Add Tails-4 appropriate documentation and screenshots for:

- Yubikey
- MAT2
- Veracrypt (Export device)
- Disks (Backup instructions)

docs/admin.rst

@@ -172,14 +172,13 @@ YubiKey
 
 If the journalist wishes to use a YubiKey for two-factor authentication,
 check the box next to "I'm using a YubiKey". You will then need to enter
-the OATH-HOTP Secret Key that your YubiKey is configured with. For more
+the OATH-HOTP Secret Key that their YubiKey is configured with. For more
 information, read the :doc:`YubiKey Setup Guide <yubikey_setup>`.
 
 |Enable YubiKey|
 
-Once you've configured your YubiKey and entered the Secret Key, click
-*Add user*. On the next page, enter a code from your YubiKey by
-inserting it into the workstation and pressing the button.
+Once you've configured the YubiKey and entered the Secret Key, click
+*Add user*. On the next page, have the journalist enter a code from their YubiKey by inserting it into the workstation and pressing the button.
 
 |Verify YubiKey|
 

docs/backup_workstations.rst

@@ -69,9 +69,11 @@ Fill out the form as follows:
 |Format Backup Drive|
 
 * **Erase**: `Don't overwrite existing data (Quick)`
-* **Type**: `Encrypted, compatible with Linux systems (LUKS + Ext4)`
+* **Type**: `Internal disk for use with other Linux systems only (Ext4)`, and make sure `Password protect volume (LUKS)` is checked
 * **Name**: `Backup`
 
+|Backup Drive Passphrase|
+
 .. warning:: Since this will serve as a long-term backup, **make sure to
  use a strong passphrase**.
 
@@ -123,12 +125,12 @@ Then, copy the contents of the device's persistent volume to the directory using
 
 
 .. note:: Please make sure to include the trailing ``/`` in the directory
-          paths in the command above, otherwise the files will not 
+          paths in the command above, otherwise the files will not
           be backed up correctly.
 
-Once complete, unmount the TailsData partition by clicking the Eject button 
-beside its entry in the lefthand column of the file manager. When its entry is 
-no longer shown in the lefthand column, it is save to remove the 
+Once complete, unmount the TailsData partition by clicking the Eject button
+beside its entry in the lefthand column of the file manager. When its entry is
+no longer shown in the lefthand column, it is save to remove the
 *Admin Workstation* USB.
 
 Repeat these steps for every device, making a new folder on the backup device
@@ -138,7 +140,7 @@ Finally, once you have completed the steps described in this section for each
 USB drive, unmount the Backup partition by clicking its Eject button. Wait until
 the Backup USB can be safely removed, and store it somewhere safely.
 
-.. note:: After the Eject button is clicked, it may be take some time before 
+.. note:: After the Eject button is clicked, it may be take some time before
           the drive can be safely removed. Wait until its entry  is removed from
           the lefthand column of the file manager.
 
@@ -147,13 +149,13 @@ the Backup USB can be safely removed, and store it somewhere safely.
 Restoring a Workstation from a Backup
 -------------------------------------
 
-To recreate a backed-up *Admin Workstation*, *Journalist Workstation*, or 
-*Secure Viewing Station* Tails USB,  you will need 
+To recreate a backed-up *Admin Workstation*, *Journalist Workstation*, or
+*Secure Viewing Station* Tails USB,  you will need
 
 - your Backup USB containing the persistent volume to be restored,
-- a blank USB stick to be set up as the new workstation USB,  
-- an airgapped machine and a USB with Tails already installed, referred to as 
-  the host Tails USB in this document. The host Tails USB is only used to 
+- a blank USB stick to be set up as the new workstation USB,
+- an airgapped machine and a USB with Tails already installed, referred to as
+  the host Tails USB in this document. The host Tails USB is only used to
   transfer files between the Backup USB and the new workstation USB.
 
 The process will require 3 USB ports - if necessary, you can use a USB hub. We
@@ -163,10 +165,10 @@ Prepare the new Tails USB
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Follow the guide to :ref:`creating a Tails USB <set_up_tails>` to install
-Tails and create a persistent volume on the blank USB stick to create the new 
+Tails and create a persistent volume on the blank USB stick to create the new
 workstation USB.
 
