[WIP] Overhaul Transfer Device and export recommendations

Resolves #4620
Resolves #4646
Resolves #4434

docs/glossary.rst

@@ -149,21 +149,20 @@ authentication for devices. We recommend using one of:
 
 Transfer Device
 ---------------
-
-The *Transfer Device* is the physical media used to transfer encrypted
-documents from the *Journalist Workstation* to the *Secure Viewing
-Station*. Examples: a dedicated USB stick, CD-R, DVD-R, or SD card.
-
-If you use a USB stick for the *Transfer Device*, we recommend using a
-small one (4GB or less). It will be necessary to securely wipe the entire
-device at times, and this process takes longer for larger devices.
-
-Depending on your threat model, you may wish to only use one-time-use
-media (such as CD-R or DVD-R) for transferring files to and from the
-*SVS*. While doing so is cumbersome, it reduces the risk of malware (that
-could be run simply by opening a malicious submission) exfiltrating
-sensitive data, such as the private key used to decrypt submissions or
-the content of decrypted submissions.
-
-When we use the phrase "sneakernet" we mean physically moving documents
-with the *Transfer Device* from one computer to another.
+The *Transfer Device* is the physical media (e.g., designated USB drive) used
+to  transfer encrypted documents from the *Journalist Workstation* to the
+*Secure Viewing Station*. Both computers run the Tails operating system
+
+Please see the detailed security recommendations for the choice, configuration
+and use of your *Transfer Device* in the :doc:`journalist guide <journalist>`
+and in the :doc:`setup guide <set_up_transfer_and_export_device>` .
+
+Export Device
+-------------
+The *Export Device* is the physical media (e.g., CD-Rs) used to transfer
+decrypted documents from the *Secure Viewing Station* to a journalist's everyday
+workstation, or to another computer for additional processing.
+
+Please see the detailed security recommendations for the choice, configuration
+and use of your *Export Device* in the :doc:`journalist guide <journalist>`
+and in the :doc:`setup guide <set_up_transfer_and_export_device>` .

docs/index.rst

@@ -32,7 +32,7 @@ anonymous sources.
    before_you_begin
    set_up_tails
    set_up_svs
-   set_up_transfer_device
+   set_up_transfer_and_export_device
    generate_submission_key
    set_up_admin_tails
    network_firewall

