Through the last year, the Freedom of the Press Foundation (FPF) has sponsored the development of a prototype for an integrated SecureDrop Workstation based on Qubes OS. Thanks to the work of developer Joshua Thayer, we now have a working prototype that combines the Journalist Workstation and Secure Viewing Station into a single device.
SecureDrop’s architecture is well-tested, but it is not without its disadvantages. In particular, the requirement to manually transfer files with a USB drive or CD-R to an air-gapped viewing station makes checking SecureDrop and communicating with sources burdensome, and carries its own operational security risks.
Qubes OS, which is free and open source software, uses Xen virtualization to separate applications and processes into different security domains. For example, a user could choose to browse the web in a “personal” domain, access her bank account in a “money” domain, and write code with privileged hardware access in a “work” domain.
Different domains can run different operating systems and have different privileges. For example, a domain can be denied all Internet connectivity and external device access.
In the SecureDrop Workstation prototype, a Whonix domain is used for connecting to the Journalist Interface via Tor as usual. Downloaded documents are decrypted using Split GPG and then transferred to an offline domain. The actual display is handled by disposable VMs, so a security exploit of a file viewer application cannot be used to directly gain access to other data, nor can it persist across sessions.
The SecureDrop Workstation prototype, showing a decrypted document and message in a disposable virtual machine.
What's next?
We regard the current prototype as a proof-of-concept that an integrated workstation can be built on top of Qubes OS. However, there is still a lot of work to be done:
We need to complete the development of a detailed threat model for this architecture, taking into account risks such as theft of the workstation, security vulnerabilities in the Xen hypervisor, and vulnerabilities in Qubes OS itself.
Based on the threat model analysis, we will perform additional hardening of the prototype.
We need to refine the user experience and get the code to production quality, including a strategy for software updates. In partnership with the SecureDrop volunteer UX community, we are currently undertaking user research to inform this work.
We have to complete work on a basic server-side API, which will enable the Qubes client to retrieve documents without the use of the web interface.
Before any production use, we must obtain a third party security audit and address any issues that it uncovers.
Provided we encounter no showstopper issues in this process, we anticipate that we’ll be able to pilot the workstation with select news organizations in late 2018/early 2019.
We welcome experiments with alternative approaches solving for the challenges identified above, and will ultimately evaluate the Qubes OS approach both against the current architecture, and against alternative implementations.
We fully recognize that the transition to a new user interface and a new operating system represents a significant potential burden for SecureDrop users. Should we decide to move forward with this transition, we will manage it carefully, in close coordination with the global SecureDrop community.
Our ultimate goal is an improved user experience that makes SecureDrop much easier to use for journalists while preserving and enhancing security properties consistent with the threat model of news organizations. We are also optimistic that Qubes OS could play an increasingly important role in high-stakes security contexts of journalistic work, beyond the SecureDrop workflow.
In recognition of this strategic potential, we have decided to become a Qubes OS Partner, and to coordinate with the Qubes OS team as we tackle the next steps in this process.
Getting involved
Running the workstation prototyping may seem daunting, but it really only requires two things:
A non-production SecureDrop instance, either on hardware or virtualized
A workstation capable of running Qubes OS 4 (e.g., the 5th Gen X1 Carbon, the laptop used by Qubes developers — 16 GB RAM recommended)