Set up the Servers

Now that the firewall is set up, you can plug the Application Server and the Monitor Server into the firewall. If you are using a setup where there is a switch on the LAN port, plug the Application Server into the switch and plug the Monitor Server into the OPT1 port.

Install Ubuntu

Note

Installing Ubuntu is simple and may even be something you are very familiar with, but we strongly encourage you to read and follow this documentation exactly as there are some “gotchas” that may cause your SecureDrop set up to break.

The SecureDrop Application Server and Monitor Server run Ubuntu Server 14.04.5 LTS (Trusty Tahr). To install Ubuntu on the servers, you must first download and verify the Ubuntu installation media. You should use the Admin Workstation to download and verify the Ubuntu installation media.

Download the Ubuntu installation media

The installation media and the files required to verify it are available on the Ubuntu Releases page. You will need to download the following files:

If you’re reading this documentation in the Tor Browser on the Admin Workstation, you can just click the links above and follow the prompts to save them to your Admin Workstation. We recommend saving them to the /home/amnesia/Persistent/Tor Browser directory on the Admin Workstation, because it can be useful to have a copy of the installation media readily available.

Alternatively, you can use the command line:

cd ~/Persistent
torify curl -OOO http://releases.ubuntu.com/14.04.5/{ubuntu-14.04.5-server-amd64.iso,SHA256SUMS{,.gpg}}

Note

Downloading Ubuntu on the Admin Workstation can take a while because Tails does everything over Tor, and Tor is typically slow relative to the speed of your upstream Internet conenction.

Verify the Ubuntu installation media

You should verify the Ubuntu image you downloaded hasn’t been modified by a malicious attacker or otherwise corrupted. We can do so by checking its integrity with cryptographic signatures and hashes.

First, we will download Ubuntu Image Signing Key and verify its fingerprint.

gpg --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"

Note

It is important you type this out correctly. If you are not copy-pasting this command, we recommend you double-check you have entered it correctly before pressing enter.

Again, when passing the full public key fingerprint to the --recv-key command, GPG will implicitly verify that the fingerprint of the key received matches the argument passed.

Caution

If GPG warns you that the fingerprint of the key received does not match the one requested do not proceed with the installation. If this happens, please email us at securedrop@freedom.press.

Verify the SHA256SUMS file and move on to the next step if you see “Good Signature” in the output.

gpg --verify SHA256SUMS.gpg SHA256SUMS

The next and final step is to verify the Ubuntu image.

sha256sum -c <(grep ubuntu-14.04.5-server-amd64.iso SHA256SUMS)

If the final verification step is successful, you should see the following output in your terminal.

ubuntu-14.04.5-server-amd64.iso: OK

Caution

If you do not see the line above it is not safe to proceed with the installation. If this happens, please contact us at securedrop@freedom.press.

Create the Ubuntu installation media

To create the Ubuntu installation media, you can either burn the ISO image to a CD-R or create a bootable USB stick. As a reliable method we recommend using the dd command to copy the hybrid ISO directly to a USB drive rather than a utility like UNetbootin which can result in errors. Once you have a CD or USB with an ISO image of Ubuntu on it, you may begin the Ubuntu installation on both SecureDrop servers.

To use dd you first need to find where the USB device you wish to install Tails on has been mapped. Simply running the command lsblk in the terminal will give you a list of your block storage device mappings (this includes hard drives and USB). If the USB you are writing the Ubuntu installer to is of a different size or brand than the USB you are running Tails from, it should be easy to identify which USB has which sdX identifier. If you are unsure, try running lsblk before and after plugging in the USB you are using for the Ubuntu installer.

If your USB is mapped to /dev/sdX and you are currently in the directory that contains the Ubuntu ISO, you would use dd like so:

sudo dd conv=fdatasync if=ubuntu-14.04.5-server-amd64.iso of=/dev/sdX

Perform the Installation

The steps below are the same for both the Application Server and the Monitor Server.

Start by inserting the Ubuntu installation media into the server. Boot or reboot the server with the installation media inserted, and enter the boot menu. To enter the boot menu, you need to press a key as soon as you turn the server on. This key varies depending on server model, but common choices are Esc, F2, F10, and F12. Often, the server will briefly display a message on boot that shows which key should be pressed to enter the boot menu. Once you’ve entered the boot menu, select the installation media (USB or CD) and press Enter to boot it.

After booting the Ubuntu image, select Install Ubuntu Server.

Ubuntu Server

Follow the steps to select your language, country and keyboard settings. Once that’s done, let the installation process continue.

Configure the network manually

The Ubuntu installer will try to autoconfigure networking for the server you are setting up; however, SecureDrop requires manual network configuration. You can hit Cancel at any point during network autoconfiguration to be given the choice to Configure the network manually.

If network autoconfiguration completes before you can do this, the next window will ask for your hostname. To get back to the choice of configuring the network manually, Cancel the step that asks you to set a hostname and choose the menu option that says Configure the network manually instead.

For a production install with a pfSense network firewall in place, the Application Server and the Monitor Server are on separate networks. You may choose your own network settings at this point, but make sure the settings you choose are unique on the firewall’s network and remember to propagate your choices through the rest of the installation process.

Below are the configurations you should enter, assuming you used the network settings from the network firewall guide for the recommended 4 NIC firewall. If you did not, adjust these settings accordingly.

