freedomofpress/securedrop-workstation#533 implements an approach to permit copy & paste and log export via tagged VMs. This is intended to help us gain insights during the pilot about what changes to the default VM configuration and RPC policies may be ultimately desirable.
Because no VMs have the sd-send-clipboard, sd-receive-clipboard or sd-receive-logs tags by default, we need to document our initial recommendations for the use of these tags. For now, my thinking is:
- Add a recommendation to the install docs to add
sd-send-clipboard to the existing vault VM if and only if the organization intends to use KeePassX in vault to store SecureDrop login credentials.
- Add a recommendation to the install docs to add
sd-receive-logs to work (or another similar VM) so that it can be used for sharing selected logs, after inspection and redaction in sd-log.
- Add a section to the Admin Guide "Managing clipboard access" that goes into further detail about the use of the clipboard, the security risks (including opsec), and the process for whitelisting access for select VMs.
- Update the FAQ entry about clipboard access accordingly.
freedomofpress/securedrop-workstation#533 implements an approach to permit copy & paste and log export via tagged VMs. This is intended to help us gain insights during the pilot about what changes to the default VM configuration and RPC policies may be ultimately desirable.
Because no VMs have the
sd-send-clipboard,sd-receive-clipboardorsd-receive-logstags by default, we need to document our initial recommendations for the use of these tags. For now, my thinking is:sd-send-clipboardto the existingvaultVM if and only if the organization intends to use KeePassX invaultto store SecureDrop login credentials.sd-receive-logstowork(or another similar VM) so that it can be used for sharing selected logs, after inspection and redaction insd-log.