GlobaLeaks Version 4 – Release Announcement

GlobaLeaks 4 includes an important update to its encryption model [1].

As this is a major update of GlobaLeaks we would like any existing and new user to carefully read this update message in order to reduce the possibilities of data loss. The new model implements automatic encryption for any submission data including questionnaire answers, comments and file metadata implementing a highly usable user interface where encryption is implemented in an automatic manner transparent to the user.

This new cryptographic model is implemented by default for new setups and optional for existing setups where it could be enabled through the advanced settings. This new version is released after a feature-freeze period, following the recent penetration test report released in 2020 [2] and is considered safe for update; we would recommend anyhow existing users to test the update and the enabling of the encryption feature in a pre-production environment following a backup procedure that is considered generally a best practice.

Following the new model, the system will automatically generate per-user keys at their first login and per-submission encryption keys making it impossible to access any information if not in possession of the user password. This means more security but also more possibility of data loss due to human errors. For this reason, the new system implements the possibility to export recovery keys (as personal backup for each user) and a key recovery mechanism that could be used by administrators to recover accounts in case users lose their passwords; both these features are enabled by default and are configurable as needed.

This update does not deprecate the functionality of the previous encryption method based on PGP keys protecting email notifications (for which the solution is still implemented and valid) and file attachments (for which we consider the new model to be more intuitive and usable by the general public).

For more details on the mentioned features and technical aspects, please refer to the official documentation [3].

The GlobaLeaks team would like to express our gratitude to the large number of volunteers, translators, developers, designers, UX researchers, auditors and users who participated in the development and testing of this release.

[1] https://www.globaleaks.org/docs/en/globaleaks-encryption-white-paper.pdf

[2] https://www.globaleaks.org/docs/en/penetration-tests.pdf

[3] https://docs.globaleaks.org

  • Share:
Send a Message