A project of Freedom of the Press Foundation


Recommended hardware

Qubes OS hardware requirements

In order to install and use SecureDrop Workstation, you will need a Qubes-compatible computer with the following specifications:

  • 64-bit Intel processor with virtualization support

  • a minimum of 32GB RAM

  • sufficient disk space for the Qubes OS base install and SecureDrop Workstation VMs (a 128GB or greater SSD is recommended)

More information on hardware compatibility can be found on the Qubes OS System Requirements page.
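
An added example, not part of the SecureDrop documentation: a shell script that checks a candidate machine against the minimums listed above, intended to be run from an ordinary Linux live session before Qubes is installed. The script name `check.sh`, the 5% allowance for memory reserved by firmware and graphics, and the decimal reading of 128GB are assumptions.

```shell
#!/bin/sh
# Added example: compare a candidate laptop with the minimums listed above.
# The 5% RAM allowance is an assumption, not a SecureDrop or Qubes figure.
MIN_RAM_KB=$((32 * 1024 * 1024 * 95 / 100))    # 32 GB less firmware/GPU reservations
MIN_DISK_BYTES=$((128 * 1000 * 1000 * 1000))   # 128 GB as marketed (decimal)

# cpu_ok FILE: Intel vendor plus the 64-bit ("lm") and VT-x ("vmx") flags
cpu_ok() {
    grep -q '^vendor_id[[:space:]]*:[[:space:]]*GenuineIntel' "$1" || return 1
    flags=$(grep -m1 '^flags' "$1" | cut -d: -f2)
    for want in lm vmx; do
        case " $flags " in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# ram_ok FILE: MemTotal (reported in kB) meets the adjusted minimum
ram_ok() {
    kb=$(awk '/^MemTotal:/ { print $2 }' "$1")
    [ -n "$kb" ] && [ "$kb" -ge "$MIN_RAM_KB" ]
}

# disk_ok BYTES: capacity of the disk Qubes will be installed on
disk_ok() {
    [ -n "$1" ] && [ "$1" -ge "$MIN_DISK_BYTES" ]
}

# check_host DISK: run all three checks on this machine; returns the failure count
check_host() {
    fails=0
    cpu_ok /proc/cpuinfo && echo "CPU:  ok" || { echo "CPU:  FAIL"; fails=$((fails + 1)); }
    ram_ok /proc/meminfo && echo "RAM:  ok" || { echo "RAM:  FAIL"; fails=$((fails + 1)); }
    size=$(lsblk -b -d -n -o SIZE "$1" 2>/dev/null | tr -d ' ')
    disk_ok "$size" && echo "Disk: ok" || { echo "Disk: FAIL"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage (hypothetical file name): sh check.sh --host /dev/nvme0n1
if [ "${1:-}" = "--host" ]; then
    check_host "${2:?disk device required}"
fi
```

A pass here only covers the three minimums on this page; it does not replace checking the model against the certified or tested lists described below.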

Choosing a laptop

For security reasons, we recommend against a device that requires an external USB keyboard or other externally-connected devices. In practice this usually means that you should run SecureDrop Workstation on a Qubes-compatible laptop. Not all laptops support Qubes, and some may require additional customization. We recommend (in order) either a Qubes-certified laptop, one of the laptop models we use for development and testing, or a computer from the community-maintained Qubes Hardware Compatibility List.

Qubes-certified laptops

Qubes-certified laptops are certified and tested against Qubes major releases. They must support additional security features beyond the minimal requirements above, such as the use of coreboot in place of proprietary firmware. Where possible, we recommend that you use a Qubes-certified laptop with coreboot for SecureDrop Workstation. A full list of certified computers can be found on the Qubes OS Certified Hardware page.

Note

Some certified computers also support the use of Heads with coreboot, for additional protection against advanced attacks during the boot process. Heads adds a layer of complexity to the overall user experience, but may make sense for you as an option if you have an expectation of those kinds of threats. If you have questions about Heads, or other hardware choices, contact us via the SecureDrop support portal.

FPF-tested laptops

In addition to Qubes-certified devices, we develop and test using Qubes-compatible laptops from other vendors. The following models may be used for SecureDrop Workstation, though some level of additional configuration may be required.

Framework 13 (Intel Core Ultra Series 1)

The Framework 13 laptop with an Intel Core Ultra Series 1 processor is a recommended option for the SecureDrop Workstation beginning with Qubes 4.2.

You can either order a preassembled system, or you can customize your build and assemble the laptop yourself once it is delivered, which is useful either as a cost-saving measure or in the event that you wish to customize the ports or internal components.

Framework laptops are designed to be repairable, customizable, and user-serviceable, and have grown to be a popular choice with Qubes users and SecureDrop developers.

You will want to ensure you are using the latest BIOS version available. Instructions for checking the BIOS version and performing an upgrade for the Intel Core Ultra Series 1 models can be found on this page in the Framework knowledgebase.

Note

You’ll want to be sure to install Qubes OS using the kernel-latest option, available from the initial boot menu (GRUB) prior to booting to the Qubes OS installer.

Framework 13 (13th-generation)

The Framework 13 laptop with a 13th generation Intel processor is a recommended option for the SecureDrop Workstation beginning with Qubes 4.2.

You can either order a preassembled system, or you can customize your build and assemble the laptop yourself once it is delivered, which is useful either as a cost-saving measure or in the event that you wish to customize the ports or internal components.

Framework laptops are designed to be repairable, customizable, and user-serviceable, and have grown to be a popular choice with Qubes users and SecureDrop developers.

You will want to ensure you are using the latest BIOS version available. Instructions for checking the BIOS version and performing an upgrade for the 13th generation models can be found here in the Framework knowledgebase.

Lenovo ThinkPad X1 Carbon (10th-generation)

The 10th-generation ThinkPad X1 Carbon with a 12th-generation Intel Core processor is a recommended option for the SecureDrop Workstation beginning with Qubes 4.1. If you plan to use it:

  • If your laptop has come with Ubuntu preinstalled, run its Software Updater twice as follows:

    1. to install software updates, especially for the fwupd package; and then

    2. to run fwupd to update the BIOS automatically.

    If Software Updater offers to run fwupd during step (1), decline until step (2), to make sure fwupd itself has received its latest security updates.

  • Otherwise, follow the instructions below to ensure that the BIOS is up to date.

You’ll need to have a USB-to-Ethernet adapter on hand in order to apply Qubes updates, which will enable Wi-Fi and fix glitchy video rendering and cursor performance.

Lenovo ThinkPad T14 (2nd-generation)

The 2nd-generation ThinkPad T14 with an 11th-generation Intel Core processor is a recommended option for the SecureDrop Workstation beginning with Qubes 4.1. If you plan to use it:

  • If your laptop has come with Ubuntu preinstalled, run its Software Updater twice as follows:

    1. to install software updates, especially for the fwupd package; and then

    2. to run fwupd to update the BIOS automatically.

    If Software Updater offers to run fwupd during step (1), decline until step (2), to make sure fwupd itself has received its latest security updates.

  • Otherwise, ensure the BIOS is up to date by following these instructions: Upgrading the BIOS on Lenovo ThinkPad laptops.

The Ethernet and Wi-Fi controllers may not work without one-time manual configuration, as documented in the following sections.

Ethernet controller

After Qubes starts for the first time, when sys-net fails to start, follow the troubleshooting instructions for “Unable to reset PCI device”, but only for the dom0:00_1f.6 Ethernet device.

The Qubes Hardware Compatibility List (HCL)

The Qubes Hardware Compatibility List (HCL) is a community-maintained list of hardware that has been tested by Qubes users. It consists of individual reports generated and submitted by Qubes users across the world. Anyone can attempt to install Qubes on their computer, then report back on whether or not it can be installed, if there are any issues, and overall, what the experience is like.

There are some benefits to this list:

  • A much wider selection of hardware is tested, because anyone can contribute to the list

  • There are sometimes multiple reports for a particular system, which lets you compare and feel confident the results are consistent

  • It tells you exactly what is and isn’t working within the system, so you can decide if a device you own will function well enough to suit your needs

  • Devices get tested across many different configurations and Qubes versions

However, there are some things to consider:

  • Reports are not verified for their accuracy by either the Qubes team or Freedom of the Press Foundation

  • Reports correspond to a specific Qubes OS version, and may not reflect breaking changes or expanded hardware support in the most recent Qubes OS version

For the best experience, we recommend choosing a Qubes-certified laptop, or a laptop that we have directly tested (in that order); however, if none of those suit your needs, or if you want to see if your existing hardware might be Qubes compatible, the HCL is a good choice.

Choosing a printer

In order to print submissions, a supported non-networked printer is required. We have tested and recommend the HP LaserJet Pro M404n. More printer options will be added in future releases.

© Copyright 2020-2022, Freedom of the Press Foundation and Contributors.