SecureDrop Deployment: Whistleblower Platform on Tor Hidden Service

SecureDrop is an open-source whistleblower submission system maintained by the Freedom of the Press Foundation. News organizations deploy it as a Tor hidden service for secure, anonymous source communication. This guide covers SecureDrop's architecture and deployment considerations.

SecureDrop Architecture Overview

SecureDrop uses an air-gapped security model with multiple specialized servers. The standard deployment includes:

Application Server: houses the SecureDrop web application and receives submissions.
Monitor Server: monitors Application Server health and sends alerts to journalist email.
Secure Viewing Station (SVS): an air-gapped computer on Tails OS for reviewing submissions; never connected to the internet.
Journalist Workstation: runs Tails OS and connects to SecureDrop via Tor to read submissions.

The Application Server and Monitor Server are network-connected. The SVS is completely offline; submissions are transferred via encrypted USB drives. This architecture ensures that even if the network-connected servers are compromised, submitted documents and journalist activities remain protected on the air-gapped SVS.

Hardware Requirements for SecureDrop

SecureDrop recommends dedicated hardware:

Application Server: bare metal preferred, not a VPS, for higher security against cloud provider access.
Monitor Server: can be a second physical machine or a VPS.
Secure Viewing Station: a dedicated laptop, ideally purchased with cash, running Tails OS.
Admin Workstation: Tails OS for administration.

For organizations without the budget for dedicated hardware, a VPS-based deployment is technically possible, but the Freedom of the Press Foundation recommends physical hardware for the Application Server because a cloud provider can potentially access VM memory and disk. Minimum specs for the Application Server: 2 vCPU, 4 GB RAM, 20 GB disk.

SecureDrop Installation Process

SecureDrop provides an Ansible-based installation playbook. Prerequisites: Ubuntu 20.04 on both servers, SSH access from Admin Workstation, and domain or .onion planning. The installation creates: Source interface .onion address (accessible to sources), Journalist interface .onion address (accessible only to approved journalists), and Admin interface. The two .onion addresses serve different functions: the source interface is published publicly for sources to submit documents, the journalist interface is kept private and distributed only to approved journalists. Installation documentation is maintained by the Freedom of the Press Foundation with very detailed step-by-step instructions.

Operational Security for SecureDrop Deployments

The weakest link in SecureDrop is not technology but operational security. Key practices:

Never connect the Secure Viewing Station to the internet.
Always boot Journalist and Admin Workstations from Tails OS USB drives, not from an installed OS.
Rotate SSH keys for server access regularly.
Audit who has access to journalist .onion addresses quarterly.
Never transfer documents from the SVS to internet-connected computers in unencrypted form.
Maintain physical security of the SVS (locked in a secure room, access logged).

Journalists should use the Journalist Workstation (Tails) only for SecureDrop activities, not for general browsing.

Freedom of the Press Foundation Support

The Freedom of the Press Foundation (FPF) provides: free deployment assistance for qualifying news organizations, ongoing security updates and patches, operational security training for journalists and administrators, and emergency support for SecureDrop deployments facing security issues. The FPF maintains a directory of news organizations with active SecureDrop instances (securedrop.org/directory) - being listed increases source discoverability. FPF also audits SecureDrop code and coordinates vulnerability disclosure. Organizations deploying SecureDrop should join the SecureDrop mailing list for security announcements.