- 
+
 Open the Backup USB and new Tails Persistent Volume
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -185,35 +187,36 @@ will appear in the lefthand column.
 Copy the Backup to the New Workstation USB's Persistent Volume
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open a terminal by navigating to **Applications** ▸ **Favorites** 
+Open a terminal by navigating to **Applications** ▸ **Favorites**
 ▸ **Terminal** . Next, use the ``rsync`` command to copy the appropriate backup
 folder to the new workstation USB's persistent volume. For example, if the backup
 folder to be copied is named ``admin-backup``, run the following command:
 
 .. code:: sh
- 
+
   sudo bash -c "rsync -a --info=progress2 --no-specials --no-devices \
       /media/amnesia/Backup/admin-backup/ /media/amnesia/TailsData/ && sync"
 
 .. note:: Please make sure to include the trailing ``/`` in the directory
-          paths in the command above, otherwise the backup files will not 
+          paths in the command above, otherwise the backup files will not
           be restored correctly.
 
 Once the command is complete, click the Eject button for the ``TailsData`` volume
 in the lefthand column of the file manager, wait for the ``TailsData`` entry to
 disappear from the column, and remove the new workstation USB.
 
-You may now repeat the restore process for any other USBs that you wish to 
-restore, or shut down the host Tails USB and test your new workstation USB by 
+You may now repeat the restore process for any other USBs that you wish to
+restore, or shut down the host Tails USB and test your new workstation USB by
 booting it with persistence unlocked and verifying its functionality.
 
 .. |Browse to Places Computer| image:: images/upgrade_to_tails_3x/browse_to_places_computer.png
-.. |Click Cogs| image:: images/upgrade_to_tails_3x/click_the_button_with_cogs.png
+.. |Click Cogs| image:: images/tails_4x/disks_format_partition.png
 .. |Fill in Passphrase| image:: images/upgrade_to_tails_3x/fill_in_passphrase.png
-.. |Format Backup Drive| image:: images/upgrade_to_tails_3x/fill_out_as_follows.png
+.. |Format Backup Drive| image:: images/tails_4x/format_backup_drive.png
+.. |Backup Drive Passphrase| image:: images/tails_4x/backup_drive_passphrase.png
 .. |Start Nautilus| image:: images/screenshots/root_terminal_nautilus_cli.png
 .. |Make Folders for All Drives| image:: images/upgrade_to_tails_3x/make_folders_for_all_drives.png
 .. |Backup and TailsData Mounted| image:: images/upgrade_to_tails_3x/backup_and_tailsdata_mounted.png
 .. |Applications Utilities Disks| image:: images/upgrade_to_tails_3x/navigate_to_applications.png
-.. |Select the Disk| image:: images/upgrade_to_tails_3x/select_the_disk.png
-.. |Two Partitions Appear| image:: images/upgrade_to_tails_3x/two_partitions_appear.png
+.. |Select the Disk| image:: images/tails_4x/disks_select_drive.png
+.. |Two Partitions Appear| image:: images/tails_4x/two_partitions_appear.png

docs/journalist.rst

@@ -287,11 +287,10 @@ delete the files from your device:
 To decrypt and view documents or messages, return to your **Persistent** folder.
 All key actions are initiated by double-clicking:
 
-- Double-clicking archives in ZIP or gzip format will open the "File Roller"
-  application, which allows you to extract the contents.
+- Double-clicking archives in ZIP or gzip format will open the "Archive Manager"
+  application (called "file-roller" on the command line), which allows you to extract the contents.
 
-- Double-clicking files that end in ``.gpg`` will attempt to decrypt the contents
-  to the same directory. If you have configured a passphrase for your
+- Double-clicking files that end in ``.gpg`` will attempt to decrypt the contents to the same directory. If you have configured a passphrase for your
   *Submission Key*, you will be prompted for it.
 
 - Double-clicking decrypted messages or documents will attempt to open them in a
@@ -305,7 +304,7 @@ a document with an incorrect or missing file extension.
 
 .. tip::
 
-   Always extract gzip archives with the "File Roller" application, which is
+   Always extract gzip archives with the "Archive Manager" application, which is
    the default when double-clicking the archive. Other methods may not preserve
    the filename contained in the archive.
 
