SecureDrop Style Tor VPS for Whistleblower Platforms

A submission server is the most security critical component of any whistleblower platform. It receives data from anonymous sources over Tor and must protect that data even if the operator's other systems are compromised. We deploy submission VPS with full disk encryption at provisioning time, systemd unit isolation that strips capabilities from every process, mandatory access control through AppArmor or SELinux, and outbound clearnet blocked at iptables. The only network presence is the Tor hidden service that accepts submissions.

The submission application itself runs as an unprivileged user with no shell. Submitted files are stored in a write only directory until journalists retrieve them through a separate journalist facing onion. We supply hardened Nginx and uWSGI templates for the typical Python submission application stack.

Journalists retrieve submissions through a separate VPS that is not directly reachable from the submission VPS. The two systems communicate only through Tor onion services with mutual authentication, so a compromise of the journalist VPS does not yield direct access to the submission store. We provide templates that pre-configure both sides with isolated onion v3 keys and Authorization headers backed by client certificates.

For high assurance deployments, the journalist VPS itself is wiped and rebuilt on a regular cadence using infrastructure as code. The state that matters lives on encrypted offline media held by named editors, not on the live VPS.

Anonymous billing protects the operator from coercion through the hosting layer. AnubizHost requires only an email at signup, accepts Bitcoin and Monero, and stores no telemetry about the order session. The drop platform is hosted in Romania or Iceland, jurisdictions where third party data requests must clear a substantive legal bar. We retain no traffic logs and no hypervisor side flow data. There is nothing to disclose, because nothing is recorded.

Operators who run drop platforms on behalf of NGOs or news organizations can fund the hosting through Monero donations with no link to the platform's onion address. The financial trail and the operational trail are kept separate at every layer of the stack.