diff --git a/client/securedrop_client/gui/conversation/export/export_wizard_page.py b/client/securedrop_client/gui/conversation/export/export_wizard_page.py
index 983bbd5518..e83ecb1bd4 100644
--- a/client/securedrop_client/gui/conversation/export/export_wizard_page.py
+++ b/client/securedrop_client/gui/conversation/export/export_wizard_page.py
@@ -334,6 +334,8 @@ def __init__(self, export: Export, summary: str) -> None:
body = _(
"Please insert one of the export drives provisioned specifically "
"for the SecureDrop Workstation."
+ "
"
+ "If you're using a VeraCrypt drive, unlock it manually before proceeding."
)
super().__init__(export, header=header, body=body)
diff --git a/client/securedrop_client/locale/messages.pot b/client/securedrop_client/locale/messages.pot
index d7d99c3781..4535b46c52 100644
--- a/client/securedrop_client/locale/messages.pot
+++ b/client/securedrop_client/locale/messages.pot
@@ -276,9 +276,6 @@ msgstr ""
msgid "BACK"
msgstr ""
-msgid "Export {}"
-msgstr ""
-
msgid "No device detected"
msgstr ""
@@ -333,7 +330,7 @@ msgstr ""
msgid "Export Failed"
msgstr ""
-msgid "Please insert one of the export drives provisioned specifically for the SecureDrop Workstation."
+msgid "Please insert one of the export drives provisioned specifically for the SecureDrop Workstation.
If you're using a VeraCrypt drive, unlock it manually before proceeding."
msgstr ""
msgid "Remember to be careful when working with files outside of your Workstation machine."
diff --git a/debian/rules b/debian/rules
index 88d2cead3b..535ba6833b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -19,7 +19,10 @@ override_dh_strip_nondeterminism:
# Override debhelper's auto-generated files in `/etc/`
# to force an exact replacement of the files we are modifying
-# there (specifically, `/etc/apt/trusted.gpg.d/securedrop-keyring.gpg`).
+# there (specifically, `/etc/apt/trusted.gpg.d/securedrop-keyring.gpg`
+# for the keyring package and `/etc/udisks2/tcrypt.conf` for the
+# securedrop-export package).
override_dh_installdeb:
dh_installdeb
cat /dev/null > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles
+ cat /dev/null > ${CURDIR}/debian/securedrop-export/DEBIAN/conffiles
diff --git a/export/README.md b/export/README.md
index 796bcd068d..7c66cc72ff 100644
--- a/export/README.md
+++ b/export/README.md
@@ -86,34 +86,38 @@ For all device types (described in detail below), the following standard error t
The supported device types for export are as follows, including the possible errors specific to that device type:
-1. `disk-test` : Preflight check that probes for USB connected devices, that returns:
- - `DEVICE_WRITABLE` if a supported USB device is attached and unlocked
- - `DEVICE_LOCKED` if a supported drive is inserted but locked (a LUKS drive, since locked Veracrypt detection is not supported)
+1. `disk-test`: Preflight check that probes for USB connected devices, that returns:
- `NO_DEVICE_DETECTED`, `MULTI_DEVICE_DETECTED`: wrong number of inserted USB drives
- - `INVALID_DEVICE_DETECTED`: Wrong number of partitions, unsupported encryption scheme, etc
- - `UNKNOWN_DEVICE_DETECTED`: (Future use) this is what a locked drive that could be Veracrypt would return
+ - `INVALID_DEVICE_DETECTED`: Wrong number of partitions, unsupported encryption scheme, etc.
+ Note: locked VeraCrypt drives also return this status, and a hint is shown to the user that they must
+ manually unlock such drives before proceeding.
+ - `DEVICE_LOCKED` if a supported drive is inserted but locked (a LUKS drive, since locked Veracrypt detection is not supported)
+ - `DEVICE_WRITABLE` if a supported USB device is attached and unlocked. (Only used for Preflight check)
- `DEVICE_ERROR`: A problem was encountered and device state cannot be reported.
-2. `printer-test`: prints a test page that returns:
- - `ERROR_PRINTER_NOT_FOUND` if no printer is connected
- - `ERROR_PRINTER_NOT_SUPPORTED` if the printer is not currently supported by the export script
- - `ERROR_PRINTER_DRIVER_UNAVAILABLE` if the printer driver is not available
- - `ERROR_PRINTER_INSTALL` If there is an error installing the printer
- - `ERROR_PRINT` if there is an error printing
-
-3. `printer`: sends files to printer that returns:
+2. `disk`: Attempts to send files to disk. Can return any Preflight status except `DEVICE_WRITABLE`, as well as
+ the following status results below, which replace `DEVICE_WRITABLE` since they attempt the export action.
+ Because export is a linear process, a status such as `ERROR_EXPORT_CLEANUP` indicates that the file export
+ succeeded and the problem occurred after that point in the process.
+ - `ERROR_UNLOCK_LUKS` if LUKS decryption failed due to bad passphrase
+ - `ERROR_UNLOCK_GENERIC` if unlocking failed due to some other reason
+ - `ERROR_MOUNT` if there was an error mounting the volume
+ - `ERROR_UNMOUT_VOLUME_BUSY` if there was an error unmounting the drive after export
+ - `ERROR_EXPORT_CLEANUP` if there was an error removing temporary directories after export
+ - `SUCCESS_EXPORT`: Entire routine, including export and cleanup, was successful
+
+3. `printer-preflight`, `printer-test`: test the printer and ensure it is ready.
- `ERROR_PRINTER_NOT_FOUND` if no printer is connected
- `ERROR_PRINTER_NOT_SUPPORTED` if the printer is not currently supported by the export script
- `ERROR_PRINTER_DRIVER_UNAVAILABLE` if the printer driver is not available
+ - `ERROR_PRINTER_URI` if `lpinfo` fails to retrieve printer information
- `ERROR_PRINTER_INSTALL` If there is an error installing the printer
- `ERROR_PRINT` if there is an error printing
+ - `PRINT_PREFLIGHT_SUCCESS` if preflight checks were successful (Preflight only)
-4. `disk`: sends files to disk that returns:
- - `SUCCESS_EXPORT`: Successful
- - `ERROR_CLEANUP`: Export was successful but files could not be cleaned up or drive was not properly unmounted
- - `ERROR_UNLOCK_LUKS` if the luks decryption failed (likely due to bad passphrase)
- - `ERROR_MOUNT` if there was an error mounting the volume (after unlocking the luks volume)
- - `ERROR_WRITE` if there was an error writing to disk (e.g., no space left on device)
+4. `printer`: sends files to printer that returns any of the `printer-preflight` statuses except
+ `PRINT_PREFLIGHT_SUCCESS`, as well as:
+ - `PRINT_SUCCESS` if the job is dispatched successfully
### Export Folder Structure