diff --git a/.circleci/config.yml b/.circleci/config.yml index c4760cdaf1..9b192dc056 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -124,6 +124,9 @@ jobs: - store_artifacts: path: /root/sd/raw-test-output + - store_artifacts: + path: /root/sd/.tor_version + workflows: version: 2 securedrop_ci: diff --git a/molecule/aws/securedrop_test.pub b/molecule/aws/securedrop_test.pub new file mode 100644 index 0000000000..2fa2b65fe8 --- /dev/null +++ b/molecule/aws/securedrop_test.pub 
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFhPGZsBCACzn00s3+i5HdGIldDGYXxY2HKL9Qhk0DhiRrNPaQemhNijuFlC
+geCeKN/smDAUyM5mfEoxmWy3V7n8SEQUpqI4dIS2AohReLkyKEKiIpTuXW7F9kO3
+vcXHgrTka+8B4ZQxDuTHNFJLmBwJnP24LrL6BzkDIUNeQFwM0EFTDOJlW1QV6qkm
+9WGizo2sR0VBJJabfRWrTWd8llYOVcc+LptErVNADPaX6iqb+QnZVJ/nYmCTgABj
+lD3aZ4EPZ+ioVOcOxbgBkAX76COObUUw/XahBGwj4fJ5kyzvDSBCHHlRzN39LKpM
+Y+HfSc1scAOWN+Dd0N/joIa0j0U4SGHo1NdzABEBAAG0MVNlY3VyZURyb3AgVEVT
+VElORyBrZXkgPHNlY3VyZWRyb3BAZnJlZWRvbS5wcmVzcz6JAU4EEwEIADgWIQRO
+15zDNi19EoNwRgJKO+SpIhGwPAUCWE8ZmwIbAwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgAAKCRBKO+SpIhGwPCb9B/9SuVoxbe3nLlU0bHDQtoq5P7adyTZK+5gKIiAo
+mtAkc/EuiF6jYIDLo+DBB1GBJVjyD5igTt14XR3JpMe6nLtztD5zgGk47gYQk3y5
+6f5ydd7zRo9OxulRYDvU1mXMUc0EmqfzuSxY55HJy5KQvjeKIU0fTvwbPYXdhFCC
+42iyBIkp4e4/C5oO4lNrNY2DJEZ+a8H5LHasJ4g9A78f/D5q0HWO1HutzfDeiMvq
+WFwlGMD2OzTEQA2MGlVRIYvLHAG1aV9fXY8kjCFT8ri5hxlQeTkKISfbW3pFSq6s
+Ow4r975zWLTPJNm+WTbBpfIOFBVAW34EHkcb/QmntlvqkNM+uQENBFhPGZsBCAC4
+VEtCQEuZ3WzCNL/0yQFih1EjT/AsS3j3++xvSOYWF+c7AjR9X0MkJFTnUZBHs6MX
+PM33bbkWbBBE2ILdDCEF72Uc5HyyC2lW2DvPY9ZLVSGcMCUsKARv5rbeNdgiLVP5
+8AMkmG48q0Pxrr6UVX14M34Jm5G91c/dj9zHtVwkLg4RG/rcumQdlpQhNmMycB2X
+lat48atmEkutfLEQizXIlgiCdNEpgfUBy/jZZcCOjwr8PUPmSUWjKOVMv6CSLx8K
+z2cP4We7tyq4qhc0cWjJOWOmJpu5tbmi6XEEWGaIJyN+POhHEcb0tI1rTJ88nrMb
+DI/NF/35kuWIIkADOb2vABEBAAGJATYEGAEIACAWIQRO15zDNi19EoNwRgJKO+Sp
+IhGwPAUCWE8ZmwIbDAAKCRBKO+SpIhGwPC3fB/0TfuScS718FiEcVRI3F2wBbzTQ
+VARhGzEvPSU5Z3Cur/EB8ihpWvwi39tUMeg5HTheDl/8A7f1QCjIFSVEr1slGNLh
+YFF07XGWhy837z6kiihK2z6/w6Q9QJqjE+QVZCKr97aIPejvEoHoslZTU5pJ52qF
+J7KQd1hEvVs00DxY6VlyK0FzXqByKYq6Arl2tzlCZ6RPEHKXV2xSP06jLEagzgYe
+DylVo9Xahenj4n/Mtq7Am6tGgU9Vy9cGbWNBdUND/mFQEEZSh9RJabPeluH12sir
+5/tfsDr4DGHSz7ws+5M6Zbk6oNJEwQZ4cR+81qCfXE5X5LW1KlAL8wDl7dfS
+=fYUi
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/molecule/aws/side_effect.yml b/molecule/aws/side_effect.yml
index bd5c3683e3..6c917dedad 100755
--- a/molecule/aws/side_effect.yml
+++ b/molecule/aws/side_effect.yml @@ -9,6 +9,14 @@ # WHEN REINSTATING REBOOT - include: reboot_and_wait.yml when: "false" + - include: tor_apt_test.yml + when: (lookup('env','CIRCLE_BRANCH')|default('na')).startswith('release') + handlers: + - name: update tor + apt: + name: tor + state: latest + update_cache: yes - name: Setup junit env first hosts: localhost diff --git a/molecule/aws/tor_apt_test.yml b/molecule/aws/tor_apt_test.yml new file mode 100644 index 0000000000..ad485cba46 --- /dev/null +++ b/molecule/aws/tor_apt_test.yml @@ -0,0 +1,39 @@ +--- +- name: Add apt SD test public key + apt_key: + data: "{{ lookup('file','securedrop_test.pub') }}" + state: present + +- name: Temporary fix for GH issue 2938 + file: + state: absent + path: "/etc/apt/sources.list.d/tor_apt_freedom_press.list" + +- name: Switch apt repo URLs to staging. + replace: + dest: "/etc/apt/sources.list.d/tor.apt.freedom.press.list" + replace: "tor-apt-test.freedom.press" + regexp: '//tor-apt\.freedom\.press' + ignore_errors: "yes" + notify: update tor + +- name: Force possible tor update + meta: flush_handlers + +- name: Squash testinfra failure for packages needing update + apt: + upgrade: safe + +- name: Extract latest tor version + shell: | + apt-cache policy tor | sed -e 's/^\s*Installed:\ \(\S*\)/\1/g;tx;d;:x' + changed_when: false + register: extract_tor_version + +- name: Dump Tor version to file (for reporting) + copy: + dest: "{{ playbook_dir }}/../../.tor_version" + content: "{{ extract_tor_version.stdout }}" + delegate_to: localhost + run_once: true + become: "no" diff --git a/testinfra/common/test_tor_mirror.py b/testinfra/common/test_tor_mirror.py index 85c0c646e8..4d5b187a01 100644 --- a/testinfra/common/test_tor_mirror.py +++ b/testinfra/common/test_tor_mirror.py 
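Review bot: The `|default('na')` in the `when:` on the new `tor_apt_test.yml` include looks like a no-op. As far as I know the `env` lookup returns an empty string, not an undefined value, when `CIRCLE_BRANCH` is unset, so the filter never fires. The condition still evaluates to false in that case, but to mirror the `os.environ.get('CIRCLE_BRANCH', 'na')` used on the testinfra side it should read `default('na', true)`. The `update tor` handler is defined for every branch, so a one-line comment above `handlers:` saying it is only notified from `tor_apt_test.yml` would help the next reader.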
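Review bot: `ignore_errors: "yes"` on the "Switch apt repo URLs to staging." task in `tor_apt_test.yml` lets the play continue when the sources file is missing or the replace fails. In that case `update tor` is never notified, so a release-branch run can pass and record a `.tor_version` taken from the production repo rather than tor-apt-test. I would drop the `ignore_errors` line and follow the replace with a check such as `command: grep -q 'tor-apt-test\.freedom\.press' /etc/apt/sources.list.d/tor.apt.freedom.press.list` with `changed_when: false`, so the job fails when the switch did not take effect. The `apt_key` task also adds the test key to the host's global apt keyring, which makes it trusted for every configured repository; a comment stating that this task file is meant for disposable CI instances only would make that boundary explicit.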
@@ -1,6 +1,10 @@ +import os import pytest +@pytest.mark.skipif( + os.environ.get('CIRCLE_BRANCH', 'na').startswith('release'), + reason="Release branches will use tor-apt-test repo") def test_tor_mirror_present(host): """ Ensure the FPF mirror of the Tor apt repo, tor-apt.freedom.press,
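Review bot: The `skipif` on `test_tor_mirror_present` turns off this repo check whenever `CIRCLE_BRANCH` starts with `release`, so on release branches nothing visible here asserts that the host actually points at tor-apt-test.freedom.press. Rather than skipping, the expected hostname could be selected from the branch, e.g. `tor_repo = 'tor-apt-test.freedom.press' if os.environ.get('CIRCLE_BRANCH', 'na').startswith('release') else 'tor-apt.freedom.press'`, and asserted in the body. The function body continues outside the hunk, so how the hostname is matched there is not visible. The same branch test is duplicated in the `when:` of `molecule/aws/side_effect.yml`, and a short comment on the decorator pointing at that file would help keep the two in step.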