SecureDrop Advisory: End-of-life for v2 onion services and Ubuntu 16.04

January 26, 2021

PLEASE NOTE: If you missed the April 30, 2021 migration, we strongly recommend that you reinstall SecureDrop. Please get in touch if you require assistance. Freedom of the Press Foundation is happy to provide support.

SecureDrop administrators and users should be aware of two critical migrations that are required to keep SecureDrop instances online:

Migration to Ubuntu 20.04: The operating system used on the Application Server and Monitor Server, Ubuntu 16.04, will no longer receive security updates after April 30, 2021. SecureDrop instances must migrate to Ubuntu 20.04, which will receive security updates until 2025, before April 30, 2021. We recommend scheduling a two-day maintenance window to complete this migration.
V3 onion services: Any SecureDrop instance still using 16-character v2 .onion addresses must move to v3 onion services; there is a workflow that allows administrators to combine this change with the Ubuntu 20.04 migration. SecureDrop 1.8.0 was the first release to begin eliminating support for v2 onion services, and support will be completely dropped in a future release.

Please be aware that, due to the .onion address change, this migration involves an update to your landing page, and should be coordinated with journalists to avoid disruption of source communications.

If you are a journalist using SecureDrop, and you are unsure whether your newsroom is planning for these time-sensitive migrations, we encourage you to check in with your administrator. If you would like to get help from the SecureDrop team, please do not hesitate to reach out via the support portal (if you have an account) or via our contact form.

What administrators need to do

Migration to Ubuntu 20.04

This migration requires physical access to your SecureDrop servers. At a high level, it involves the following steps:

Backing up your instance
Installing Ubuntu 20.04 on new or existing hardware and configuring SSH access
Importing the old configuration on the Admin Workstation (disabling v2 onion services if applicable)
Running the installation playbook
Restoring your server backup
Restoring Admin Workstation access

Please see our migration guide for details.

Migration from v2 to v3 onion services

If you haven’t migrated to v3 onion services yet, follow our suggested workflow to combine this change with the migration to Ubuntu 20.04.

Please note that once you are on v3, you may be eligible to register a human-readable onion name for your SecureDrop instance.

Updated 2021-02-11: Release date for SecureDrop 1.8.0 moved to March 9, 2021.

Updated 2021-03-11: Updated per release of SecureDrop 1.8.0.

Updated 2021-03-26: Updated to clarify that instances still running v2 onion services may combine their onion services upgrade and operating system upgrade by following our alternate migration procedure.

Updated 2022-01-26: Added notice to recommend reinstall for organizations who missed the migration window.

Have a document to share?

You are not anonymous while using this browser!

Your Tor security settings are too low!

Set your Tor security level to "Safest" for maximum protection