In March, Freedom of the Press Foundation will begin to pilot SecureDrop Workstation for Qubes OS with select news organizations. The goal of the project is to make the SecureDrop experience more intuitive, and to decrease the time-on-task for journalists, without compromising security.
With SecureDrop Workstation, journalists can use a single integrated computer to review messages and documents submitted by sources via SecureDrop, and to reply to them.
We’re deeply grateful to Freedom of the Press Foundation’s friends and supporters for making this project possible, including the Mozilla Open Source Support Awards and our individual donors. We’d also like to thank the Qubes OS development team for all their help with this project.
SecureDrop Workstation is based on Qubes OS, a desktop-based distribution of Xen. Instead of transferring documents on physical media (e.g., a USB drive) to an air-gapped Secure Viewing Station, journalists using SecureDrop Workstation will be able to download and review documents on the same physical computer, using Virtual Machines (VMs) instead of physical machines for compartmentalization.
The user experience of a journalist is similar to using a messaging app:
The SecureDrop desktop app has no direct Internet access; it can only communicate with the SecureDrop server. Encryption keys are managed in a non-networked VM, and are not directly exposed to the desktop app. Documents are opened in disposable, non-networked VMs, and VMs are hardened using a custom Linux kernel with the grsecurity patches.
In November 2018, a first alpha release of SecureDrop Workstation underwent an independent security audit supported by the OTF Red Team Lab (which uncovered no medium-risk, high-risk, or critical-risk issues), and we have made many improvements to the software since then.
Through the next 4 months, we will be facilitating the production use of SecureDrop Workstation by select partner organizations. The goal of the pilot is to determine whether we’re on the right track to meet journalists’ needs, and if so, to use findings from newsroom use to prioritize continued development.
SecureDrop Workstation can be used with any SecureDrop installation; it only requires a dedicated laptop running Qubes OS. Beyond making SecureDrop easier to use, Qubes provides a secure technical foundation that could be used to integrate other tools that are used for tiplines and for collaboration with other journalists (e.g., Signal, OnionShare).
If you’d like to read a more detailed description of the motivation for this project, an overview of its architecture, and the security countermeasures that have been applied in its initial beta release, a security whitepaper is available here (PDF).
The scope of our existing bug bounty program has been expanded to include SecureDrop Workstation. Security researchers can now also receive rewards up to $2,500 by demonstrating attacks on SecureDrop Workstation. Attacks on QubesOS are considered in-scope if they can be used to attack SecureDrop Workstation.
We are excited about this potential new chapter in the history of the SecureDrop project. We will post further information about the pilot once it concludes. While we’re not able to accept new pilot organizations at this point, we welcome participation in testing and development.
The SecureDrop Workstation project has been developed in the open from the beginning. If you would like to get involved as a developer, you have several options depending on the resources available to you. To run the full workstation, you will require two things:
- A non-production SecureDrop instance, either on hardware or virtualized
- A workstation capable of running Qubes OS 4 (32 GB RAM recommended)
If you can satisfy these requirements, getting the prototype running should be a matter of following the README (using the dev environment).
If you do not have a workstation available for Qubes OS, but would like to work on the SecureDrop client application, you can find a guide to getting started in its repository’s README. The application is written in Python using PyQt5.
If you’re unsure about which issues to work on, come find us in our Gitter chat room or the community forums. The same venues are great places for any questions or comments about this project. You are also welcome to contact the SecureDrop team at firstname.lastname@example.org (GPG key) or through our Support Portal, if you have an account.