SecureDrop Workstation Installation Overview

Overview

SecureDrop Workstation must be installed on a system running Qubes OS. The installation and configuration process should take between 4 and 6 hours, including time spent waiting for downloads and updates. At a high level, the tasks to be performed are as follows:

Pre-install tasks:

  1. Rotate legacy passphrases (for pre-2018 installations)

  2. Apply BIOS updates and check settings

  3. Download and verify Qubes OS

  4. Install Qubes OS

  5. (Hardware-dependent) Apply USB fixes

  6. Apply updates to system templates

  7. Install and update Fedora 40 base template

Install tasks:

  1. Copy the submission key

  2. Copy Journalist Interface details

  3. Copy SecureDrop login credentials

  4. Download and install SecureDrop Workstation

  5. Configure SecureDrop Workstation

  6. Test the Workstation

Prerequisites

In order to install SecureDrop Workstation and configure it to use an existing SecureDrop instance, you will need the following:

  • A Qubes-compatible computer with at least 16GB of RAM (32 GB is recommended). SecureDrop Workstation has mainly been tested against Lenovo T480, T490 and T14 - see Qubes’ Hardware Compatibility List and the SecureDrop Workstation Recommended hardware page for more options .

  • Qubes installation medium - this guide assumes the use of a USB 3.0 stick. Qubes may also be installed via optical media, which may make more sense depending on your security concerns.

    Note

    A USB stick with a Type-A connector is recommended, as USB-C ports may be disabled on your computer when the BIOS settings detailed below are applied.

  • The SecureDrop instance’s Admin Workstation and Secure Viewing Station (SVS) USBs, and the full GPG fingerprint of the submission key.

  • (Optional, for a single-user workstation) The Journalist Workstation USB for the intended user of this workstation, if you want to import their SecureDrop login credentials into the workstation’s password manager.

  • The passphrases required to unlock the persistent volumes on each of these USB drives.

  • A working computer (Linux is recommended and assumed in this guide) to use for verification and creation of the Qubes installation medium.

    Note

    A Tails USB can be used to perform the tasks below, but due to the size of the Qubes installation ISO, it may make sense to download it on another computer rather than via Tor, and then to use a USB stick to transfer it to Tails for verification and creation of the installation medium.

  • A password manager or other system to generate and store strong passphrases for Qubes full disk encryption (FDE) and user accounts.

A basic knowledge of the Qubes OS is helpful.