  • Application Server:
  • Server IP address: 10.20.2.2
  • Netmask (default is fine): 255.255.255.0
  • Gateway: 10.20.2.1
  • For DNS, use Google’s name servers: 8.8.8.8 and 8.8.4.4
  • Hostname: app
  • Domain name should be left blank
  • Monitor Server:
  • Server IP address: 10.20.3.2
  • Netmask (default is fine): 255.255.255.0
  • Gateway: 10.20.3.1
  • For DNS, use Google’s name servers: 8.8.8.8 and 8.8.4.4
  • Hostname: mon
  • Domain name should be left blank

Continue the installation

You can choose whatever username and password you would like. To make things easier later you should use the same username and same password on both servers (but not the same password as username). Make sure to save this password in your admin KeePassX database afterwards.

Click ‘no’ when asked to encrypt the home directory. Then configure your time zone.

Partition the disks

Before setting up the server’s disk partitions and filesystems in the next step, you will need to decide if you would like to enable *Full Disk Encryption (FDE)*. If the servers are ever powered down, FDE will ensure all of the information on them stays private in case they are seized or stolen.

Warning

The Ansible playbooks for SecureDrop will enable nightly reboots after the cron-apt task runs for automatic updates. Using FDE would therefore require manual intervention every morning. Consequently we strongly discourage the use of FDE.

While FDE can be useful in some cases, we currently do not recommend that you enable it because there are not many scenarios where it will be a net security benefit for SecureDrop operators. Doing so will introduce the need for more passwords and add even more responsibility on the administrator of the system (see this GitHub issue for more information).

If you wish to proceed without FDE as recommended, choose the installation option that says Guided - use entire disk and set up LVM.

However, if you decide to go ahead and enable FDE, please note that doing so means SecureDrop will become unreachable after an automatic reboot. An administrator will need to be on hand to enter the password in order to decrypt the disks and complete the startup process, which will occur anytime there is an automatic software update, and also several times during SecureDrop’s installation. We recommend that the servers be integrated with a monitoring solution that so that you receive an alert when the system becomes unavailable.

To enable FDE, select Guided - use entire disk and set up encrypted LVM during the disk partitioning step and write the changes to disk. Follow the recommendations as to choosing a strong password. As the administrator, you will be responsible for keeping this passphrase safe. Write it down somewhere and memorize it if you can. If inadvertently lost it could result in total loss of the SecureDrop system.

After selecting either of those options you may be asked a few questions about overwriting anything currently on the server you are using. Select yes. You do not need an HTTP proxy, so when asked, you can just click continue.

Finish the installation

Wait for the base system to finish installing. When you get to the Configure tasksel screen, choose No automatic updates. The subsequent SecureDrop installation will include a task that handles regular software updates.

Note

The Ansible playbooks for SecureDrop will configure automatic updates via cron-apt. As part of the automatic update process, the servers will reboot nightly. See the OSSEC guide for example notifications generated by the reboots.

When you get to the software selection screen, only choose OpenSSH server by hitting the space bar.

Caution

Hitting enter before the space bar will force you to start the installation process over.

Once OpenSSH Server is selected, hit Continue.

You will then have to wait for the packages to finish installing.

When the packages are finished installing, Ubuntu will automatically install the bootloader (GRUB). If it asks to install the bootloader to the Master Boot Record, choose Yes. When everything is done, reboot.

Save the Configurations

When you are done, make sure you save the following information:

  • The IP address of the Application Server
  • The IP address of the Monitor Server
  • The non-root user’s name and password for the servers.

Test Connectivity

Now that both the network firewall and the servers are connected and configured, you should make sure you can connect from the Admin Workstation to both of the servers before continuing with the installation.

In a terminal, verify that you can SSH into both servers, authenticating with your password:

$ ssh <username>@<App IP address> hostname
app
$ ssh <username>@<Monitor IP address> hostname
mon

Tip

If you cannot connect, check the network firewall logs for clues.

Set up SSH keys

Ubuntu’s default SSH configuration authenticates users with their passwords; however, public key authentication is more secure, and once it’s set up it is also easier to use. In this section, we will create a new SSH key for authenticating to both servers. Since the Admin Live USB was set up with SSH Client Persistence, this key will be saved on the Admin Live USB and can be used in the future to authenticate to the servers in order to perform administrative tasks.

First, generate the new SSH keypair:

ssh-keygen -t rsa -b 4096

You’ll be asked to “Enter file in which to save the key” Type Enter to use the default location.

Given that this key is on the encrypted persistence of a Tails USB, you do not need to add an additional passphrase to protect the key. If you do elect to use a passphrase, note that you will need to manually type it (Tails’ pinentry will not allow you to copy and paste a passphrase).

Once the key has finished generating, you need to copy the public key to both servers. Use ssh-copy-id to copy the public key to each server, authenticating with your password:

ssh-copy-id <username>@<App IP address>
ssh-copy-id <username>@<Mon IP address>

Verify that you are able to authenticate to both servers by running the below commands. You should not be prompted for a passphrase (unless you chose to passphrase-protect the key you just created).

$ ssh <username>@<App IP address> hostname
app
$ ssh <username>@<Monitor IP address> hostname
mon

Minor Admin Tasks

DNS

The network firewall rules are set up to disable DNS traffic to the gateway, so if your system has not set nameservers, DNS queries will fail. You can test this by running host freedom.press. If the host isn’t found, or there is some other sort of failure, check the pfSense logs. You may see UDP traffic to the gateway on port 53 being blocked.

If this is the case, you need add the following lines to /etc/resolvconf/resolv.conf.d/tail

nameserver 8.8.8.8
nameserver 8.8.4.4

Then run sudo dpkg-reconfigure resolvconf. This will update /etc/resolv.conf to include the new name servers. Verify that host freedom.press succeeds.

System Date

The ansible playbooks you will run later depend on the system clock being set accurately, so run sudo ntpdate on both servers.