Generate the SecureDrop Submission Key¶
When a document or message is submitted to SecureDrop by a source, it is automatically encrypted with the SecureDrop Submission Key. The private part of this key is only stored on the Secure Viewing Station which is never connected to the Internet. SecureDrop submissions can only be decrypted and read on the Secure Viewing Station.
We will now prepare the Secure Viewing Station and generate the SecureDrop Submission Key.
Ensure Filenames are Preserved¶
In order to preserve filenames when you decrypt submissions, on each Secure Viewing Station, you should open a Terminal and type the following commands:
cd /live/persistence/TailsData_unlocked/dotfiles cp ~/.bashrc . echo "/usr/bin/dconf write /org/gnome/nautilus/preferences/automatic-decompression false" >> .bashrc
This only needs to be done once on each Secure Viewing Station. After a reboot it will persist.
Correct the system time¶
After booting up Tails on the Secure Viewing Station, you will need to manually set the system time before you create the SecureDrop Submission Key. Be sure to enable admin privileges before you do this. In Tails 3.x, you enable admin privileges by clicking the + button under Additional Settings, then navigating to Administration Password. Enter an administration password and then click Start Tails.
To set the system time:
- Click the upper right down arrow in the menu bar and select the wrench icon:
- Then click Date & Time.
- Click Unlock. Type in the administrator password you set when you started up Tails.
- Set the correct time, region and city.
- Click Lock, exit Settings and wait for the system time to update in the top panel.
Once that’s done, follow the steps below to create the key.
Create the key¶
Navigate to Applications ▸ Terminal to open a terminal .
In the terminal, run
When it says Please select what kind of key you want, choose “(1) RSA and RSA (default)”.
When it asks What keysize do you want?, type
When it asks Key is valid for?, press Enter. This means your key does not expire.
It will let you know that this means the key does not expire at all and ask for confirmation. Type y and hit Enter to confirm.
- Next it will prompt you for user ID setup. Use the following options:
- Real name: “SecureDrop”
- Email address: leave this field blank
[Your Organization's Name] SecureDrop Submission Key
GPG will confirm these options. Verify that everything is written correctly. Then type
(O)kayand hit enter to continue:
A box will pop up (twice) asking you to type a passphrase. Since the key is protected by the encryption on the Tails persistent volume, it is safe to simply click OK without entering a passphrase.
The software will ask you if you are sure. Click Yes, protection is not needed.
Wait for the key to finish generating.
Export the public key¶
To manage GPG keys using the graphical interface (a program called Seahorse), click the clipboard icon in the top right corner and select “Manage Keys”. Click “GnuPG keys” and you should see the key that you just generated.
- Select the key you just generated and click “File” then “Export”.
- Save the key to the Transfer Device as
SecureDrop.pub.asc, and make sure you change the file type from “PGP keys” to “Armored PGP keys” which can be switched at the bottom of the Save window. Click the ‘Export’ button after switching to armored keys.
This is the public key only.
You’ll need to provide the fingerprint of this new key during the installation. Double-click on the newly generated key and change to the Details tab. Write down the 40 hexadecimal digits under Fingerprint.
Your fingerprint will be different from the one in the example screenshot.
At this point, you are done with the Secure Viewing Station for now. You can shut down Tails, grab the admin Tails USB and move over to your regular workstation.