SecureDrop Workstation 1.7.0 is now available! This is the first release supporting Qubes 4.3, and it brings a host of new features that will improve journalists’ experience and increase security.
This release only supports Qubes 4.3, and is only intended for immediate use on fresh SecureDrop Workstation installs. For existing 4.2-based installations, a migration guide will be provided alongside a forthcoming release, which will enable in-place migrations. Please do not attempt to upgrade a Qubes 4.2-based installation until SecureDrop Workstation 1.6.1 is available.
We’ve highlighted the most important changes below; the full list can be found in the changelog.
If you encounter any bugs or issues, please contact SecureDrop support via Signal, so we can make sure to address them.
Faster opening of files
Opening a file will now be at least twice as fast, thanks to preloaded Virtual Machines. Documents are opened in disposable VMs for security; previously, this meant journalists needed to wait until the VM fully started before viewing the document. Now, Qubes will preload the VM so it’s partially ready whenever a document is opened.
In-place upgrade
For the first time in SecureDrop Workstation history, moving to a new major Qubes release does not require a full reinstall on a new copy of Qubes. Instead, users can complete a manual in-place upgrade to move to the new version without needing to step through reprovisioning SecureDrop Workstation, or redownloading submissions inside of SecureDrop Inbox.
Less persistence in VMs
Historically, Qubes only had one option for persistence: Either the whole VM is persisted or nothing is. Qubes 4.3 introduced a middle ground with “custom-persist,” which lets us limit persistence to specific directories. If an attacker is somehow able to gain the ability to write files, they’ll have a much smaller attack surface in which to persist their exploit.
Improved isolation from physical devices
Thanks to a new devices API, we can now guard against accidentally connecting a USB device to a VM that could compromise the security of the Workstation. Now, you are only able to add devices within the sd-devices and sd-printers VMs.
Other general improvements
Qubes 4.3 comes with a lot of other smaller UI/UX improvements, including a nicer screen saver and flat icons for Qubes-specific GUI tools. You can read more in the Qubes 4.3 release notes.
Acknowledgments
A big thank you to the Qubes Team and community for all the improvements that have gone into Qubes 4.3. Freedom of the Press Foundation (FPF) is proud to financially sponsor the Qubes OS project.
This release incorporates FPF contributions by Giulio B; Martin C; Nathan Dyer, communications manager; Micah Lee; Kunal Mehta, release manager; Cory Francis Myers; Vicki Niu; Kevin O’Gorman; Francisco Rocha, deputy release manager; Conor Schaefer; John Skinner; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, either in your dedicated SecureDrop Support group, or by contacting the support account listed at securedrop.org/help/.
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd.
We also encourage you to file nonsensitive issues via our GitHub repository.
Thank you for using SecureDrop!