Overhaul Transfer Device and export recommendations

Resolves #4620 Resolves #4646 Resolves #4434 Resolves #4670 In addition to introducing the Transfer and Export Device, this commit clearly breaks out optional hardware into its own checklist, more strongly recommends purchase of a printer, and strengthens recommendations for malware mitigation. It removes some outdated recommendations and a reference to storing the journalist's GPG passphrase in KeePassX (not mentioned anywhere else). It removes instructions for journalists to set up individual GPG keys, as they are unlikely to be followed, and the more critical recommendation is to ensure tha the Export Device is encrypted. It updates the overview diagram and data flow diagram consistent with the above changes. This update also makes the diagrams more consistent with terminology and current practices. It removes OnionShare from the data flow diagram, as it is not currently mentioned elsewhere in the docs.
freedomofpress · Sep 12, 2019 · 948039b · 948039b
1 parent ed53840
commit 948039b
Show file tree

Hide file tree

Showing 29 changed files with 1,858 additions and 1,658 deletions.
diff --git a/docs/checklists/pre_install_hardware.rst b/docs/checklists/pre_install_hardware.rst
@@ -5,6 +5,10 @@ This is the *minimum* hardware that must be acquired to install SecureDrop:
 
 .. include:: ../includes/pre-install-hardware.txt
 
+Additionally, you may want to consider the following purchases:
+
+.. include:: ../includes/pre-install-hardware-optional.txt
+
 .. important:: To avoid hardware compatibility issues, we strongly recommend
   adhering to our
   :ref:`specific hardware recommendations <Specific Hardware Recommendations>`.

diff --git a/docs/diagrams/README.md b/docs/diagrams/README.md
@@ -11,8 +11,7 @@ an entry here:
   [SecureDrop website FAQ][]. Up to date at the time of this writing.
   A symbolic link to the English version of the diagram
   (`SecureDrop-en.png`).
-- `SecureDrop.svg`: Multi-lingual SVG source file used to generate
-  `SecureDrop-*.png` files for the corresponding languages.
+- `SecureDrop-en.svg`: SVG used to generate the English version
 - `SecureDrop.vsdx`: The Microsoft Visio source file used to generate
   `SecureDrop-visio.png`. For context, see [#274][].
 - `SecureDrop-0.3-DFD.png`: A WIP DFD (data flow diagram) created for

diff --git a/docs/diagrams/SecureDrop-en.png b/docs/diagrams/SecureDrop-en.png
diff --git a/docs/diagrams/SecureDrop.svg → docs/diagrams/SecureDrop-en.svg b/docs/diagrams/SecureDrop.svg → docs/diagrams/SecureDrop-en.svg
diff --git a/docs/diagrams/SecureDrop-ru.png b/docs/diagrams/SecureDrop-ru.png
diff --git a/docs/diagrams/SecureDrop_DataFlow.draw b/docs/diagrams/SecureDrop_DataFlow.draw
diff --git a/docs/diagrams/SecureDrop_DataFlow.png b/docs/diagrams/SecureDrop_DataFlow.png
diff --git a/docs/generate_submission_key.rst b/docs/generate_submission_key.rst
@@ -96,5 +96,4 @@ workstation.
 .. |Export Key| image:: images/install/exportkey.png
 .. |Export Key 2| image:: images/install/exportkey2.png
 .. |Fingerprint| image:: images/install/fingerprint.png
-.. |Nautilus| image:: images/nautilus.png
 .. |Terminal| image:: images/terminal.png
diff --git a/docs/glossary.rst b/docs/glossary.rst
@@ -149,21 +149,20 @@ authentication for devices. We recommend using one of:
 