docs/set_up_transfer_and_export_device.rst

@@ -0,0 +1,187 @@
+Set Up the *Transfer Device* and the *Export Device*
+====================================================
+
+Journalists copy submissions from their *Journalist Workstation* to the
+*Secure Viewing Station* using the *Transfer Device*.
+
+For exporting submissions from the *Secure Viewing Station*, we recommend using
+a secure printer or a similar analog conversion process wherever possible. For
+cases where an electronic file transfer is necessary, we recommend setting up
+an *Export Device*, separate from the *Transfer Device*.
+
+.. important::
+
+   **Understand the security risks of working with files in digital form**
+
+   After downloading a submission on the *Journalist Workstation*, a journalist
+   will copy it to the *Transfer Device* and carry it to the air-gapped
+   *Secure Viewing Station*. If the journalist later copies the decrypted file
+   in its original form to an Internet-connected computer, they may expose
+   themselves, their colleagues, or their sources to significant risks, e.g.:
+
+   - A submission may be infected with malware targeting your newsroom.
+
+   - If your *Secure Viewing Station* has not been updated in a while, it may have
+     software vulnerabilities an attacker can exploit, e.g., to exfiltrate the
+     *Submission Private Key* alongside a legitimate submission.
+
+   - The submission may contain metadata identifying the source which has not
+     yet been cleaned up.
+
+   These risks are not specific to SecureDrop. They're inherent in dealing with
+   tips sent in digital form.
+
+   This is why we place the strongest emphasis on always picking the most secure
+   available export method for a given submission. Printing documents or
+   re-recording audio and video files can eliminate most categories of malware
+   and metadata (`QR code malware <https://securedrop.org/news/security-advisory-do-not-scan-qr-codes-submitted-through-securedrop-connected-devices/>`__
+   and `tracking dots <https://en.wikipedia.org/wiki/Machine_Identification_Code>`__
+   being the most notable exceptions).
+
+   If and when you do need to copy decrypted files in electronic form, the
+   recommendations below are intended to establish a baseline of security.
+   Please consider these recommendations in the context of your own threat
+   model, and do not hesitate to contact us via securedrop@freedom.press
+   (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__)
+   if we can help.
+
+Choose media types and encryption
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+You will need to decide what storage media to use for the *Transfer Device* and
+the *Export Device*, and which encryption scheme to apply to each device. There
+are many options to consider: USB flash drives, write-once media like CD-Rs and
+DVD-Rs, external hard drives, and so on.
+
+The following recommendation is intended to balance security, usability and cost
+considerations, and you may want to modify it based on your threat model:
+
+- Use USB flash drives for both the *Transfer Device* and the *Export Device*.
+
+- Encrypt the *Transfer Device* using LUKS, which works in the Tails environment
+  and in other Linux environments.
+
+- Encrypt the *Export Device* using VeraCrypt, which works across platforms.
+
+- Optionally, purchase a hardware USB `write blocker <https://www.forensicswiki.org/wiki/Write_Blockers>`__
+  as used in forensics, and enforce its usage whenever the *Export Device* is
+  attached to an Internet-connected workstation. This ensures that malware
+  cannot spread from infected computers in your network to the *Secure Viewing
+  Station*.
+
+If you follow this recommendation, it is important that the contents of the
+*Transfer Device* and the *Export Device* are always wiped after a copy operation
+is completed.
+
+Write-once media like CDs and DVDs can be a reasonable alternative to this
+setup. If you implement a workflow based on CDs or DVDs, it is crucial that they
+are destroyed immediately after use. While shredders are available at a
+relatively low cost, those built to the highest standards of data destruction
+sell in the $2,500 to $3,000 price range as of 2019.
+
+Decide how to manage encryption passphrases
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Because files are copied between multiple computers, KeePassX in Tails is not
+necessarily the most convenient option for managing the encryption passphrases for
+your *Transfer Device* or your *Export Device*. While Tails itself gives you the
+option to "remember" passphrases, this option does not work across reboots.
+
+A simple alternative is to make sure that every journalist stores the
+*Transfer Device* and *Export Device* passphrases in their own password manager,
+which ideally will synchronize to their mobile phone. See the Freedom of the
+Press Foundation guide for `choosing a password manager <https://freedom.press/training/blog/choosing-password-manager/>`__
+if you are not currently using one.
+
+USB *Transfer Device* Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The easiest and recommended option for a *Transfer Device* is a USB
+drive. If you have a large team of journalists you may want to :doc:`create
+several <onboarding>` of these. Here we'll just walk through
+making one *Transfer Device* [#]_.
+
+Create a USB *Transfer Device*
+------------------------------
+
+.. note:: This process will destroy all data currently on the drive.
+
+First, label your USB drive “SecureDrop Transfer Device”.
+
+On the *Secure Viewing Station*, open the
+**Applications** menu in the top left corner and select
+**Utilities** then |Disk Utility icon| **Disks**:
+
+|screenshot of the Applications menu in Tails, highlighting Disk
+Utility|
+
+Connect your *Transfer Device* then pick your device in the menu on
+the left. Since we're going to destroy all the data on this drive, it's
+important that you pick the right drive. It should be named something
+that sounds similar to the manufacturer's label on the outside of the
+drive, and it will only appear after you plug it in. Double check that
+you have clicked on the correct drive:
+
+|screenshot of Disk Utility application|
+
+Once you're sure you have the right drive, click the interlocking gears, then
+**Format Partition...**.
+
+.. note:: If there are multiple existing partitions on the drive, you should
+          first click the "-" icon on the left of the interlocking gears icon to
+          delete each partition, and then create another partition that fills
+          all free space with the options as shown below.
+
+|screenshot of the menu to create a new partition in the Disk Utility
+application|
+
+Give the partition on your *Transfer Device* a descriptive name
+like “Transfer Device” and select the options as in the following screenshot:
+
+|screenshot of passphrase selection prompt in the Disk Utility
+application|
+
+As noted earlier, this passphrase should be stored in the password manager of
+every user who will copy files using the *Transfer Device*, not in KeePassX.
+
+After typing in the passphrase, click **Format** to continue. The Disks utility
+will ask you if you are sure: click **Format** to continue. After a few seconds,
+your new *Transfer Device* should be ready for use. If you haven't already, make
+sure to label it.
+
+.. |Disk Utility icon| image:: images/icons/disk-utility.png
+.. |screenshot of the Applications menu in Tails, highlighting Disk Utility| image:: images/screenshots/applications_accessories_disk-utility.png
+.. |screenshot of Disk Utility application| image:: images/screenshots/disk-utility.png
+.. |screenshot of the menu to create a new partition in the Disk Utility application| image:: images/screenshots/create-partition.png
+.. |screenshot of passphrase selection prompt in the Disk Utility application| image:: images/screenshots/create-passphrase.png
+
+.. [#] Tails screenshots were taken on Tails 3.0.1. Please make an issue on
+       GitHub if you are using the most recent version of Tails and the
+       interface is different from what you see here.
+
+*Export Device* Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+We recommend using a fully encrypted USB drive for moving files off the
+*Secure Viewing Station*. This is even more important than for the
+*Transfer Device*, as the risk of accidentally leaving decrypted files on the
+*Export Device* is significant.
+
+Because the *Export Device* will need to be mounted on both Tails and the
+journalist's everyday workstation, you will need to use an encryption scheme
+that works on both operating systems.
+
+This is the case for many hardware-encrypted USB drives. When considering
+a hardware solution, we recommend selecting a vendor that has fully opened
+the source code and specifications of their devices and encouraged third party
+audits.
+
+VeraCrypt is a good alternative to hardware-based encryption. It is actively
+maintained cross-platform software that has been independently audited and is
+free to use.
+
+VeraCrypt-encrypted media can be opened in the Tails operating system without
+installing additional software. However, to *create* your encrypted VeraCrypt
+drive in the first place, you will need to install the VeraCrypt software. The
+`guide by Freedom of the Press Foundation <https://freedom.press/training/encryption-toolkit-media-makers-veracrypt-guide/>`__
+provides instructions for encrypting storage media using VeraCrypt.
+
+As with the *Transfer Device*, we recommend storing the passphrase in the
+password manager of each user who will use a given *Export Device*.