Incorporate review feedback and add fix for #175

Signed-off-by: ro <[email protected]>

docs/backup_and_restore.rst

@@ -204,7 +204,7 @@ Migrating Using a V2+V3 or V3-Only Backup
       find ~/.ssh/ -type f -exec mv {} {}.bak \;
 
    .. note::
-      You will be generatating fresh SSH credentials for the servers, and any
+      You will be generating fresh SSH credentials for the servers, and any
       other *Admin Workstation* USBs will have to be 
       :ref:`provisioned with updated credentials <repair_admin_usbs>`.
 
@@ -285,9 +285,9 @@ Migrating Using a V2+V3 or V3-Only Backup
       cp $SD_OLD/sd.{crt,key} $SD_NEW/
       cp $SD_OLD/ca.crt $SD_NEW/
 
-#. If you are migrating to new hardware, ensure your old servers have been
-   decommissioned and/or destroyed by following the relevant sections of
-   :doc:`our decommissioning documentation <decommission>`.
+#. Ensure your *Admin Workstation* is connected to a LAN port on your
+   network firewall, and 
+   :ref:`configure the Admin Workstation's IP address <assign_static_ip_to_workstation>`. 
 
 #. Install Ubuntu 20.04 on the *Application* and *Monitor Servers*, following
    the :doc:`server setup instructions<servers>` to install with the correct
@@ -338,6 +338,10 @@ Migrating Using a V2+V3 or V3-Only Backup
 #. :doc:`Test the new instance <test_the_installation>` to verify that the
    web interfaces are available and the servers can be reached via SSH.
 
+#. If you have migrated to new hardware, ensure your old servers have been
+   decommissioned and/or destroyed by following the relevant sections of
+   :doc:`our decommissioning documentation <decommission>`.
+
 .. _repair_admin_usbs:
 
 Repair Additional Admin Workstations
@@ -348,37 +352,50 @@ valid SSH credentials and will need to be repaired. In these steps, the "primary
 *Admin Workstation*" is the one which you used to complete the above migration 
 process.
 
-#. Prepare a fresh :doc:`Transfer Device <set_up_transfer_and_export_device>`.
-   In this case, use LUKS encryption and set a strong (7-word diceware) 
-   passphrase, which you may record in your primary *Admin Workstation*
+#. Prepare a fresh  
+   :doc:`LUKS-encryped USB <set_up_transfer_and_export_device>`.
+   You may record the passphrase in your primary *Admin Workstation*
    KeePassXC password manager. 
 
 #. Copy the following files from your primary *Admin Workstation* onto the
-   Transfer Device:
+   LUKS-encryped USB:
 
    - ``~/Persistent/securedrop/install_files/ansible-base/tor_v3_keys.json``
    - ``~/Persistent/securedrop/install_files/ansible-base/mon-ssh.auth_private``
    - ``~/.ssh/id_rsa.pub``
    - ``~/.ssh/id_rsa``
 
-#. Boot into each additional Admin Workstation, setting an administrative 
-   passphrase during startup. Once logged in, attach the Transfer Device
+   .. note::
+      Alternatively, if you wish to use different SSH credentials for each
+      *Admin Workstation*, you may do so. In this case, copy only the first two
+      files above to your additional *Admin Workstations*. 
+
+      Generate per-machine SSH keys and use a clean LUKS-encrypted USB drive
+      to transfer the public portions of those keys to your primary 
+      *Admin Workstation*, where you will then add them to the servers' 
+      ``authorized_keys`` files, as described :ref:`here <ssh_add_pubkey>`. 
+      You may also `contact Support`_ for assistance.
+
+#. Boot into each additional Admin Workstation. Set 
+   `an administration password`_ 
+   and unlock the persistent volume on the Tails welcome screen. 
+   Once logged in, attach the LUKS-encrypted USB
    and unlock it.
 
 #. Ensure that this Admin Workstation is using an up-to-date version of Tails
-   and is running the latest SecureDrop Application code, |version|.
+   and is running the latest SecureDrop application code, |version|.
 