@@ -439,27 +438,33 @@ highly sensitive submissions.
 Removing Metadata
 ~~~~~~~~~~~~~~~~~
 
-.. tip:: For detailed information about removing metadata from documents, check out
-         this in-depth `guide to removing metadata`_.
+.. tip:: For detailed information about removing metadata from documents, check out this in-depth `guide to removing metadata`_.
 
-Tails comes with the `Metadata Anonymisation Toolkit`_ (MAT) that
+Tails comes with the `Metadata Anonymisation Toolkit 2`_ (MAT2) that
 is used to help strip metadata from a variety of types of files,
 including png, jpg, OpenOffice/LibreOffice documents, Microsoft Office
 documents, pdf, tar, tar.bz2, tar.gz, zip, mp3, mp2, mp1, mpa, ogg,
-and flac. You can open MAT by clicking **Applications** ▸ **System Tools** ▸
-**MAT**.
+and flac. We recommend using this and other tools to work with documents within Tails for as much of your workflow as possible.
 
-We recommend always doing as much work as possible inside of Tails
-before working with documents on your everyday workstation. This includes
-stripping metadata with MAT.
+Tails 4 replaces MAT with MAT2, which is usable via the command line and via a context menu in the **Files** application (called "nautilus" on the command line).
 
-.. warning:: MAT is no longer actively maintained and **will not**
-             strip all metadata, even when the output claims the
-             document is clean. Some metadata are likely to persist:
-             you must **never** assume MAT has removed all metadata.
+You can use MAT2 via the **Files** application by browsing to **Places** ▸ **(Your file's location)** and right-clicking on your file. In the context menu, select **Remove metadata**.
 
-When you no longer need documents, you can right-click on them and
-choose **Wipe** to delete them.
+|mat2 context menu|
+
+Note that this does not alter the original file--it creates a clean copy.
+
+|mat2 cleaned|
+
+To use MAT2 on the command line, type ``man mat2`` to see a list of available actions you can take with MAT2. For example, you can view the metadata of a file with ``mat2 myfile --show``.
+
+|mat2 cli show|
+
+You can create a "clean" version of the document with ``mat2 myfile``, again noting that this does not erase the metadata on the original file. This is equivalent to the "Remove metadata" context menu option.
+
+Note that even after running MAT2, you should carefully inspect files to ensure that all metadata has been wiped, or convert them to a simpler file format (for example, converting a ``.xls`` file to a ``.csv``) to ensure that metadata is not left behind in error.
+
+When you no longer need documents, in the Files application, you can right-click on them and choose **Wipe** to securely delete them.
 
 |Wiping documents|
 
@@ -533,7 +538,7 @@ disclose details about the contents of any submission you have received.
 
 .. _`QR codes can contain malicious links`: https://securedrop.org/news/security-advisory-do-not-scan-qr-codes-submitted-through-securedrop-connected-devices
 .. _`working with sensitive documents`: https://tails.boum.org/doc/sensitive_documents/index.en.html
-.. _`Metadata Anonymisation Toolkit`: https://mat.boum.org/
+.. _`Metadata Anonymisation Toolkit 2`: https://mat.boum.org/
 
 Moving Documents to Your Everyday Workstation
 ---------------------------------------------
@@ -646,12 +651,17 @@ audio, and begin publishing important, high-impact work!
 .. |Sent reply| image:: images/manual/screenshots/journalist-composes_reply.png
 .. |Flag for reply button| image:: images/manual/screenshots/journalist-col_has_no_key.png
 .. |Flag for reply notification| image:: images/manual/screenshots/journalist-col_flagged.png
+
+.. |mat2 context menu| image:: images/manual/screenshots/mat2_context_menu.png
+.. |mat2 cleaned| image:: images/manual/screenshots/mat2_cleaned.png
+.. |mat2 cli show| image:: images/manual/screenshots/mat2_cli_show.png
+
 .. |Wiping documents| image:: images/manual/viewing5.png
 .. |Journalist account profile| image:: images/manual/screenshots/journalist-edit_account_user.png
-.. |Unlock VeraCrypt in Tails 1| image:: images/manual/unlock-veracrypt-in-tails-1.png
