Update documentation for Qubes 4.1 #112

Merged
merged 6 commits into from
Jul 11, 2022
58 changes: 29 additions & 29 deletions docs/admin/backup.rst
Expand Up @@ -3,22 +3,22 @@ Backup and Restore

.. include:: ../includes/top-warning.rst

QubesOS has a `backup utility <https://www.qubes-os.org/doc/backup-restore/>`_
that allows for backup and restoration of user-specified VMs.
QubesOS has a `backup utility <https://www.qubes-os.org/doc/backup-restore/>`_
that allows for backup and restoration of user-specified VMs.

To perform backups, you will need:

- a LUKS-encrypted external hard drive, with at least 50GB space
- a secure place to store backup credentials (such as a password manager
on your primary laptop)
on your primary laptop)

Backup
Backup
------

Preserve files from ``dom0``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preserve key configuration files by coping them into the
Preserve key configuration files by coping them into the
``vault`` VM.

In a ``dom0`` Terminal via **Q ▸ Terminal Emulator**:
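
Review bot: "coping" in "Preserve key configuration files by coping them into the" is still misspelled on the rewritten line. Since this line is already being touched for trailing whitespace, change it to "copying" in the same commit.
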
Expand All @@ -31,12 +31,12 @@ In a ``dom0`` Terminal via **Q ▸ Terminal Emulator**:
Open a ``vault`` Terminal and verify that the files were copied successfully:

.. code-block:: sh

head -n1 ~/QubesIncoming/dom0/sd-journalist.sec # line contains "BEGIN PRIVATE KEY BLOCK"
grep -q descriptor ~/QubesIncoming/dom0/config.json && echo OK # line is "OK"

.. note::
If you have made advanced customizations to your Qubes Workstation,
If you have made advanced customizations to your Qubes Workstation,
you may need to back up additional components of ``dom0``. Refer to
the `Qubes documentation <https://www.qubes-os.org/doc/backup-restore/>`_
or contact Support.
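
Review bot: the comment on the ``head -n1`` line says the output contains "BEGIN PRIVATE KEY BLOCK", but the first line of an ASCII-armored GPG private key reads ``-----BEGIN PGP PRIVATE KEY BLOCK-----``, so an admin comparing the output literally will not find a match. Update the comment to the exact armor header. The ``grep -q descriptor`` check on the following line only proves the word is present; matching the ``ONIONADDRESS:descriptor:x25519:AUTHTOKEN`` layout documented further down would also catch a truncated or malformed copy.
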
Expand All @@ -47,33 +47,33 @@ Back up SecureDrop Workstation
Ensure your storage medium is plugged in, attached to ``sd-devices``,
and unlocked.

Navigate to **Q ▸ System Tools ▸ Backup Qubes**, and move all VMs from
"Selected" to "Available" by pressing the ``<<`` button.
Navigate to **Q ▸ Qubes Tools ▸ Backup Qubes**, and move all VMs from
"Selected" to "Available" by pressing the ``<<`` button.

To target a VM for backup, highlight it and move it into the "Selected"
To target a VM for backup, highlight it and move it into the "Selected"
column by pressing the ``>`` button. Select:

- the ``vault`` VM
- any customized VMs that you may wish to preserve.

You do not need to back up the ``sd-`` VMs.

Click "Next", and in "Backup destination," specify the VM and directory
Click "Next", and in "Backup destination," specify the VM and directory
corresponding to your storage medium's current mount point.

Set a strong, unique backup passphrase (7-word diceware), and ensure this
passphrase is stored securely outside SecureDrop Workstation.
Set a strong, unique backup passphrase (7-word diceware), and ensure this
passphrase is stored securely outside SecureDrop Workstation.

.. note::
This passphrase protects sensitive
.. note::
This passphrase protects sensitive
components of your SecureDrop instance, including the *Submission Private Key*.
Ensure that it is a very strong password and is stored securely.
Ensure that it is a very strong password and is stored securely.

Uncheck "save backup profile," then proceed with the backup.

QubesOS recommends verifying the integrity of the backup once the backup
QubesOS recommends verifying the integrity of the backup once the backup
completes. This can be done by using the Restore Backup GUI tool and selecting
"Verify backup integrity, but do not restore the data." For details, see the
"Verify backup integrity, but do not restore the data." For details, see the
`QubesOS backup documentation <https://www.qubes-os.org/doc/backup-restore/>`_.

Restore
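
Review bot: the note under the passphrase step asks for "a very strong password" while the step itself asks for a "backup passphrase (7-word diceware)". Use "passphrase" in both places so readers do not take them for two different secrets or read the note as relaxing the diceware requirement. Separately, the integrity check is worded as something "QubesOS recommends"; because this backup carries the *Submission Private Key*, consider making the "Verify backup integrity, but do not restore the data" pass an explicit step of the procedure.
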
Expand All @@ -82,34 +82,34 @@ Restore
Reinstall QubesOS
~~~~~~~~~~~~~~~~~

To restore SecureDrop Workstation, follow our
To restore SecureDrop Workstation, follow our
:doc:`pre-install tasks <install>` to provision a QubesOS system complete with
updated base templates. This time, during the installation wizard, un-check
updated base templates. This time, during the installation wizard, un-check
``create default application qubes (personal, work, untrusted, vault)``.

Restore Backup
~~~~~~~~~~~~~~

Plug in your backup medium and unlock it as during the backup. By default
on a new system, your peripheral devices will be managed by a VM called
``sys-usb``.
on a new system, your peripheral devices will be managed by a VM called
``sys-usb``.

Navigate to **Q ▸ System Tools ▸ Restore Backup**, and enter the
location of the backup file. You do not need to adjust the default Restore
Navigate to **Q ▸ Qubes Tools ▸ Restore Backup**, and enter the
location of the backup file. You do not need to adjust the default Restore
options, unless you have made customizations to the backup. Enter the
decryption/verification passphrase, and proceed to restoring the available
qubes (which should include the ``vault`` VM).

Reinstall SecureDrop Workstation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create a VM called ``work`` with default networking settings:
Create a VM called ``work`` with default networking settings:

.. code-block:: sh

qvm-create -l blue work

Then, :ref:`download and verify <download_rpm>` the SecureDrop Workstation
Then, :ref:`download and verify <download_rpm>` the SecureDrop Workstation
.rpm to the ``work`` VM and copy it to ``dom0``.

Once you have a valid .rpm file in ``dom0``, install the .rpm by running:
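
Review bot: "unlock it as during the backup" in the Restore Backup paragraph conflicts with the sentence that follows it. During backup the medium was attached to ``sd-devices``, which is not present until the workstation is reinstalled later in this section, and the text itself says devices are managed by ``sys-usb`` on a new system. State that the drive is unlocked in ``sys-usb`` and that ``sys-usb`` is the VM to choose when entering the backup location in **Q ▸ Qubes Tools ▸ Restore Backup**.
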
Expand All @@ -126,8 +126,8 @@ VM:
qvm-run --pass-io vault "cat QubesIncoming/dom0/sd-journalist.sec > /tmp/sd-journalist.sec"
qvm-run --pass-io vault "cat QubesIncoming/dom0/config.json > /tmp/config.json"

Optionally, inspect each file before proceeding. The first
file should be an ASCII-armored GPG private key file, and the second is a
Optionally, inspect each file before proceeding. The first
file should be an ASCII-armored GPG private key file, and the second is a
one-line file with the format ``ONIONADDRESS:descriptor:x25519:AUTHTOKEN``.

Copy both files into place:
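
Review bot: in both ``qvm-run --pass-io vault "cat ... > /tmp/..."`` lines the redirection sits inside the quoted string, so it is evaluated by the shell in ``vault`` and the files are written to ``/tmp`` in ``vault``, not in the VM where the command is typed. If the intent is for ``--pass-io`` to deliver the files to the calling VM for the "Copy both files into place" step, close the quote before ``>`` so the redirect runs locally. As written, the step also leaves a second copy of the private key in ``vault``'s ``/tmp``.
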
Expand All @@ -142,7 +142,7 @@ Verify that the configuration is valid:

sdw-admin --validate

If the above command does not produce any errors, the configuration is valid,
If the above command does not produce any errors, the configuration is valid,
and you may remove the configuration files from the ``vault`` VM:

.. code-block:: sh
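
Review bot: "you may remove the configuration files from the ``vault`` VM" covers only the copies under ``QubesIncoming/dom0``, while the earlier step also wrote ``/tmp/sd-journalist.sec`` and ``/tmp/config.json``. The code block that follows is collapsed here, so please confirm it removes those temporary copies as well, and mention them in this sentence so a private key is not left behind in ``/tmp``.
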