SecureDrop Workstation v: stable
Versions
stable
latest
Downloads
PDF
A project of Freedom of the Press Foundation · Privacy Policy
SecureDrop Workstation Logo

Overview

  • Introduction
  • SecureDrop Workstation Architecture
  • SecureDrop Workstation Project Status
  • Limitations and known issues
  • Supported Filetypes

Journalist Guide

  • Starting Qubes
  • Starting the SecureDrop Client
  • Communicating with sources
  • Working with submissions
  • Ending your session
  • FAQ

Admin Guide: Installation

  • SecureDrop Workstation Installation Overview
  • Pre-install Tasks
  • Installing SecureDrop Workstation
  • Troubleshooting Installation Errors

Admin Guide: Reference

  • Recommended hardware
    • Qubes OS hardware requirements
    • Lenovo X1 series laptops
      • Lenovo ThinkPad X1 Carbon (10th-generation)
    • Lenovo T series laptops
      • Lenovo ThinkPad T14 (2nd-generation)
        • Ethernet controller
      • Lenovo ThinkPad T490 (with 8th-generation Intel Core processor)
      • Lenovo ThinkPad T480
    • Upgrading the BIOS on Lenovo ThinkPad laptops
    • USB-C ports
  • Keeping the Workstation secure
  • Managing Clipboard Access
  • Reviewing and exporting logs
  • Troubleshooting connection problems
  • Troubleshooting system updates
  • Provisioning Export USB devices
  • Backup and Restore
SecureDrop Workstation
  • Recommended hardware
  • Edit on GitHub

Recommended hardware

Qubes OS hardware requirements

In order to install and use SecureDrop Workstation, you will need a Qubes-Compatible computer with the following specifications:

  • 64-bit Intel or AMD processor with virtualization support

  • a minimum of 32GB RAM

  • sufficient disk space for the Qubes OS base install and SecureDrop Workstation VMs (a 128GB or greater SSD is recommended)

We recommend against a device that requires an external USB keyboard for security reasons.

More information on hardware compatibility can be found on the Qubes OS System Requirements page, and information on specific systems can be found via the hardware compatibility list.

In order to print submissions, a supported non-networked printer is required. We have tested and recommend the HP LaserJet Pro M404n. More printer options will be added in future releases.

Lenovo X1 series laptops

Lenovo ThinkPad X1 Carbon (10th-generation)

The 10th-generation ThinkPad X1 Carbon with a 12th-generation Intel Core processor is a recommended option for the SecureDrop Workstation beginning with Qubes 4.1. If you plan to use it:

  • If your laptop has come with Ubuntu preinstalled, run its Software Updater twice as follows:

    1. to install software updates, especially for the fwupd package; and then

    2. to run fwupd to update the BIOS automatically.

    If Software Updater offers to run fwupd during step (1), decline until step (2), to make sure fwupd itself has received its latest security updates.

  • Otherwise, follow the instructions below to ensure that the BIOS is up to date.

You’ll need to have a USB-to-Ethernet adapter on hand in order to apply Qubes updates, which will enable Wi-Fi and fix glitchy video rendering and cursor performance.

Lenovo T series laptops

Lenovo ThinkPad T14 (2nd-generation)

The 2nd-generation ThinkPad T14 with an 11th-generation Intel Core processor is a recommended option for the SecureDrop Workstation beginning with Qubes 4.1. If you plan to use it:

  • If your laptop has come with Ubuntu preinstalled, run its Software Updater twice as follows:

    1. to install software updates, especially for the fwupd package; and then

    2. to run fwupd to update the BIOS automatically.

    If Software Updater offers to run fwupd during step (1), decline until step (2), to make sure fwupd itself has received its latest security updates.

  • Otherwise, follow the instructions below to ensure that the BIOS is up to date.

The Ethernet and Wi-Fi controllers may not work without one-time manual configuration, as documented in the following sections.

Ethernet controller

After Qubes starts for the first time, when sys-net fails to start, follow the instructions below for the Lenovo ThinkPad T490 (with 8th-generation Intel Core processor), but only for the dom0:00_1f.6 Ethernet device.

Lenovo ThinkPad T490 (with 8th-generation Intel Core processor)

The ThinkPad T490 with an 8th-generation Intel Core processor is a recommended option for the SecureDrop Workstation. If you plan to use it, you should follow the instructions below to ensure that the BIOS is up to date and adequately configured before proceeding with the installation.

