[0.12.1] Backport docs changes #4264

Merged
merged 3 commits into from
Mar 14, 2019
11 changes: 10 additions & 1 deletion docs/generate_securedrop_application_key.rst
Expand Up @@ -7,7 +7,16 @@ of this key is only stored on the *Secure Viewing Station* which is never
connected to the Internet. SecureDrop submissions can only be decrypted and
read on the *Secure Viewing Station*.

We will now generate the *SecureDrop Submission Key*.
We will now generate the *SecureDrop Submission Key*. If you aren't still
logged into your *Secure Viewing Station* from the previous step, boot it using
its Tails USB stick, with persistence enabled.

.. important:: Do not follow these steps before you have fully configured the
*Secure Viewing Station* according to the :doc:`instructions <set_up_svs>`.
The private key you will generate in the following steps is one of the most
important secrets associated with your SecureDrop installation. This procedure
is intended to ensure that the private key is protected by the air-gap
throughout its lifetime.

Create the Key
--------------
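
Review bot: the ``.. important::`` block lands after the sentence that tells the admin to boot the *Secure Viewing Station* and begin generating the key, so a reader working top to bottom reaches the instruction before its precondition. Move the admonition above "We will now generate the *SecureDrop Submission Key*" so the requirement to finish the set_up_svs instructions is read first. The added sentence also refers to "the previous step" without a link, while the admonition links to the set-up instructions; pointing both at the same document would remove the ambiguity.
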
27 changes: 13 additions & 14 deletions docs/servers.rst
Expand Up @@ -5,18 +5,17 @@ Set Up the Servers
Install Ubuntu
--------------

.. caution:: As of this writing (2019-02-26), Ubuntu ISO images ship a version of
the `apt` package that is vulnerable to CVE-2019-3462. The SecureDrop installer
has mitigations in place to ensure the package is safely upgraded. We
recommend you perform the initial Ubuntu install on servers that do not have
Internet connectivity.
.. caution:: Please ensure you are using Ubuntu Xenial ISO images 16.04.6 or greater.
Ubuntu Xenial ISO images 16.04.5 and lower ship with a version of the `apt` package
vulnerable to CVE-2019-3462. If you are using 16.04.5 or lower, the initial base OS
must be installed without Internet connectivity.

.. note:: Installing Ubuntu is simple and may even be something you are very familiar
with, but we **strongly** encourage you to read and follow this documentation
exactly as there are some "gotchas" that may cause your SecureDrop set up to break.

The SecureDrop *Application Server* and *Monitor Server* run **Ubuntu Server
16.04.5 LTS (Xenial Xerus)**. To install Ubuntu on the servers, you must first
16.04.6 LTS (Xenial Xerus)**. To install Ubuntu on the servers, you must first
download and verify the Ubuntu installation media. You should use the *Admin
Workstation* to download and verify the Ubuntu installation media.
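
Review bot: the rewritten caution drops the statement that the SecureDrop installer has mitigations to upgrade `apt` safely, and for 16.04.5 and lower it now says only that the base OS "must be installed without Internet connectivity". It does not say when it becomes safe to connect the server, or what upgrades the vulnerable `apt` afterwards. Either keep a sentence on the installer mitigation or state the point at which networking can be enabled. The caution also says "16.04.6 or greater" while the paragraph below names exactly 16.04.6; say which of the two is the supported target.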

Expand All @@ -28,7 +27,7 @@ Download the Ubuntu Installation Media
The installation media and the files required to verify it are available on the
`Ubuntu Releases page`_. You will need to download the following files:

* `ubuntu-16.04.5-server-amd64.iso`_
* `ubuntu-16.04.6-server-amd64.iso`_
* `SHA256SUMS`_
* `SHA256SUMS.gpg`_

Expand All @@ -44,16 +43,16 @@ Alternatively, you can use the command line:
.. code:: sh

cd ~/Persistent
torify curl -OOO http://releases.ubuntu.com/16.04.5/{ubuntu-16.04.5-server-amd64.iso,SHA256SUMS{,.gpg}}
torify curl -OOO http://releases.ubuntu.com/16.04.6/{ubuntu-16.04.6-server-amd64.iso,SHA256SUMS{,.gpg}}

.. note:: Downloading Ubuntu on the *Admin Workstation* can take a while
because Tails does everything over Tor, and Tor is typically slow relative
to the speed of your upstream Internet connection.

.. _Ubuntu Releases page: http://releases.ubuntu.com/
.. _ubuntu-16.04.5-server-amd64.iso: http://releases.ubuntu.com/16.04.5/ubuntu-16.04.5-server-amd64.iso
.. _SHA256SUMS: http://releases.ubuntu.com/16.04.5/SHA256SUMS
.. _SHA256SUMS.gpg: http://releases.ubuntu.com/16.04.5/SHA256SUMS.gpg
.. _ubuntu-16.04.6-server-amd64.iso: http://releases.ubuntu.com/16.04.6/ubuntu-16.04.6-server-amd64.iso
.. _SHA256SUMS: http://releases.ubuntu.com/16.04.6/SHA256SUMS
.. _SHA256SUMS.gpg: http://releases.ubuntu.com/16.04.6/SHA256SUMS.gpg

Verify the Ubuntu Installation Media
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
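
Review bot: the `torify curl` command and all three link targets still fetch from `http://releases.ubuntu.com/`, so the ISO, `SHA256SUMS` and `SHA256SUMS.gpg` all leave the Tor exit node in cleartext. The signature check in the section that follows is what protects the admin here, and that is worth stating next to the download command so the download alone is never treated as trustworthy. Since every one of these URLs is already being edited for the version bump, consider switching them to `https://` in the same change.
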
Expand Down Expand Up @@ -87,13 +86,13 @@ Verify the ``SHA256SUMS`` file and move on to the next step if you see

The next and final step is to verify the Ubuntu image. ::

sha256sum -c <(grep ubuntu-16.04.5-server-amd64.iso SHA256SUMS)
sha256sum -c <(grep ubuntu-16.04.6-server-amd64.iso SHA256SUMS)


If the final verification step is successful, you should see the
following output in your terminal. ::

ubuntu-16.04.5-server-amd64.iso: OK
ubuntu-16.04.6-server-amd64.iso: OK

.. caution:: If you do not see the line above it is not safe to proceed with the
installation. If this happens, please contact us at
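
Review bot: in `sha256sum -c <(grep ubuntu-16.04.6-server-amd64.iso SHA256SUMS)` the dots in the filename are regex wildcards, so the pattern is looser than the literal name; `grep -F` would match the filename exactly. This command is also in an untyped `::` literal block while the download command earlier in the file uses `.. code:: sh`; using the same directive for both would keep the rendering consistent.
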
Expand Down Expand Up @@ -121,7 +120,7 @@ Ubuntu installer.
If your USB is mapped to /dev/sdX and you are currently in the directory that
contains the Ubuntu ISO, you would use dd like so: ::

sudo dd conv=fdatasync if=ubuntu-16.04.5-server-amd64.iso of=/dev/sdX
sudo dd conv=fdatasync if=ubuntu-16.04.6-server-amd64.iso of=/dev/sdX

.. _install_ubuntu:
