy *only* the ``securedrop`` directory from AW1 to AW2.
(You will need to on-board the new admin's 2FA device to complete this step.
If this is not possible yet, you can defer it until later.)
4. Insert the empty AW2 USB drive.
5. Launch the Tails Cloner (**Applications ▸ Tails ▸ Tails Cloner**).
Select the option to **Clone the current Tails.** This will delete all data on the AW2 USB drive.
6. Check the box marked **Clone the current Persistent Storage.**
7. Click **Install**.
8. Choose a unique passphrase for AW2 and record it securely.
nathandyer marked this conversation as resolved.
Show resolved Hide resolved
9. Shut down AW1.
10. Boot AW2 and unlock the Persistent Storage.
11. Open the KeePassXC database, remove any unneeded credentials from AW1, and store
nathandyer marked this conversation as resolved.
Show resolved Hide resolved
the new account credentials you created in step 3.
12. Generate a new keypair on AW2 using the following command:
nathandyer marked this conversation as resolved.
Show resolved Hide resolved

``ssh-keygen -t rsa -b 4096``

When prompted, store the keypair in the default location.
13. Shut down AW2.
14. Boot AW1, unlock its persistent volume, and set an admin password on
the welcome screen.
15. Open the file manager (**Applications ▸ Accessories ▸ Files**).
16. Insert AW2 and unlock it.
17. In a terminal, type the following commands to authorize the newly created SSH keypair
on your servers:

``ssh-copy-id -i /media/amnesia/TailsData/openssh-client/id_rsa.pub app``
``ssh-copy-id -i /media/amnesia/TailsData/openssh-client/id_rsa.pub mon``
18. Log into the *Journalist Interface* using your admin credentials, and create
a new user account with admin rights. Record its passphrase securely;
you will add it to the password manager on AW2.

(You will need to on-board the new admin's 2FA device to complete this step.
If this is not possible yet, you can defer it until later.)
19. Shut down AW1.
20. Boot AW2, unlock its persistent volume, and set an admin password
on the welcome screen.
21. Boot into AW2 and run the command ``./securedrop-admin tailsconfig`` in
``~/Persistent/securedrop``.
12. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``.

This will set up desktop shortcuts and SSH access.
22. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``).
23. Confirm that you are able to access the *Source Interface* and the *Journalist
13. In a terminal, type the following commands to authorize the newly created SSH keypair
on your servers:

* ``ssh-add``
* ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa``
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we've booted AW2 in new step (10), then /media/amnesia/TailsData is AW1's persistent storage. Don't we still need old step (12) to mount AW1 and old step (17) to unmount it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cfm I don't believe so; /media/amnesia/tailsData should be AW2's persistent storage, not AW1s. Unlike the original instructions, we're never actually copying directly from AW1 to AW2 (I mean that in the spiritual sense, rather than literal - the contents of that persistent volume are being copied, it's just a more transparent operation during the drive creation process). With the Tails Cloner, AW1's persistent storage gets duplicated as AW2's during the cloning (because of the option checked in new step 6). So when you shut down AW1, boot into AW2, and then unlock the storage, at that point AW1 is completely out of the picture.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting for the sake of posterity here within the ticket: I just had a great conversation with @cfm, who explained that the issue here is that step 12 (as it stands) overwrites the existing SSH key, so that step 14 is no longer possible due to the original SSH key (needed for adding the new SSH key to the servers) is not available.

The fix to this is to add a few additional steps to insert AW1, unlock persistent storage, perform step 14, then remove AW1 again.

Commit incoming.

* ``ssh-copy-id app``
* ``ssh-copy-id mon``
* ``ssh-add -D``
14. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``).
15. Confirm that you are able to access the *Source Interface* and the *Journalist
Interface* using the desktop shortcuts.
24. :ref:`Initialize a passphrase database <keepassxc_setup>` on AW2.
Store the admin account details using KeePassXC, and other account
information this admin will need in the course of administering this
system.
25. Shut down AW2.
26. :doc:`Back up AW2 <../maintenance/backup_workstations>`.
16. Shut down AW2.
17. :doc:`Back up AW2 <../maintenance/backup_workstations>`.