Caution

The versions of the T490 with 10th generation Intel Core processors are at present untested and unsupported. The Workstation has been tested on models 20N2002AUS & 20N20046US.

Lenovo ThinkPad T480

The ThinkPad T480 is also a recommended option for SecureDrop Workstation, as it is being used by the core team for development and testing. If you plan to use it, you should follow the instructions below to ensure that the BIOS is up to date and adequately configured before proceeding with the installation:

Upgrading the BIOS on Lenovo ThinkPad laptops

The instructions below assume the use of a Linux-based computer for the creation of a BIOS upgrade USB. To upgrade the BIOS:

  • Locate the ThinkPad’s “machine type” in its BIOS setup program:

    1. Boot (or reboot) the ThinkPad and follow the prompts to enter setup, usually via the <Enter> and <F1> keys.

    2. On the Main tab, look for the Machine Type Model. The first four characters, such as 20L5, 20L6, or 20S0, are the machine type.

  • Visit https://support.lenovo.com in the Linux-based computer. Type the machine type found above into the search bar, then press Enter.

  • In the “Product Home” page, select Drivers And Software and choose BIOS/UEFI.

  • Download the file called either BIOS Update (Bootable CD) or BIOS Update (Utility & Bootable CD).

Note

A Tails USB can be used for the verification and conversion process described below, but the Lenovo support site blocks requests over Tor, preventing the ISO download. To work around this, either:

  • download the BIOS ISO on a different computer and transfer it to Tails using a USB stick, or

  • download the ISO in Tails using the Unsafe Browser as follows:

    • Start Tails with an administration password set and the Unsafe Browser enabled under “Additional Settings” on the Welcome Screen.

    • Open the Unsafe Browser: Applications > Internet > Unsafe Browser and find and download the ISO

    • Note the filename, as you’ll need it for subsequent steps.

    • Leave the Unsafe Browser running, and open a terminal via Applications > System Tools > Terminal.

    • Copy the ISO to the desktop with the command:

      sudo cp /var/lib/unsafe-browser/chroot/home/clearnet/Downloads/<fileName.iso> ~amnesia/Desktop

    • Fix the ISO file’s ownership with the command:

      sudo chown amnesia:amnesia ~amnesia/Desktop/<fileName.iso>

  • Verify the checksum of the downloaded ISO file using the following command, comparing it against the checksum in the file listing above:

    sha256sum /path/to/downloaded.iso

  • Create a USB-bootable version of the ISO using the command:

    geteltorito <path/to/CDISO> > usb-bios.iso

    Note

    To install the geleltorito utility on Debian-based systems, use the command

    sudo apt install genisoimage

    To install it on Fedora-based systems, use the command:

    sudo dnf install geteltorito genisoimage

  • Plug in a USB and check its device name with the lsblk command - use the root device name below, not a partition (eg. /dev/sdc instead of /dev/sdc1).

  • Write the BIOS update ISO to the USB using the following command:

    sudo dd if=usb-bios.iso of=/dev/sdX bs=1M && sync

    where sdX is the device name verified above.

    Caution

    The dd command will wipe data on the targeted device. Make sure that you use the correct device name.

    Once complete, remove the USB.

  • Plug the USB into the ThinkPad.

  • Boot the ThinkPad and follow the prompts to enter its startup and boot menus, likely via the <Enter> and <F12> keys, respectively.

  • Follow the on-screen instructions to update the BIOS, including any mandatory reboots. Note that the instructions may refer to an update CD instead of your update USB.

USB-C ports

If you intend to use USB-C ports, please note that our recommended BIOS settings will disable dual USB-C/Thunderbolt ports (recognizable by the Thunderbolt logo next to the port). The T480, for example, includes two USB-C ports, specified as follows:

  • 1 x USB 3.1 Gen 1 Type-C (Power Delivery, DisplayPort, Data transfer)

  • 1 x USB 3.1 Gen 2 Type-C / Intel Thunderbolt 3 (Power Delivery, DisplayPort, Data transfer)

The first of these ports will continue to function as a USB-C port. After disabling Thunderbolt, the second port can no longer be used for Thunderbolt or for USB-C data transfer, but it can still be used for power delivery (i.e. to plug in your AC adapter). If you are unsure about the features of your laptop’s USB-C ports, or if you are using a different make or model, please consult the technical specifications of your laptop for further information.

Previous Next

© Copyright 2020-2022, Freedom of the Press Foundation and Contributors.

Built with Sphinx using a theme provided by Read the Docs.