Upgrading to Fedora 38
Warning
SecureDrop Workstation is currently in a closed beta, and we do not recommend installing it for production purposes independently. See our blog post for more information.
Why do I need to upgrade?
SecureDrop Workstation makes use of several Fedora-based VMs which are part of
a Qubes installation by default, including sys-firewall, sys-net, sys-usb,
work, and vault. In Qubes 4.1.2, these VMs are based on a
Fedora 37 template, which reached end-of-life on December 5, 2023.
If you are provisioning SecureDrop Workstation for the first time, you will need to update your Fedora template manually to Fedora 38 before installing SecureDrop Workstation.
If you are an existing SecureDrop Workstation user, SecureDrop Workstation will install the template automatically when updates are applied, but you should also manually configure VMs not managed by SecureDrop Workstation to use the Fedora 38 template.
Install Fedora-38 template
In a dom0 terminal (Qubes Application Menu > Terminal Emulator), type
the following to download the Fedora 38 template:
sudo qvm-template install fedora-38
You will see some information from the template manager, including a progress bar.
When the download has concluded, you will be prompted to install the package.
Type y to proceed with the installation.
Update the Fedora-38 template
Once the template installation is complete, update the template using the Qubes
Updater. Click Q > Qubes Tools > Qubes Update in the application menu.
Select the “Enable updates for qubes without known updates” checkbox,
then select the checkbox next to fedora-38. Click Next and wait for
any available updates to be downloaded and applied.
Configure VMs to use the new template
To apply the template to VMs that currently use an older version, open the Qube Manager via Q > Qubes Tools > Qube Manager. All VMs will be visible at a glance; to change a VM’s settings, right-click it and select Qube Settings.
In the Qube Settings window, select fedora-38 from the drop-down menu
beside Template, then click OK.
You should perform this process for:
work
vault
sys-net
default-mgmt-dvm
Create a new disposable VM template based on Fedora 38 by running
the following commands in dom0:
qvm-create -l red -t fedora-38 fedora-38-dvm
qvm-prefs fedora-38-dvm template_for_dispvms True
qvm-features fedora-38-dvm appmenus-dispvm 1
qubes-prefs default-dispvm fedora-38-dvm
Now, switch the templates for sys-usb and sys-firewall to fedora-38-dvm
using the same process that you used above.
Reboot the system to ensure the changes take effect. Alternatively, you can
restart only the VMs you have updated. If you get a sys-whonix prompt asking how you want to connect to the Tor network, select the “Connect” option, which allows a direct connection to the Tor network.
Tip
You can also use the Qubes Template Manager (also in Q > Qubes Tools) to make template changes. However, note that it will not allow you to make template changes for VMs that are currently running, so you may have to manually shut down VMs in the correct order to do so.
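To confirm that none of the VMs named in the steps above was left on the end-of-life template, you can audit the template assignments from dom0. The script below is an added example, not part of the SecureDrop Workstation tooling; the function names and the sample listing are constructed for illustration, and it assumes qvm-ls --raw-data prints one "name|template" line per VM.

```shell
# Added example, not SecureDrop's own tooling. Run in dom0.
# Assumption: qvm-ls --raw-data prints one "name|template" line per VM.

# Template each VM should use once the steps on this page are done.
expected_template() {
    case "$1" in
        work|vault|sys-net|default-mgmt-dvm|fedora-38-dvm) echo fedora-38 ;;
        sys-usb|sys-firewall) echo fedora-38-dvm ;;
        *) return 1 ;;  # VM not covered by this page
    esac
}

# Reads "name|template" lines on stdin, prints one line per problem,
# and returns 1 if any VM is on the wrong template or was not listed.
check_templates() {
    ct_seen=" "; ct_rc=0
    while IFS='|' read -r ct_name ct_tmpl; do
        ct_want=$(expected_template "$ct_name") || continue
        ct_seen="$ct_seen$ct_name "
        if [ "$ct_tmpl" != "$ct_want" ]; then
            echo "MISMATCH $ct_name: template=$ct_tmpl expected=$ct_want"
            ct_rc=1
        fi
    done
    for ct_name in work vault sys-net default-mgmt-dvm fedora-38-dvm \
                   sys-usb sys-firewall; do
        case "$ct_seen" in
            *" $ct_name "*) ;;
            *) echo "MISSING $ct_name"; ct_rc=1 ;;
        esac
    done
    return "$ct_rc"
}

# Constructed sample listing: vault and sys-usb were missed in the migration.
sample_listing() {
    printf '%s\n' 'dom0|-' 'fedora-38|-' 'work|fedora-38' 'vault|fedora-37' \
        'sys-net|fedora-38' 'default-mgmt-dvm|fedora-38' \
        'fedora-38-dvm|fedora-38' 'sys-usb|fedora-37-dvm' \
        'sys-firewall|fedora-38-dvm'
}

# On a real system, audit the live VM list.
if command -v qvm-ls >/dev/null 2>&1; then
    qvm-ls --raw-data --fields NAME,TEMPLATE | check_templates \
        && echo "All VMs named on this page use the Fedora 38 templates"
fi
```

A MISMATCH line names a VM whose template still needs to be switched in Qube Settings; a MISSING line means a VM listed on this page does not exist on the system.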
Getting Support
If you are part of the SecureDrop Workstation Pilot and you have questions about this process or about any other aspect of SecureDrop Workstation, please reach out to us.