You can now provide AW2 to the new administrator. Ensure that they store the
disk encryption passphrase in a secure manner: in most configurations, it is the
Expand Down
54 changes: 18 additions & 36 deletions docs/admin/deployment/remote.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,9 +96,6 @@ In order to create a new SVS for remote use, you will need the following:
and microphones. A computer used as an SVS should never be used
for any other purpose.

* An up-to-date Tails USB (the primary Tails USB). You do not need to set up
persistent storage on this device, as it will not be used during the SVS
setup process.
* The current SVS USB, and its persistent volume’s passphrase
* A USB key to act as the new SVS USB

Expand All @@ -107,38 +104,23 @@ Creating New SVS USB Drives

To create the new SVS USB:

1. Boot into Tails using the primary Tails USB on the air-gapped workstation.
When you see the welcome dialog, you can proceed without enabling persistence
or setting an admin password.
2. Install Tails on the new SVS USB, following the instructions
`here. <https://tails.boum.org/install/clone/pc/index.en.html>`_
3. Boot into the new SVS USB and enable persistence with a strong passphrase
(a 6-word Diceware passphrase is recommended). In the Persistent volume
configuration wizard, be sure to enable persistence for “GnuPG - GnuPG
Keyrings and configuration”.
4. Temporarily store the persistent volume passphrase in your password manager.
You should delete it once you have given the USB and passphrase to the
journalist who will be using them.
5. Reboot the new SVS USB with persistence enabled and an administration
password set.
6. Plug the current SVS USB into a free port on the workstation.
7. Mount its persistent volume by browsing to Places > Computer, clicking
the USB disk in the left-hand column, and entering its persistent volume’s
passphrase.
8. Open a terminal via Applications > Favorites > Terminal
9. Copy the current SVS’s GPG keychain (which includes the *Submission Key*) to
the new SVS USB using the following command (without linebreaks):

.. code:: sh

sudo bash -c "rsync -a --no-specials --no-devices \
/media/amnesia/TailsData/gnupg/ \
/live/persistence/TailsData_unlocked/gnupg/"


10. Eject and remove the current SVS USB.
11. Verify that the *Submission Key* is present with the correct fingerprint on
the new SVS USB via Applications > Utilities > Passwords and Keys.
1. Boot into the current SVS using the air-gapped workstation.
When you see the welcome dialog, unlock the persistent storage
volume.
2. Insert the new (empty) SVS USB.
3. Launch the Tails Cloner (**Applications ▸ Tails ▸ Tails Cloner**).
Select the option to **Clone the current Tails**.
This will delete any data on the new SVS drive.
4. Check the box marked **Clone the current Persistent Storage**.
5. Click **Install**.
6. Choose a strong new passphrase for the new Persistent Storage Volume
(a 6-word Diceware passphrase is recommended) and record it securely.
nathandyer marked this conversation as resolved.
Show resolved Hide resolved
7. After the process is complete, power off the SVS.
8. Boot to the new SVS USB, unlock the Persistent Storage, and
enable all the options in the Persistent Storage settings.
9. Verify that the *Submission Key* is present with the correct fingerprint on
the new SVS USB via Applications > Utilities > Passwords and Keys.


The new SVS should now be ready for use. The journalist that will be checking
submissions will need the new SVS USB, its Persistent Volume passphrase, and
Expand Down Expand Up @@ -224,4 +206,4 @@ your SecureDrop instance, we recommend the following steps:
In most cases, restoring the instance, whether in their original hosting
location or elsewhere, is a matter of reconnecting the servers to the
firewall, attaching a WAN connection that allows unfiltered access to Tor to
the firewall WAN port, and powering everything on.
the firewall WAN port, and powering everything on.