SecureDrop VPS Hosting
SecureDrop is the open-source whistleblower submission system developed and maintained by the Freedom of the Press Foundation. It allows sources to submit documents and messages to journalists with strong technical anonymity guarantees. Operating a SecureDrop instance for a publication, NGO or research organization requires infrastructure that respects the threat model from end to end. AnubizHost offshore VPS plans provide the Tor-only deployment substrate, the no-log hypervisor and the offshore jurisdiction that fit a SecureDrop instance's posture, with crypto-only payment that keeps the operating organization's hosting relationship outside conventional financial trails.
SecureDrop Architecture and Why Tor-Only Hosting Matters
SecureDrop's threat model is built around the assumption that sources are at substantial personal risk and that the submission system should not introduce any network-level metadata that could be used to identify them. The architecture exposes the source-facing application exclusively as a Tor v3 onion service. Sources connect through Tor Browser, the submission server has no clearnet IP exposed to source traffic, and the journalist-facing review interface is also a Tor onion service accessed from a hardened journalist workstation. This Tor-only deployment is non-negotiable and is the foundation of SecureDrop's anonymity guarantees.
An offshore VPS is well suited to SecureDrop hosting because the only process that must bind to the network is the tor daemon. All inbound clearnet traffic is dropped at the firewall, the web server binds to 127.0.0.1, and the tor daemon is the single process that bridges the application to the outside world. The VPS substrate just needs to provide stable storage, predictable resources and an offshore jurisdiction that respects the deployment's privacy posture. AnubizHost plans meet all three requirements without requiring deployment-specific customization.
Operating organizations frequently deploy two VPS instances: one for the SecureDrop application server and a separate one for the SecureDrop monitor server, which handles intrusion detection and security monitoring. The monitor server is itself Tor-only and exists to provide tamper-evident oversight of the application server. AnubizHost supports private interconnect between VPS instances in the same node, which lets operating organizations replicate the recommended two-server topology without exposing inter-server traffic to clearnet.
Hardening, Air-Gapped Workflow and Operational Discipline
The hardening requirements for a SecureDrop instance go far beyond a typical web application. The operating organization runs a fully air-gapped journalist workstation (a SecureDrop Workstation built on Qubes OS in the current recommended configuration) for handling submitted documents. Submissions are downloaded from the SecureDrop server over Tor to the air-gapped workstation, where they are reviewed offline and any responses are encrypted and uploaded back to the server. The server itself never decrypts submissions; encryption is performed on the source's Tor Browser and decryption happens only on the air-gapped journalist workstation.
This means the VPS substrate handles only encrypted blobs. A breach of the VPS would not expose plaintext source documents because the decryption keys live exclusively on the air-gapped workstation. The VPS still needs strong hardening to prevent denial of service against sources and to detect intrusion attempts that would compromise the integrity of the deployment. SecureDrop ships with a comprehensive hardening playbook that the operating organization applies on top of the bare Linux install.
Operational discipline is the load-bearing component. The journalist workstation must remain genuinely air-gapped, with no USB keyboards plugged in mid-session, no Wi-Fi adapter accidentally enabled and no Bluetooth peripheral discoverable. The submission-handling protocol must be followed consistently across the journalist team; one careless reviewer who plugs a journalist laptop into a clearnet network while a submission is mounted defeats the entire system. The training requirement is substantial, and the Freedom of the Press Foundation provides specific guidance for new deployments.
Operator Privacy, Offshore Jurisdiction and Crypto Payment
Operating organizations vary widely in their privacy posture for the hosting bill itself. Established news organizations typically pay through standard invoicing channels because their relationship with the SecureDrop deployment is public knowledge anyway. Smaller publications, NGOs and research projects often prefer crypto-only payment to keep the hosting relationship outside conventional financial trails. AnubizHost supports both models. Crypto payment via BTC, ETH, XMR or USDT and no KYC at signup let an operating organization initiate the hosting relationship with minimal identity disclosure if that fits their threat model.
At the hypervisor level we do not retain traffic captures or netflow archives for SecureDrop customer traffic beyond live abuse triage. The combination of Tor-only deployment and no-log host means there is essentially no network-level metadata that could be subpoenaed to identify sources or correlate submissions with specific Tor circuits. The protection is layered: the application-level encryption protects content, the Tor onion service protects source IP, and the no-log host means there is no audit trail at the substrate.
Jurisdiction choice for SecureDrop is a board-level decision for the operating organization. Iceland's constitutional press protections are a natural fit and several international publications have specifically chosen Iceland for their SecureDrop deployment. Romania provides EU jurisdiction with low latency to European sources and is an alternative for organizations that prefer the familiarity of an EU legal framework. AnubizHost staff coordinate with the operating organization's counsel during provisioning to ensure the jurisdiction choice matches the publication's editorial-protection needs.