From dc451100c8ced4288f3400c6ba14768f6e52e8ea Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Tue, 5 May 2020 16:54:58 -0700 Subject: [PATCH] Tweaks and clarifications per review - Noted sd-devices auto-attach behavior in setup docs - Clarified how to copy logs by example - Changed intra-VM copying description to a more neutral example --- docs/admin/install.rst | 4 +++- docs/admin/managing_clipboard.rst | 4 ++-- docs/admin/reviewing_logs.rst | 10 ++++++++-- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/admin/install.rst b/docs/admin/install.rst index f522b5b..2be9dd6 100644 --- a/docs/admin/install.rst +++ b/docs/admin/install.rst 
@@ -387,7 +387,9 @@ You can now choose between creating a new password database or importing an exis We recommend reviewing each section of the password database before giving other users access to the workstation. -To import an existing database, attach the required USB drive (typically a *Journalist Workstation* USB) to the ``vault`` VM, similar to the process described in :ref:`copy_journalist`. You can use the file manager (**Q > Domain: vault > Files**) to unlock the USB drive and copy the password database (typically a file like ``keepass.kdbx`` in the directory ``Persistent``) to your user directory, and then detach the USB drive. +To import an existing database, attach the required USB drive (typically a *Journalist Workstation* USB) to the ``vault`` VM, similar to the process described in :ref:`copy_journalist`. Note that you may have to detach the USB drive from the ``sd-devices`` VM, first, which will attempt to automatically attach USB storage devices and printers for use by SecureDrop Workstation. + +Once the USB drive is attached to ``vault``, you can use the file manager (**Q > Domain: vault > Files**) to unlock the USB drive and copy the password database (typically a file like ``keepass.kdbx`` in the directory ``Persistent``) to your user directory, and then detach the USB drive. When importing a passwordless database, KeePassXC may warn you every time about opening the database without a password. Similarly, when creating a new password database, KeePassXC will prompt you to protect it with a password, and will refuse to accept a blank password. diff --git a/docs/admin/managing_clipboard.rst b/docs/admin/managing_clipboard.rst index aca796e..994d332 100644 --- a/docs/admin/managing_clipboard.rst +++ b/docs/admin/managing_clipboard.rst 
@@ -3,9 +3,9 @@ Managing Clipboard Access .. include:: ../includes/top-warning.rst -Every VM in Qubes has its own clipboard, similar to the clipboard of a Mac, Windows or Linux computer. For example, if you wanted to create a boilerplate "Thank you" message for replies to sources, you could create a textfile in the ``sd-app`` VM and copy its contents to the SecureDrop Client using ``Ctrl+C`` (copy) and ``Ctrl+V`` (paste) keyboard shortcuts. +Every VM in Qubes has its own clipboard, similar to the clipboard of a Mac, Windows or Linux computer. For example, if you used the default ``work`` VM to browse the web and wanted to copy text from one browser window to another, you would use the ``Ctrl+C`` and ``Ctrl+V`` keyboard shortcuts to copy and paste. This type of clipboard usage -- copy and paste in the same VM -- also works in all VMs that are part of SecureDrop Workstation. -Qubes also supports copying information *between* VMs. This is done by using `special keyboard shortcuts `_, ``Ctrl+Shift+C`` and ``Ctrl+Shift+V``, in a four-step process. By default, this is disabled for all VMs that are part of SecureDrop Workstation, consistent with the `principle of least privilege `__. +In addition, Qubes supports copying information *between* VMs. This is done by using `special keyboard shortcuts `_, ``Ctrl+Shift+C`` and ``Ctrl+Shift+V``, in a four-step process. By default, this is disabled for all VMs that are part of SecureDrop Workstation, consistent with the `principle of least privilege `__. As an administrator, you should be aware of the following risks related to clipboard access before changing the default configuration: diff --git a/docs/admin/reviewing_logs.rst b/docs/admin/reviewing_logs.rst index eb6a6c5..e07218e 100644 --- a/docs/admin/reviewing_logs.rst +++ b/docs/admin/reviewing_logs.rst 
@@ -13,7 +13,7 @@ If you want to selectively enable copying logs to a single VM, you can use tags, .. important:: - Before copying logs to a networked VM, we recommend carefully inspecting them for sensitive information, and potentially redacting them + Before copying logs to a networked VM, we recommend carefully inspecting them for sensitive information, and potentially redacting them. To enable copying logs to a target VM, you can use a command like the following in ``dom0``, substituting ```` with the name of the target VM (e.g., ``work``): @@ -33,4 +33,10 @@ To remove the permission, use this command in ``dom0``: qvm-tags del sd-receive-logs -With the permission in effect, you can use the command ``qvm-copy`` in a terminal in ``sd-log`` to copy individual files to the target VM. +With the permission in effect, you can use the command ``qvm-copy`` in a terminal in ``sd-log`` to copy individual files to the target VM. For example, to copy a file ``syslog-redacted.log``, you would use this command: + +.. code-block:: sh + + qvm-copy syslog-redacted.log + +A graphical prompt will permit you to select any target VM that has the ``sd-receive-logs`` tag. Once successfully copied, the file can be found in the directory ``~/QubesIncoming/sd-log`` in the target VM. See the `Qubes OS documentation on copying files `__ for more information.
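Review bot: In the docs/admin/install.rst hunk (@@ -387,7 +387,9 @@), the added sentence "Note that you may have to detach the USB drive from the ``sd-devices`` VM, first, which will attempt to automatically attach USB storage devices and printers" is hard to parse, because the relative clause appears to attach to "first" rather than to ``sd-devices``. It also does not say how to detach the drive. Suggest stating the cause before the action, for example "The ``sd-devices`` VM attempts to automatically attach USB storage devices and printers, so you may first have to detach the USB drive from ``sd-devices``." Then either name the detach step or point to the section that describes it, so an admin handling the password database USB is not left guessing.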
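Review bot: In the docs/admin/managing_clipboard.rst hunk (@@ -3,9 +3,9 @@), the rewritten "In addition, Qubes supports copying information *between* VMs" line still mixes two hyperlink styles: "`special keyboard shortcuts `_" uses a named reference (single underscore), while "`principle of least privilege `__" uses an anonymous one (double underscore). Since this line is being touched anyway, suggest using the anonymous ``__`` form for both, which avoids duplicate-target warnings if the same link text is reused elsewhere in the docs.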
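Review bot: In the last docs/admin/reviewing_logs.rst hunk (@@ -33,4 +33,10 @@), the new ``qvm-copy`` example and the ``~/QubesIncoming/sd-log`` explanation come after the "To remove the permission, use this command in ``dom0``" step. A reader following the page top to bottom therefore removes the ``sd-receive-logs`` tag before reaching the copy instructions. Suggest moving the copy example above the removal step, or ending the new paragraph with a sentence reminding the admin to remove the tag once the copy is complete, so the permission does not stay in effect longer than needed. It would also help to say that ``syslog-redacted.log`` is a copy the admin has already inspected and redacted in ``sd-log``, tying the example back to the ``.. important::`` note earlier on the page.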