-#. As you did with the primary *Admin Workstation* archive the existing 
+#. As you did with the primary *Admin Workstation*, archive the existing 
    SSH configuration:
 
    .. code:: sh
 
        find ~/.ssh/ -type f -exec mv {} {}.bak \;
 
-#. From the Transfer Device, copy ``~/.ssh/id_rsa`` and 
+#. From the LUKS-encrypted USB, copy ``~/.ssh/id_rsa`` and 
    ``~/.ssh/id_rsa.pub`` to the ``~/.ssh/`` directory. 
 
-#. From the Transfer Device, copy ``tor_v3_keys.json`` and 
+#. From the LUKS-encrypted USB, copy ``tor_v3_keys.json`` and 
    ``mon-ssh.auth_private`` to the 
    ``~/Persistent/securedrop/install_files/ansible-base`` directory. 
 
@@ -393,19 +410,12 @@ process.
    and ``ssh mon uptime``.       
 
 #. Once all *Admin Workstations* have been updated, securely wipe the files on 
-   the Transfer Device, by right-clicking them in the file manager and selecting 
-   **Wipe**. Do not skip this step. Then, reformat the Transfer device using the
+   the LUKS-encrypted USB, by right-clicking them in the file manager and selecting 
+   **Wipe**. Then, reformat the device using the
    **Disks** utility.   
 
-   .. note::
-      Alternatively, if you wish to use different SSH credentials for each
-      *Admin Workstation*, you may do so. In this case, use a clean Transfer
-      Device to transfer the public portions of those keys to your primary 
-      *Admin Workstation*, where you will add them to the servers' 
-      ``authorized_keys`` files, as described :ref:`here <ssh_add_pubkey>`. 
-      You may also `contact Support`_ for assistance.
-
 .. _contact Support: https://securedrop-support.readthedocs.io/en/latest/
+.. _an administration password: https://tails.boum.org/doc/first_steps/welcome_screen/administration_password
 
 .. _migrate_v2:
 
@@ -417,13 +427,16 @@ V2 onion services are no longer supported for new SecureDrop installs, so
 migration using a v2-only backup. However, it is possible to migrate submissions,
 source accounts, and journalist accounts. To do so, follow the steps below:
 
-.. note:: The instructions below assume that you are using the same *Admin Workstation*
-  that was used to manage your old instance. If you are using a new *Admin
-  Workstation* you will need to copy the directory ``~amnesia/Persistent/securedrop``
+.. note:: The instructions below assume that you are using the same 
+  *Admin Workstation*
+  that was used to manage your old instance. If you are using a new 
+  *Admin Workstation* you will need to copy the directory 
+  ``~amnesia/Persistent/securedrop``
   from the old workstation to the new workstation (using a *Transfer Device*)
   before proceeding.
 
-#. If you have not already done so, :ref:`back up the existing installation <backing_up>`.
+#. If you have not already done so, 
+   :ref:`back up the existing installation <backing_up>`.
    The instructions below assume that the backup has been created and
    renamed ``sd-backup-old.tar.gz``.
 
@@ -504,9 +517,9 @@ source accounts, and journalist accounts. To do so, follow the steps below:
       cp $SD_OLD/SecureDrop.asc $SD_NEW/
       cp $SD_OLD/ossec.asc $SD_NEW/
 
-#. If you are migrating to new hardware, ensure your old servers have been
-   decommissioned and/or destroyed by following the relevant sections of
-   :doc:`our decommissioning documentation <decommission>`.
+#. Ensure your *Admin Workstation* is connected to a LAN port on your
+   network firewall, and 
+   :ref:`configure the Admin Workstation's IP address <assign_static_ip_to_workstation>`. 
 
 #. Install Ubuntu 20.04 on the *Application* and *Monitor Servers*, following
    the :doc:`server setup instructions<servers>` to install with the correct
@@ -544,6 +557,10 @@ source accounts, and journalist accounts. To do so, follow the steps below:
    *Admin Workstations* will be out of date, and will need to be 
    :ref:`updated <update_tails_v3>`.  
 
+#. If you have migrated to new hardware, ensure your old servers have been
+   decommissioned and/or destroyed by following the relevant sections of
+   :doc:`our decommissioning documentation <decommission>`.
+
 .. _additional_restore_info:
 
 Additional Information