Upgrade from 0.3.x to 0.4.x¶
Beginning with SecureDrop 0.4, the use of Tails 3 is required. SecureDrop 0.4 included substantial changes to the Admin tooling used for managing the configuration for the Application and Monitor Servers, and modifies the location of the configuration on Admin Workstation to prevent conflicts in the future.
All Admin and Journalist Workstations must be upgraded to Tails 3 for use with SecureDrop 0.4.x. Follow the Upgrade Tails from 2.x to 3.x guide for detailed instructions on upgrading if you have not already done so.
The steps below should be performed on both the Admin and all Journalist Workstations associated with your SecureDrop instance. You do not need to run these steps on the Secure Viewing Station.
Pull the Latest Release¶
Open a Terminal and navigate to your SecureDrop directory.
Stash your local configuration, fetch the latest code, and verify the tag for the latest release (0.4.1):
git stash save "site specific configs" git fetch git tag -v 0.4.1
The output of the above commands should include
Good signature from
"SecureDrop Release Signing Key". If it does
not, please contact us immediately at email@example.com.
You may also see output from GPG warning you that the key is not certified
with a trusted signature. This means that there is not a trust path to the
release signing key. As long as you see the fingerprint
2224 5C81 E3BA EB41
38B3 6061 310F 5612 00F4 AD77 displayed and the signature verifies as
described above then you can proceed safely.
Once you’ve verified the latest release, check it out, then pop your local configuration back into place:
git checkout 0.4.1 git stash pop
Upgrade the Tails Persistence Configuration¶
SecureDrop 0.4.x provides more convenient tooling for configuring the ATHS info required to access the Journalist Interface. Run the following commands to install the required packages and set up the access to your SecureDrop instance.
./securedrop-admin setup ./securedrop-admin tailsconfig
Clean Up Old Version-Controlled Site Config¶
tailsconfig task copied the site-specific configuration for your
SecureDrop instance to a new location:
Beginning with 0.4, manual edits to the inventory are no longer required, as the ATHS
information is read automatically from the
mon-ssh-aths files. Therefore you should permanently store any
git stash save "old site-specific configs"
During subsequent upgrades to the SecureDrop Admin configuration, you will no
longer need to perform
git stash and
git pop as described above.
Verify the Upgrades¶
Verify the Journalist Workstation and SVS USB Drives Are Successfully Updated¶
After you upgrade your Journalist Workstation and Secure Viewing Station, do the following to make sure they were upgraded successfully.
- Submit a test document to the source interface.
- Log in to the journalist interface.
- Download the test document.
- Transfer the test document over to the SVS.
- Decrypt the test document.
- Delete the submission.
If you are able to successfully download and decrypt your test submission, then your upgrade was successful!
Verify the Admin Workstation USB Drive Was Successfully Updated¶
After you upgrade your Admin Workstation, ensure that you are able to SSH into both servers. Remember you can use the following shortcuts:
ssh mon ssh app