Open deeplow opened 4 months ago
Initial questions from discussion elsewhere related to possibly mirroring and installing veracrypt in an SDW VM:
deb
's install scripts and behaviour to ensure it plays nice with Qubes and doesn't do anything surprising given elevated privileges at install?I'm not sure if anyone has before, but we could also look into tcplay, which is already packaged in Debian and doesn't have the same licensing issues.
I'm not sure if anyone has before, but we could also look into tcplay, which is already packaged in Debian and doesn't have the same licensing issues.
It looks like it's not actively maintained and CLI-only though. Other questions notwithstanding, Veracrypt is has a relatively recent version and a GUI.
If we manage to deal with the licensing issues and agree with getting VeraCrypt in, I'd like to propose the solution of provisioning the USB under the hood our recommended defaults, requiring only the user to enter the passphrase.
Description
At the moment export devices have to be provisioned outside of the workstation. Ideally the user can do so from sd-devices.
How will this impact SecureDrop/SecureDrop Workstation users?
Improved SecureDrop usability since users don't have to figure out how to install VeraCrypt.
How would this affect the SecureDrop Workstation threat model?
We are adding another program to the templates (if we are doing that). Veracrypt is not available on the repos, which adds complexity. Some of these risks may be mitigated by installing this on boot on a disposable qube.
User Stories