 Transfer Device
 ---------------
-
-The *Transfer Device* is the physical media used to transfer encrypted
-documents from the *Journalist Workstation* to the *Secure Viewing
-Station*. Examples: a dedicated USB stick, CD-R, DVD-R, or SD card.
-
-If you use a USB stick for the *Transfer Device*, we recommend using a
-small one (4GB or less). It will be necessary to securely wipe the entire
-device at times, and this process takes longer for larger devices.
-
-Depending on your threat model, you may wish to only use one-time-use
-media (such as CD-R or DVD-R) for transferring files to and from the
-*SVS*. While doing so is cumbersome, it reduces the risk of malware (that
-could be run simply by opening a malicious submission) exfiltrating
-sensitive data, such as the private key used to decrypt submissions or
-the content of decrypted submissions.
-
-When we use the phrase "sneakernet" we mean physically moving documents
-with the *Transfer Device* from one computer to another.
+The *Transfer Device* is the physical media (e.g., designated USB drive) used
+to transfer encrypted documents from the *Journalist Workstation* to the
+*Secure Viewing Station*, where they can be decrypted.
+
+Please see the detailed security recommendations for the choice, configuration
+and use of your *Transfer Device* in the :doc:`journalist guide <journalist>`
+and in the :doc:`setup guide <set_up_transfer_device>`.
+
+Export Device
+-------------
+The *Export Device* is the physical media (e.g., designated USB drive) used to
+transfer decrypted documents from the *Secure Viewing Station* to a journalist's
+everyday workstation, or to another computer for additional processing.
+
+Please see the detailed security recommendations for the choice, configuration
+and use of your *Export Device* in the :doc:`journalist guide <journalist>`
+and in the :doc:`setup guide <set_up_transfer_device>` .
diff --git a/docs/hardware.rst b/docs/hardware.rst
diff --git a/docs/images/install/importkey.png b/docs/images/install/importkey.png
diff --git a/docs/images/manual/unlock-veracrypt-in-tails-1.png b/docs/images/manual/unlock-veracrypt-in-tails-1.png
diff --git a/docs/images/manual/unlock-veracrypt-in-tails-2.png b/docs/images/manual/unlock-veracrypt-in-tails-2.png
diff --git a/docs/images/manual/unlock-veracrypt-in-tails-3.png b/docs/images/manual/unlock-veracrypt-in-tails-3.png
diff --git a/docs/images/manual/unlock-veracrypt-in-tails-4.png b/docs/images/manual/unlock-veracrypt-in-tails-4.png
diff --git a/docs/images/manual/viewing6.png b/docs/images/manual/viewing6.png
diff --git a/docs/images/manual/viewing7.png b/docs/images/manual/viewing7.png
diff --git a/docs/images/manual/viewing8.png b/docs/images/manual/viewing8.png
diff --git a/docs/images/screenshots/passphrase-keyring.png b/docs/images/screenshots/passphrase-keyring.png
diff --git a/docs/includes/encrypting-drives.txt b/docs/includes/encrypting-drives.txt
@@ -0,0 +1,9 @@
+.. important::
+
+   Like all storage media associated with SecureDrop, this drive should be
+   encrypted and protected with a secure passphrase. We recommend using the
+   tools built into Tails to `encrypt the drive using LUKS <https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html>`__.
+
+   If you are planning to use hardware RAID and/or hardware-based encryption,
+   we recommend that you research Tails compatibility before a procurement
+   decision.
diff --git a/docs/includes/pre-install-hardware-optional.txt b/docs/includes/pre-install-hardware-optional.txt
@@ -0,0 +1,15 @@
+* a printer without wireless network support, to use in combination with the
+  *Secure Viewing Station*.
+* an external hard drive to expand the storage capacity of the
+  *Secure Viewing Station*.
+* an external hard drive for server backups.
+* a USB drive to store :ref:`backups of your Tails workstation drives <backup_workstations>`.
+* a network switch, if you use a firewall with fewer than four ports.
+* a hardware token for HOTP authentication, such as a YubiKey, if you want to
+  use hardware-based two-factor authentication instead of a mobile app.
+* a write blocker or USB drive with a physical write protection switch, if you
+  want to mitigate the risk of introducing malware from your network to your
+  *Secure Viewing Station* during repeated use of an *Export Device*.
+* CD-R/DVD-R writers, if you want to use CD-Rs/DVD-Rs as transfer or export
+  media, and a CD shredder that can destroy media consistent with your threat
+  model.
diff --git a/docs/includes/pre-install-hardware.txt b/docs/includes/pre-install-hardware.txt
@@ -1,12 +1,13 @@
 * 2 computers with memory and hard drives to use as the SecureDrop servers.
 * Mouse, keyboard, monitor (and necessary dongle or adapter) for
   installing the servers.
-* Dedicated physical computers for the Admin, Journalist, and Secure Viewing
-  Station that can boot to Tails. At *minimum* this is 2 computers.
+* At least 2 dedicated physical computers that can boot to Tails: one
+  computer for the *Secure Viewing Station*, and one or more computers for the
+  *Admin Workstation(s)/Journalist Workstation(s)*.
 * Dedicated airgapped hardware for the mouse, keyboard, and monitor (only if you
-  are using a desktop for the Secure Viewing Station).
+  are using a desktop for the *Secure Viewing Station*).
 * Network firewall.
 * At least 3 ethernet cables.
 * Plenty of USB sticks: 1 drive for the master Tails stick, 1 drive for each
-  Secure Viewing Station, 1 drive for each Transfer drive, and 1 drive for each
-  admin and journalist.
+  Secure Viewing Station, 1 drive for each *Transfer Device*, 1 drive for each
+  *Export Device*, and 1 drive for each admin and journalist.