Upgrading to Fedora 34


SecureDrop Workstation is in a limited beta phase, and is not recommended for general use at this time. See our blog post for more information.

Why do I need to upgrade?

SecureDrop Workstation makes use of several Fedora-based VMs which are part of a Qubes installation by default, including sys-firewall, sys-net, sys- usb, work, and vault . In Qubes 4.0.4, these VMs are based on a Fedora 32 template, which reached end-of-life on May 25, 2021.

If you are provisioning SecureDrop Workstation for the first time, you will need to update your Fedora template manually to Fedora 34 before installing SecureDrop Workstation.

If you are an existing SecureDrop Workstation user, SecureDrop Workstation will install the template automatically when updates are applied, but you should also manually configure VMs not managed by SecureDrop Workstation to use the Fedora 34 template.

Install Fedora-34 template

In a dom0 terminal (Qubes Application Menu > Terminal Emulator), type the following to download the Fedora 34 template:

sudo qubes-dom0-update qubes-template-fedora-34

You will see some information from the package manager, including a progress bar.

When the download has concluded, you will be prompted to install the package. Type y to proceed with the installation.

Update the Fedora-34 template

Once the template installation is complete, update the template using the Qubes Updater. Click Q > System Tools > Qubes Update in the application menu. Click the checkbox “Enable updates for qubes without known updates” option, and click the checkbox next to fedora-34. Click Next and wait for any available updates to be downloaded and applied.

Configure VMs to use the new template

To apply the template to VMs that currently use an older version, open the Qube Manager via Q > System Tools > Qube Manager. All VMs will be visible at a glance; to change a VM’s settings, right-click it and select Qube Settings.

In the Qube Settings window, select fedora-34 from the drop-down menu beside Template, then click OK.


You should perform this process for:

  • work

  • vault

  • sys-net

  • sys-usb

  • sys-firewall

  • default-mgmt-dvm.

Existing SecureDrop Workstation users may perform this process for work and vault only, as the other VMs will be updated by SecureDrop Workstation.

Reboot the system to ensure the changes take effect. Alternatively, you can restart only the VMs you have updated. If you get a sys-whonix prompt asking how you want to connect to the Tor network, select the “Connect” option, which allows a direct connection to the Tor network.


You can also use the Qubes Template Manager (also in Q > System Tools) to make template changes. However, note that it will not allow you to make template changes for VMs that are currently running, so you may have to manually shut down VMs in the correct order to do so.

Getting Support

If you are part of the SecureDrop Workstation Pilot and you have questions about this process or about any other aspect of SecureDrop Workstation, please reach out to us.