-.. |Unlock VeraCrypt in Tails 2| image:: images/manual/unlock-veracrypt-in-tails-2.png
-.. |Unlock VeraCrypt in Tails 3| image:: images/manual/unlock-veracrypt-in-tails-3.png
-.. |Unlock VeraCrypt in Tails 4| image:: images/manual/unlock-veracrypt-in-tails-4.png
+.. |Unlock VeraCrypt in Tails 1| image:: images/manual/unlock_veracrypt_in_tails_1.png
+.. |Unlock VeraCrypt in Tails 2| image:: images/manual/unlock_veracrypt_in_tails_2.png
+.. |Unlock VeraCrypt in Tails 3| image:: images/manual/unlock_veracrypt_in_tails_3.png
+.. |Unlock VeraCrypt in Tails 4| image:: images/manual/unlock_veracrypt_in_tails_4.png
 .. |br| raw:: html
 
     <br>

docs/set_up_transfer_and_export_device.rst

@@ -166,13 +166,13 @@ your new *Transfer Device* should be ready for use. If you haven't already, make
 sure to label it.
 
 .. |Disk Utility icon| image:: images/icons/disk-utility.png
-.. |screenshot of the Applications menu in Tails, highlighting Disk Utility| image:: images/screenshots/applications_accessories_disk-utility.png
+.. |screenshot of the Applications menu in Tails, highlighting Disk Utility| image:: images/tails_4x/disks_utility_applications_menu.png
 .. |screenshot of Disk Utility application| image:: images/screenshots/disk-utility.png
 .. |screenshot of the menu to create a new partition in the Disk Utility application| image:: images/screenshots/create-partition.png
 .. |screenshot of partition format options| image:: images/screenshots/disks_format_partition.png
 .. |screenshot of passphrase selection prompt in the Disk Utility application| image:: images/screenshots/create-passphrase.png
 
-.. [#] Tails screenshots were taken on Tails 4.0.0-rc1. Please make an issue on
+.. [#] Tails screenshots were taken on Tails 4.0.0. Please make an issue on
        GitHub if you are using the most recent version of Tails and the
        interface is different from what you see here.
 

docs/yubikey_setup.rst

@@ -12,11 +12,13 @@ requires some configuration steps using a separate software tool.
 What is a YubiKey?
 ------------------
 
-A YubiKey is a physical security key used for two-factor authentication. They
-are made by a company called Yubico and are `commercially available`_.
+A YubiKey is a physical token used for two-factor authentication. They
+are made by a company called Yubico and are `commercially available`_. Note that not all physical tokens are compatible with the YubiKey Personalization Tool; for this, you require `a key that can support OATH-HOTP`_.
 
 .. _`commercially available`: https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key
 
+.. _`a key that can support OATH-HOTP`: https://support.yubico.com/support/solutions/articles/15000006467-oath-hotp-yubico-best-practices-guide
+
 Download and Launch the YubiKey Personalization Tool
 ----------------------------------------------------
 
@@ -77,13 +79,15 @@ choose a location to save the log file. When the configuration is
 done, you should see green text saying **YubiKey configured** at the
 top of the window.
 
+|YubiKey config successful|
+
 Adding Users
 ------------
 
 When adding new users, a SecureDrop admin will need the
 **Secret Key** value described above. She will enter it after
 selecting the **I'm Using a YubiKey** option while :ref:`adding users
-<Adding Users>`.
+<Adding Users>`. The new user will then have to verify their YubiKey before being added to the system. This means that the new user and the admin should be physically proximal for this process.
 
 Using Your YubiKey
 ------------------
@@ -95,7 +99,8 @@ cursor there. Quickly press the lighted button on your YubiKey. This
 will insert the 6-digit code that you will need to log in.
 
 .. note:: When using **Configuration Slot 2**, be sure to press and hold
-          the YubiKey button for approximately 3 seconds.
+          the YubiKey button for approximately 3 seconds. This can be somewhat finicky.
 
 .. |YubiKey Overview| image:: images/yubikey_overview.png
 .. |YubiKey Config| image:: images/yubikey_oath_hotp_configuration.png
+.. |YubiKey Config Successful| image:: images/yubikey_configuration_successful.png