diff --git a/docs/backup_and_restore.rst b/docs/backup_and_restore.rst index 59e087d7c..2557864e6 100644 --- a/docs/backup_and_restore.rst +++ b/docs/backup_and_restore.rst @@ -205,7 +205,7 @@ Migrating Using a V2+V3 or V3-Only Backup .. note:: You will be generating fresh SSH credentials for the servers, and any - other *Admin Workstation* USBs will have to be + other *Admin Workstation* USBs will have to be :ref:`provisioned with updated credentials `. #. Re-clone the SecureDrop repository to the *Admin Workstation* using the following @@ -286,8 +286,8 @@ Migrating Using a V2+V3 or V3-Only Backup cp $SD_OLD/ca.crt $SD_NEW/ #. Ensure your *Admin Workstation* is connected to a LAN port on your - network firewall, and - :ref:`configure the Admin Workstation's IP address `. + network firewall, and + :ref:`configure the Admin Workstation's IP address `. #. Install Ubuntu 20.04 on the *Application* and *Monitor Servers*, following the :doc:`server setup instructions` to install with the correct 
@@ -349,70 +349,70 @@ Repair Additional Admin Workstations If you have additional *Admin Workstation* USBs, they will no longer have valid SSH credentials and will need to be repaired. In these steps, the "primary -*Admin Workstation*" is the one which you used to complete the above migration +*Admin Workstation*" is the one which you used to complete the above migration process. -#. Prepare a fresh - :doc:`LUKS-encryped USB `. +#. Prepare a fresh + :doc:`LUKS-encrypted USB `. You may record the passphrase in your primary *Admin Workstation* - KeePassXC password manager. + KeePassXC password manager. #. Copy the following files from your primary *Admin Workstation* onto the - LUKS-encryped USB: - + LUKS-encrypted USB: + - ``~/Persistent/securedrop/install_files/ansible-base/tor_v3_keys.json`` - ``~/Persistent/securedrop/install_files/ansible-base/mon-ssh.auth_private`` - ``~/.ssh/id_rsa.pub`` - - ``~/.ssh/id_rsa`` + - ``~/.ssh/id_rsa`` |br| |br| .. note:: Alternatively, if you wish to use different SSH credentials for each *Admin Workstation*, you may do so. In this case, copy only the first two - files above to your additional *Admin Workstations*. + files above to your additional *Admin Workstations*. Generate per-machine SSH keys and use a clean LUKS-encrypted USB drive - to transfer the public portions of those keys to your primary - *Admin Workstation*, where you will then add them to the servers' - ``authorized_keys`` files, as described :ref:`here `. + to transfer the public portions of those keys to your primary + *Admin Workstation*, where you will then add them to the servers' + ``authorized_keys`` files, as described :ref:`here `. You may also `contact Support`_ for assistance. -#. Boot into each additional Admin Workstation. Set - `an administration password`_ - and unlock the persistent volume on the Tails welcome screen. +#. Boot into each additional *Admin Workstation*. 
Set + `an administration password`_ + and unlock the persistent volume on the Tails welcome screen. Once logged in, attach the LUKS-encrypted USB and unlock it. -#. Ensure that this Admin Workstation is using an up-to-date version of Tails +#. Ensure that this *Admin Workstation* is using an up-to-date version of Tails and is running the latest SecureDrop application code, |version|. - -#. As you did with the primary *Admin Workstation*, archive the existing + +#. As you did with the primary *Admin Workstation*, archive the existing SSH configuration: .. code:: sh find ~/.ssh/ -type f -exec mv {} {}.bak \; -#. From the LUKS-encrypted USB, copy ``~/.ssh/id_rsa`` and - ``~/.ssh/id_rsa.pub`` to the ``~/.ssh/`` directory. +#. From the LUKS-encrypted USB, copy ``~/.ssh/id_rsa`` and + ``~/.ssh/id_rsa.pub`` to the ``~/.ssh/`` directory. -#. From the LUKS-encrypted USB, copy ``tor_v3_keys.json`` and - ``mon-ssh.auth_private`` to the - ``~/Persistent/securedrop/install_files/ansible-base`` directory. +#. From the LUKS-encrypted USB, copy ``tor_v3_keys.json`` and + ``mon-ssh.auth_private`` to the + ``~/Persistent/securedrop/install_files/ansible-base`` directory. #. In the Terminal, type the following commands: - + .. code:: sh cd ~/Persistent/securedrop ./securedrop-admin tailsconfig -#. Test connectivity to each server by running ``ssh app uptime`` - and ``ssh mon uptime``. +#. Test connectivity to each server by running ``ssh app uptime`` + and ``ssh mon uptime``. -#. Once all *Admin Workstations* have been updated, securely wipe the files on - the LUKS-encrypted USB, by right-clicking them in the file manager and selecting +#. Once all *Admin Workstations* have been updated, securely wipe the files on + the LUKS-encrypted USB, by right-clicking them in the file manager and selecting **Wipe**. Then, reformat the device using the - **Disks** utility. + **Disks** utility. .. _contact Support: https://securedrop-support.readthedocs.io/en/latest/ .. 
_an administration password: https://tails.boum.org/doc/first_steps/welcome_screen/administration_password @@ -427,15 +427,15 @@ V2 onion services are no longer supported for new SecureDrop installs, so migration using a v2-only backup. However, it is possible to migrate submissions, source accounts, and journalist accounts. To do so, follow the steps below: -.. note:: The instructions below assume that you are using the same +.. note:: The instructions below assume that you are using the same *Admin Workstation* - that was used to manage your old instance. If you are using a new - *Admin Workstation* you will need to copy the directory + that was used to manage your old instance. If you are using a new + *Admin Workstation* you will need to copy the directory ``~amnesia/Persistent/securedrop`` from the old workstation to the new workstation (using a *Transfer Device*) before proceeding. -#. If you have not already done so, +#. If you have not already done so, :ref:`back up the existing installation `. The instructions below assume that the backup has been created and renamed ``sd-backup-old.tar.gz``. @@ -518,8 +518,8 @@ source accounts, and journalist accounts. To do so, follow the steps below: cp $SD_OLD/ossec.asc $SD_NEW/ #. Ensure your *Admin Workstation* is connected to a LAN port on your - network firewall, and - :ref:`configure the Admin Workstation's IP address `. + network firewall, and + :ref:`configure the Admin Workstation's IP address `. #. Install Ubuntu 20.04 on the *Application* and *Monitor Servers*, following the :doc:`server setup instructions` to install with the correct 
@@ -554,8 +554,8 @@ source accounts, and journalist accounts. To do so, follow the steps below: old instance's data and accounts will now be available. #. As part of this process, your .onion URLs have changed, and *Journalist* and - *Admin Workstations* will be out of date, and will need to be - :ref:`updated `. + *Admin Workstations* will be out of date, and will need to be + :ref:`updated `. #. If you have migrated to new hardware, ensure your old servers have been decommissioned and/or destroyed by following the relevant sections of @@ -590,3 +590,6 @@ If you require any assistance with migration or data recovery, please `contact Support`_. .. _contact Support: https://securedrop-support.readthedocs.io/en/latest/ +.. |br| raw:: html + +
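
Review bot: In the hunk at @@ -349,70 +349,70 @@ (Repair Additional Admin Workstations), the last item of the file list changes from ``~/.ssh/id_rsa`` to ``~/.ssh/id_rsa`` |br| |br|, which is a rendering change inside what otherwise reads as a whitespace and spelling cleanup (LUKS-encryped to LUKS-encrypted). Forced line breaks attached to the list item that names the private key are easy to miss in review and tie the layout to one output format. I would separate the list from the following ``.. note::`` with ordinary RST spacing instead, or, if the forced break is really needed, move it to its own commit and say so in the commit message.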
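
Review bot: In the final hunk (@@ -590,3 +590,6 @@), the new ``.. |br| raw:: html`` substitution is HTML-only and is defined at the very end of the file, far below the place it is used in the file list under Repair Additional Admin Workstations. A ``raw:: html`` substitution produces nothing in non-HTML builders, so the spacing it is meant to fix will differ between output formats. Please add a short RST comment above the definition explaining why it exists, and consider whether the spacing could be handled in the theme's CSS rather than in the document source.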