Backup and Restore
Warning
SecureDrop Workstation is in a limited beta phase, and is not recommended for general use at this time. See our blog post for more information.
Qubes OS has a backup utility that allows for backup and restoration of user-specified VMs.
To perform backups, you will need:
a LUKS-encrypted external hard drive, with at least 50GB space
a secure place to store backup credentials (such as a password manager on your primary laptop)
Backup
Preserve files from dom0
Preserve key configuration files by copying them into the vault VM.
In a dom0 Terminal via Q ▸ Terminal Emulator:
cd /usr/share/securedrop-workstation-dom0-config
qvm-copy-to-vm vault {config.json,sd-journalist.sec}
Open a vault Terminal and verify that the files were copied successfully:
head -n1 ~/QubesIncoming/dom0/sd-journalist.sec # line contains "BEGIN PGP PRIVATE KEY BLOCK"
grep -q hostname ~/QubesIncoming/dom0/config.json && echo OK # line is "OK"
Note
If you have made advanced customizations to your Qubes Workstation, you may need to back up additional components of dom0. Refer to the Qubes documentation or contact Support.
Back up SecureDrop Workstation
Ensure your storage medium is plugged in, attached to sd-devices, and unlocked.
Navigate to Q ▸ Qubes Tools ▸ Backup Qubes, and move all VMs from “Selected” to “Available” by pressing the << button.
To target a VM for backup, highlight it and move it into the “Selected” column by pressing the > button. Select:
the vault VM
any customized VMs that you may wish to preserve.
You do not need to back up the sd- VMs.
Click “Next”, and in “Backup destination,” specify the VM and directory corresponding to your storage medium’s current mount point.
Set a strong, unique backup passphrase (7-word diceware), and ensure this passphrase is stored securely outside SecureDrop Workstation.
Note
This passphrase protects sensitive components of your SecureDrop instance, including the Submission Private Key. Ensure that it is a very strong password and is stored securely.
Uncheck “save backup profile,” then proceed with the backup.
Qubes OS recommends verifying the integrity of the backup once the backup completes. This can be done by using the Restore Backup GUI tool and selecting “Verify backup integrity, but do not restore the data.” For details, see the Qubes OS backup documentation.
Restore
Reinstall Qubes OS
To restore SecureDrop Workstation, follow our pre-install tasks to provision a Qubes OS system complete with updated base templates.
Rename or delete redundant AppVMs
By default, Qubes OS will create the AppVMs personal, work, untrusted and vault as part of the installation process. Rename or delete any of these newly created AppVMs whose names conflict with the AppVMs you intend to restore from a backup.
Example: If you restore only vault, rename or delete the existing vault VM prior to restoring the backup. You can do so in Q > Domain: vault > vault: Qube Settings (the VM must not be running).
Restore Backup
Plug in your backup medium and unlock it as during the backup. By default on a new system, your peripheral devices will be managed by a VM called sys-usb.
Navigate to Q ▸ Qubes Tools ▸ Restore Backup, and enter the location of the backup file. You do not need to adjust the default Restore options, unless you have made customizations to the backup. Enter the decryption/verification passphrase, and proceed to restoring the available qubes (which should include the vault VM).
Reinstall SecureDrop Workstation
If you do not already have a work VM, create it with default networking settings:
qvm-create -l blue work
Then, download and verify the SecureDrop Workstation .rpm to the work VM and copy it to dom0.
Once you have a valid .rpm file in dom0, install the .rpm by running:
sudo dnf install securedrop-workstation.rpm
Retrieve the previous SecureDrop Workstation configuration from the vault VM:
qvm-run --pass-io vault "cat QubesIncoming/dom0/sd-journalist.sec" > /tmp/sd-journalist.sec
qvm-run --pass-io vault "cat QubesIncoming/dom0/config.json" > /tmp/config.json
Optionally, inspect each file before proceeding. The first file should be an ASCII-armored GPG private key file. The second file should follow the format of the example configuration file, with values for its fields (e.g., hostname, submission_key_fpr) specific to your configuration. The file may be formatted in a single line without whitespace.
Copy both files into place:
sudo cp /tmp/{sd-journalist.sec,config.json} /usr/share/securedrop-workstation-dom0-config/
Verify that the configuration is valid:
sdw-admin --validate
If the above command does not produce any errors, the configuration is valid, and you may remove the configuration files from the vault VM:
qvm-run vault "rm QubesIncoming/dom0/{config.json,sd-journalist.sec}"
Finally, reinstall SecureDrop Workstation:
sdw-admin --apply
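The optional inspection of the two retrieved files, scripted as an added example (not part of SecureDrop Workstation): it checks that the key file carries the private key armor header and footer, and that the configuration parses as JSON with non-empty hostname and submission_key_fpr values. The function names, the lookup at any nesting depth (the page does not show the file's layout) and the 40-hex-character fingerprint format are assumptions; the sample inputs are constructed.

```python
import json
import re
import sys
from pathlib import Path

ARMOR_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_END = "-----END PGP PRIVATE KEY BLOCK-----"
FIELDS = ("hostname", "submission_key_fpr")  # the two fields this page names
# Constructed samples: no real key material, and the JSON layout is made up.
SAMPLE_KEY = f"{ARMOR_BEGIN}\n\nCONSTRUCTED-SAMPLE-NOT-A-KEY\n{ARMOR_END}\n"
SAMPLE_CONFIG = '{"submission_key_fpr":"' + "AB" * 20 + '","svc":{"hostname":"example.invalid"}}'

def find_field(node, name):
    """Return the first non-None value under key `name` in nested JSON objects."""
    if not isinstance(node, dict):
        return None
    if node.get(name) is not None:
        return node[name]
    nested = (find_field(child, name) for child in node.values())
    return next((v for v in nested if v is not None), None)

def check_private_key(text):
    """Return problems found in the ASCII-armored private key text."""
    lines = [ln.strip() for ln in text.strip().splitlines()] or [""]
    checks = ((lines[0], ARMOR_BEGIN, "first line is not the private key armor header"),
              (lines[-1], ARMOR_END, "last line is not the private key armor footer"))
    return [msg for got, want, msg in checks if got != want]

def check_config(text):
    """Return problems found in config.json; single-line JSON is accepted."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    values = {name: find_field(config, name) for name in FIELDS}
    problems = [f"missing or empty field: {n}" for n, v in values.items()
                if not (isinstance(v, str) and v.strip())]
    fpr = values["submission_key_fpr"]
    # Assumption: the fingerprint is 40 hex characters (an OpenPGP v4 key).
    if isinstance(fpr, str) and fpr.strip() and not re.fullmatch(r"[0-9A-Fa-f]{40}", fpr.strip()):
        problems.append("submission_key_fpr is not 40 hex characters")
    return problems

if __name__ == "__main__":
    # Arguments: key file path, config file path; with none, the samples are checked.
    texts = [Path(p).read_text() for p in sys.argv[1:3]]
    key_text, config_text = texts if len(texts) == 2 else (SAMPLE_KEY, SAMPLE_CONFIG)
    problems = check_private_key(key_text) + check_config(config_text)
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

A clean result only means the files look structurally right; sdw-admin --validate remains the authoritative check.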